Researcher reports how to hack Facebook account with Oculus Integration

Researcher finds how to hack Facebook account with Oculus Integration

How to hack a Facebook account is something that almost everyone wants to know – And now, a security researcher has reported to Facebook that Oculus Integration allowed him to hijack Facebook accounts.

According to the findings of a security researcher, Oculus app is vulnerable to exploitation because a malicious actor can hack Facebook account by exploiting Oculus integration. Oculus was established in 2012 and it is most famous for the Oculus Rift Virtual Reality (VR) headset.

To provide its users a more ‘social’ experience Facebook acquired Oculus VR in July 2014. In August 2014, Facebook added Oculus assets to its white hat bug bounty program through which the social network managed to identify various vulnerabilities in Oculus service. Some flaws were of serious nature and a researcher fetched $25,000 for discovering a series of flaws.

Researcher finds how to hack Facebook account with Oculus Integration

Given this vulnerable nature of Oculus VR, web security consultant Josip Franjković decided to probe further into the Oculus app for Windows primarily because it allowed users to link their Facebook account to the app. He identified that using especially designed GraphQL queries, an attacker can easily connect the Facebook account of any user to attacker’s Oculus account. GraphQL query language was developed by Facebook in 2012. It was, therefore, observed by Franjković that it was possible to hijack Facebook accounts through abusing the social network’s integration with Oculus VR headset.

The flaw is basically a cross-site request forgery (CSRF) vulnerability that allows the hijacking on a user’s Facebook account. Once hijacked, the attacker can easily obtain an access token for the account and take full control of it. In a normal scenario, this token cannot be accessed by third-party apps.

Researcher finds how to hack Facebook account with Oculus Integration
Screenshot of the request and the response shared by researcher

The account hijacking mechanism was demonstrated by Franjković where a GraphQL query was used to add a new mobile phone number to the targeted Facebook account. The number was then leveraged for resetting the password of the account.

On October 24, Franjković notified Facebook about this vulnerability; in response to the report, Facebook released a temporary fix by disabling the facebook_login_sso endpoint, which was immediately implemented. Later on October 30, the social network rolled out the permanent fix.

However, merely a few weeks later, Franjković told SecurityWeek that the CSRF flaw was prone to be exploited for bypassing the patch. Then on November 18, another flaw was reported and Facebook again disabled the facebook_login_sso endpoint. Three weeks later Facebook implemented a complete patch.

“The fix was to implement a CSRF check on the /account_receivable/endpoint AND add an additional click to confirm the link between Facebook and Oculus accounts. I believe this properly fixes the vulnerability without degrading user experience too much,” Franjković wrote in his blog.

To go through technical details of this follow this link or read after fix post from the researcher here.

Related Posts