A developer found a way to access any and all Facebook accounts. He reported this to Facebook, which responded by fixing the problem.
Developer Nir Goldshlager found a flaw in Facebook's code that allowed him to take full control over any Facebook account.
"By exploiting this flaw I could steal unique access tokens that provide me full control over any Facebook account," Goldshlager writes in a blog post.
He says the flaw gave full permissions, allowing access to the message inbox and outbox, page management, ad management, and private photos and videos.
Goldshlager said that the flaw even allowed access to accounts that are protected with two-step verification.
Fortunately, Goldshlager reported the broken code to Facebook, which has now fixed the problem.
A Facebook PR rep told us:
We applaud the security researcher who brought this issue to our attention and for responsibly reporting the bug to our White Hat Program. We worked with the team to make sure we understood the full scope of the vulnerability, which allowed us to fix it without any evidence that this bug was exploited in the wild. Due to the responsible reporting of this issue to Facebook, we have no evidence that users were impacted by this bug. We have provided a bounty to the researcher to thank them for their contribution to Facebook Security.
He even gives step-by-step instructions on how he made the exploit work.
Just to clarify: there is no need for any installed apps on the victim's account. Even if the victim never allowed any application in his Facebook account, I could still get full permissions. (This bug works on any browser.)
So OAuth is used by Facebook to communicate between applications and Facebook users. Usually, users must allow/accept the application's request to access their account before the communication can start.
Any Facebook application might ask for different permissions.
The "victim" must have Facebook applications installed. Goldshlager uses Diamond Dash and Texas Holdem Poker as examples...
This part gets complicated, but it has something to do with the domain of the app and Facebook OAuth, which is what Facebook uses for authorization.
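The article says only that the flaw involved the app's domain and Facebook's OAuth flow, and that a user's consent is what normally gates an app's access. The general mechanism behind both points is that the authorization server hands the access token to the app's redirect URI, so the server must (a) check that the user actually approved the app and (b) compare the requested redirect URI exactly against what the app owner registered. The following is an added example written for this page to show that check; it is not Goldshlager's code, not Facebook's, and not the specific Facebook bug. The registry name REGISTERED_REDIRECTS, the app id "app-123", and the hosts app.example / notapp.example are constructed values for the illustration.

```python
import secrets
from urllib.parse import urlparse, urlunparse

# Constructed registry: the exact redirect URIs each app owner registered.
# App id and hosts are assumptions for this example, not real registrations.
REGISTERED_REDIRECTS = {
    "app-123": {"https://app.example/oauth/callback"},
}


def _normalize(uri):
    """Canonical form for comparison: lower-case scheme and host, default path '/',
    with query, params and fragment dropped so they cannot alter the match."""
    u = urlparse(uri)
    canon = urlunparse((u.scheme.lower(), u.netloc.lower(), u.path or "/", "", "", ""))
    return u, canon


def loose_redirect_ok(app_id, candidate):
    """Weak check (shown only as the 'before'): the candidate host merely has to
    END WITH a registered host. Any host whose name happens to end in the
    registered one passes, so the token can be delivered somewhere the app
    owner does not control."""
    host = urlparse(candidate).hostname or ""
    registered_hosts = [urlparse(r).hostname for r in REGISTERED_REDIRECTS.get(app_id, ())]
    return any(host.endswith(rh) for rh in registered_hosts if rh)


def strict_redirect_ok(app_id, candidate):
    """Hardened check: https only, no credentials, query or fragment in the URI,
    and the normalized URI must exactly equal one the app owner registered."""
    u, canon = _normalize(candidate)
    if u.scheme.lower() != "https":
        return False
    if u.query or u.fragment or u.params or u.username or u.password:
        return False
    return canon in REGISTERED_REDIRECTS.get(app_id, set())


def issue_token(app_id, redirect_uri, user_consented):
    """Return (redirect_uri, token) only when the user approved the app AND the
    redirect target passes the strict check; otherwise return None so no token
    leaves the server."""
    if not user_consented:
        return None
    if not strict_redirect_ok(app_id, redirect_uri):
        return None
    return redirect_uri, secrets.token_urlsafe(32)


if __name__ == "__main__":
    good = "https://app.example/oauth/callback"
    lookalike = "https://notapp.example/x"  # constructed host that ends in 'app.example'
    print("loose accepts lookalike:", loose_redirect_ok("app-123", lookalike))
    print("strict accepts lookalike:", strict_redirect_ok("app-123", lookalike))
    print("token without consent:", issue_token("app-123", good, user_consented=False))
    print("token with consent:", issue_token("app-123", good, user_consented=True) is not None)
```

The suffix comparison in loose_redirect_ok is the kind of shortcut that turns "the app's domain" into an attack surface: it treats any host that ends with the registered name as the app. The strict version does a string comparison after normalization, which is what RFC 6749 asks of an authorization server when a full redirect URI is registered, and it refuses the request rather than falling back to a default when the match fails.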
Next, Goldshlager got blocked with a general error message, but he didn't stop there...
See the rest of the story at Business Insider