Attackers could hijack Facebook accounts by abusing the social networking platform's integration with the Oculus virtual reality headset. Security researchers revealed a CSRF (cross site request forgery) vulnerability that enabled them to connect a target's account to an attacker's Oculus account. This connection could then be used by the attacker to extract the victim's access token and take over the account.
"Oculus enables users to connect their Facebook accounts for a more "social" experience," web security consultant Josip Franjković wrote in his research. "This can be done using both the native Windows Oculus application and using browsers."
I took a deeper look at the native Windows flow, and found a CSRF vulnerability which allowed me to connect a victim's Facebook account to attacker's Oculus account.
In his research, Franjkovic showed how an attacker could hijack Facebook accounts by querying for the victim's Facebook access_token. Using this first-party access_token, which also has access to Facebook's GraphQL endpoint, attackers could get full control of the account using specially crafted GraphQL queries. This is used to change the target account's phone number and finally to change the account's password.
Facebook patched these vulnerabilities after the security researcher reported them under the company's bug bounty program. But he found a login CSRF that could have been used to redirect the victim to an Oculus URL of the attacker's choice, to bypass the first fix. The company has now released another fix to the issue. "The fix was to implement a CSRF check on the /account_receivable/endpoint, AND add an additional click to confirm the link between Facebook and Oculus accounts," Franjković wrote. "I believe this properly fixes the vulnerability without degrading user experience too much."
While it is unclear how much Facebook paid the researcher for these bugs, the company did reveal last week that it had paid over $880,000 in bug bounties in 2017.
- Technical details are available here.
