All your Facebook Access Tokens are belong to us!

Hello everyone,

I found two vulnerabilities in Facebook's Android apps:

1- A vulnerability in the Facebook main app and the Facebook Messenger app for Android that allows ANY app on your Android device to read and capture your Facebook access_token and hijack your Facebook account stealthily. To exploit this vulnerability, the victim's Android device must have the Facebook main app and the Messenger app installed.

2- A vulnerability in Facebook Pages Manager for Android that allows ANY app on your Android device to read and capture your Facebook access_token and hijack your Facebook account stealthily. To exploit this vulnerability, the victim's Android device must have Facebook Pages Manager installed.

Now, let's walk through the first vulnerability, which affects the Facebook main app and the Messenger app for Android:

Imagine this scenario: you are a Facebook user with an Android phone or tablet on which you installed the Facebook main app and the Messenger app. You get a message from a friend or from anyone else on Facebook, you open it to read it, and it carries an attachment: a movie, doc, PDF, picture or any other file type that can be attached to Facebook messages, something like this:

[image: fb-sdk-vuln]

As you can see in the above image, the moment you tap the file to download it, your Facebook access_token is written to the Android logcat, which means that ANY Android app can read and capture your Facebook access_token stealthily and hijack your account :)

If you don't know what logcat is: it is a logging facility built into all Android devices that collects the log messages from all Android apps. You can read it either from an adb shell or with a tool from the Google Play store called CatLog.

Someone may ask: what is the REAL danger of this vulnerability?

Well, the danger is this: you have some free or paid Android app on your device (rooted or not) and that app contains a small function that reads the logcat output and sends it to the developer's servers :)

Every time you use the Facebook main app or Messenger to download a file from a message, your access_token is leaked, and ANY app, even one that is not otherwise malicious, can capture these tokens and take over your Facebook account :)

Look at this image:

[image: fb-sdk-vuln2]

You can see that I captured the access token, pasted it into the Facebook Graph Explorer and WOW :)

Note that this access_token never expires and comes with many, many scopes, enough to do whatever I want with your Facebook account ;)

The vulnerability was reported to Facebook and is fixed now, and Facebook rewarded me with $2500 USD. You must update your Facebook apps NOW!

[image: fb-main-messenger-bounty]

Now let's talk about the second vulnerability:

The vulnerability I found in the Facebook Pages Manager app is the same as the other one, but to exploit it you don't need to download ANYTHING from ANYONE: as soon as you log in to your Facebook account, your access token is leaked to all apps :)
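The leak both vulnerabilities share is the access_token being written to logcat. As an added example that is not part of the original post, here is a Python pre-release check that flags every logcat line carrying an access_token value and shows the redaction the app should apply before logging; the logcat lines and tokens are constructed, and the token is assumed to appear as an access_token=... parameter in the logged text.

```python
import re
from typing import Dict, List

# An access_token query parameter (or key=value pair) inside a log message.
# The character class covers the URL-safe alphabet of the constructed samples.
TOKEN_RE = re.compile(r"(access_token=)([A-Za-z0-9_\-.%|]+)")

# Logcat "brief" format: <level>/<tag>(<pid>): <message>
LOGCAT_RE = re.compile(r"^([VDIWEF])/([^(]+)\(\s*(\d+)\):\s(.*)$")

# Constructed logcat excerpt; the tokens are made-up placeholders, not real ones.
SAMPLE_LOGCAT = "\n".join([
    "I/ActivityManager(  512): Displayed com.example.app/.MainActivity: +120ms",
    "D/FileDownloader( 1234): GET https://example.invalid/attachment.pdf"
    "?access_token=CONSTRUCTEDTOKEN0123456789abcdef&sz=1",
    "D/FileDownloader( 1234): response 200 OK",
    "W/PagesManager( 4321): session url: https://example.invalid/me"
    "?access_token=SAMPLETOKEN_ABCDEFGHIJKL",
])


def find_token_leaks(logcat_text: str) -> List[Dict[str, str]]:
    """Flag every log line carrying an access_token; the finding keeps only a
    4-char hint plus the length, so the report does not re-leak the secret."""
    leaks = []
    for line in logcat_text.splitlines():
        m = LOGCAT_RE.match(line)
        if not m:
            continue  # not a logcat line (e.g. "--------- beginning of main")
        level, tag, pid, msg = m.groups()
        for t in TOKEN_RE.finditer(msg):
            token = t.group(2)
            leaks.append({
                "level": level, "tag": tag.strip(), "pid": pid,
                "token_hint": f"{token[:4]}...({len(token)} chars)",
            })
    return leaks


def redact_tokens(msg: str) -> str:
    """What the app should log instead: the same message with the token masked."""
    return TOKEN_RE.sub(lambda m: m.group(1) + "<redacted>", msg)


if __name__ == "__main__":
    # In practice, feed the output of `adb logcat -d` captured while exercising
    # the app (download an attachment, log in) into find_token_leaks().
    for leak in find_token_leaks(SAMPLE_LOGCAT):
        print(f"{leak['level']}/{leak['tag']}({leak['pid']}): leaked {leak['token_hint']}")
```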

I made a pretty detailed video about how to exploit it:

This vulnerability is now fixed too and Facebook rewarded me with $3500 USD. You MUST update your Facebook Pages Manager for Android NOW!

[image: fb-bounty-pages]

Again, don't be lazy: update all your apps NOW!

Pro Tip: you must change your Facebook password now if you are using the Facebook Android apps.

Stay tuned for more bugs and vulnerabilities; you can subscribe to this blog to get news about upcoming vulns and bugs.

7 Comments

  1. Awesome, what about the same apps on iOS?

    • Thanks :)

      I tested the Facebook iOS apps and they all work fine, because there is no logcat in the iOS system.

  2. That was a low payout. Shame on you Facebook!

  3. Hi,

    Nice work. Since Android Jelly Bean, apps should not be allowed to access other apps' log files (the corresponding permission was removed). Does the first vulnerability still work under these circumstances? Don't get me wrong, the majority of users are still pre-Jelly Bean so this is a valid bug, I am just curious if I am missing something.

    Thanks,
    Daniel

  4. Many thanks (y)
