Hacker Discovers Major Facebook Security Breach, Gains Full Access

Last week, Nir Goldshlager, a hacker who has helped the likes of Google, Twitter, and Facebook plug security holes, blogged about one of his “favorite flaws” he’s found in Facebook. In his blog post he states that he found a way to get full access to a victim’s Facebook account. This means he could read their inbox and outbox, manage pages and ads, view private photos and videos, etc., and he says he can do this “without any installed apps on the victims account”.

How is this possible? How can he do that without having the victim install an app? Facebook has built-in apps that the user never has to accept or install, and in the case of Facebook Messenger in particular, the access token wouldn’t expire until the victim changed their password.

Video: “How I Hacked Facebook OAuth To Get Full Permission On Any Facebook Account” from Nir on Vimeo.

Facebook has since fixed this bug, but it serves to show you can never really be too careful. Even your “private” stuff isn’t necessarily safe. Luckily, Nir is one of the good guys – reporting this to Facebook. What could someone else have done with this type of access? It’s a scary thought.
