Last week, Nir Goldshlager, a hacker who has helped the likes of Google, Twitter, and Facebook plug security holes, blogged about one of his “favorite flaws” he’s found in Facebook. In his blog post he states that he found a way to get full access to a victim’s Facebook account. This means he could read their inbox, outbox, manage pages and ads, view private photos and videos, etc., and he says he can do this “without any installed apps on the victim’s account”.
How is this possible? How can he do that without having the victim install an app? There are built-in apps in Facebook that you don’t have to accept and install, and for Facebook Messenger in particular, the access token wouldn’t expire until the victim changed their password.
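The detail that matters for defenders is the token lifetime: a token that stays valid until the next password change is a long-lived credential. The following is an added illustration, not code from the post or from Facebook, of a hypothetical token store that enforces the two mitigations a platform would want here: a short time-to-live, and revocation of every outstanding token when the user changes their password. All names (`TokenStore`, `issue`, `validate`) and the sample user are constructed for this example.

```python
import secrets
import time


class TokenStore:
    """Constructed example of an access-token issuer.

    ttl_seconds=None reproduces the weak behaviour described in the post
    (a token that never expires on its own); a finite ttl is the corrected
    setting. In both modes, changing the password invalidates every token
    issued before the change.
    """

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        # token -> (user_id, password_version_at_issue, issued_at)
        self._tokens = {}
        # user_id -> integer that increments on each password change
        self._password_version = {}

    def change_password(self, user_id):
        # A password change bumps the version; older tokens no longer match.
        self._password_version[user_id] = self._password_version.get(user_id, 0) + 1

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, 256 bits of randomness
        self._tokens[token] = (user_id, self._password_version.get(user_id, 0), now)
        return token

    def validate(self, token, now=None):
        """Return the user_id if the token is live, else None."""
        now = time.time() if now is None else now
        record = self._tokens.get(token)
        if record is None:
            return None
        user_id, version_at_issue, issued_at = record
        if self.ttl is not None and now - issued_at > self.ttl:
            return None  # expired by time-to-live
        if version_at_issue != self._password_version.get(user_id, 0):
            return None  # revoked by a password change
        return user_id

    def revoke_all(self, user_id):
        # Explicit "log out everywhere" without forcing a password change.
        self._tokens = {t: r for t, r in self._tokens.items() if r[0] != user_id}


def demo():
    """Compare the never-expiring setting with a one-hour TTL."""
    weak = TokenStore(ttl_seconds=None)
    t = weak.issue("alice", now=0)
    still_valid_after_a_year = weak.validate(t, now=365 * 24 * 3600) == "alice"

    hardened = TokenStore(ttl_seconds=3600)
    t2 = hardened.issue("alice", now=0)
    valid_early = hardened.validate(t2, now=600) == "alice"
    valid_late = hardened.validate(t2, now=4000) == "alice"
    hardened.change_password("alice")
    valid_after_change = hardened.validate(t2, now=600) == "alice"
    return still_valid_after_a_year, valid_early, valid_late, valid_after_change


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, True, False, False)`: the never-expiring token is still usable a year later, while the hardened store rejects the same kind of token once the TTL passes and, independently, as soon as the password changes.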
Facebook has since fixed this bug, but it serves to show you can never really be too careful. Even your “private” stuff isn’t necessarily safe. Luckily, Nir is one of the good guys – reporting this to Facebook. What could someone else have done with this type of access? It’s a scary thought.