Researcher reports how to hack Facebook account with Oculus Integration

January 18th, 2018 Waqas Hacking News, Security 0 comments

How to hack a Facebook account is a question almost everyone wants answered, and now a security researcher has reported to Facebook that its Oculus integration allowed him to hijack Facebook accounts.

According to the researcher's findings, the Oculus app was exploitable: a malicious actor could take over a Facebook account by abusing the Oculus integration. Oculus was founded in 2012 and is best known for the Oculus Rift virtual reality (VR) headset.

To give its users a more ‘social’ experience, Facebook acquired Oculus VR in July 2014. In August 2014, Facebook added Oculus assets to its white hat bug bounty program, through which the social network identified various vulnerabilities in the Oculus service. Some of the flaws were serious, and one researcher earned $25,000 for discovering a series of them.

Researcher finds how to hack Facebook account with Oculus Integration

Given Oculus VR's track record of vulnerabilities, web security consultant Josip Franjković decided to probe the Oculus app for Windows further, primarily because it allowed users to link their Facebook account to the app. He found that, using specially crafted GraphQL queries, an attacker could connect any user's Facebook account to the attacker's own Oculus account. GraphQL, the query language involved, was developed by Facebook in 2012. Franjković thus observed that Facebook accounts could be hijacked by abusing the social network's integration with the Oculus VR headset.

The flaw is essentially a cross-site request forgery (CSRF) vulnerability that allows the hijacking of a user's Facebook account. Once the account is hijacked, the attacker can obtain an access token for it and take full control. Under normal conditions, this token is not accessible to third-party apps.

[Image: screenshot of the request and the response shared by the researcher]

The account hijacking mechanism was demonstrated by Franjković where a GraphQL query was used to add a new mobile phone number to the targeted Facebook account. The number was then leveraged for resetting the password of the account.

Franjković notified Facebook of the vulnerability on October 24. In response, Facebook immediately deployed a temporary fix by disabling the facebook_login_sso endpoint, and on October 30 the social network rolled out a permanent fix.

However, only a few weeks later, Franjković told SecurityWeek that the CSRF flaw could still be exploited to bypass the patch. On November 18 he reported a further flaw, and Facebook again disabled the facebook_login_sso endpoint. Three weeks later, Facebook implemented a complete patch.

“The fix was to implement a CSRF check on the /account_receivable/endpoint AND add an additional click to confirm the link between Facebook and Oculus accounts. I believe this properly fixes the vulnerability without degrading user experience too much,” Franjković wrote in his blog.
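The two paragraphs above describe the bug class (a cookie-authenticated account-link request with no CSRF check) and the fix (a CSRF check plus an explicit confirmation click). The following constructed simulation, added here and not code from Facebook, Oculus or the researcher, models a hypothetical link endpoint in both modes so the difference can be tested; endpoint and field names are assumptions.

```python
import hmac
import secrets

# Constructed model of an account-link endpoint (hypothetical names, not the
# real Facebook/Oculus API). hardened=False: accepts any cookie-authenticated
# POST. hardened=True: requires a per-session CSRF token and a confirm step.
class LinkService:
    def __init__(self, hardened):
        self.hardened = hardened
        self.links = {}    # social account -> linked device account
        self.pending = {}  # social account -> device account awaiting confirmation

    def csrf_token(self, session):
        """Mint a per-session token; only same-origin pages can read it."""
        session.setdefault("csrf", secrets.token_hex(16))
        return session["csrf"]

    def _csrf_ok(self, session, form):
        expected = session.get("csrf", "")
        return bool(expected) and hmac.compare_digest(form.get("csrf", ""), expected)

    def link(self, session, form):
        """POST /link: the browser attaches the session cookie whatever site sent it."""
        user = session["user"]
        if self.hardened:
            if not self._csrf_ok(session, form):
                return 403, "csrf token missing or invalid"
            self.pending[user] = form["device_account"]   # not linked yet
            return 200, "confirmation required"
        self.links[user] = form["device_account"]         # vulnerable: linked at once
        return 200, "linked"

    def confirm(self, session, form):
        """POST /link/confirm: the extra click that completes a hardened link."""
        user = session["user"]
        if not self._csrf_ok(session, form) or user not in self.pending:
            return 403, "rejected"
        if form.get("confirm") != "yes":
            return 400, "not confirmed"
        self.links[user] = self.pending.pop(user)
        return 200, "linked"

def cross_site_attempt(service):
    """Victim's logged-in browser, steered by another origin, posts attacker-chosen fields with no token."""
    victim = {"user": "victim"}
    service.csrf_token(victim)      # the victim has a normal session on the real site
    status, _ = service.link(victim, {"device_account": "attacker-device"})
    return status, service.links.get("victim")

def legitimate_flow(service):
    session = {"user": "victim"}
    token = service.csrf_token(session)   # same-origin page embeds the token
    service.link(session, {"device_account": "victim-device", "csrf": token})
    service.confirm(session, {"csrf": token, "confirm": "yes"})
    return service.links.get("victim")
```

In the vulnerable mode the forged request links the attacker's device account to the victim in one step; in the hardened mode it is refused with 403 and nothing is linked, while the same-origin flow still completes after the confirmation click.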

The full technical details are in the researcher's original blog post, and his follow-up post describing the fix is also available on his blog.
