
Hacking Facebook By Stealing Facebook Access_tokens In Device Login

Adarsh Verma, July 20, 2016
Short Bytes: A security researcher has found a flaw in Facebook's device login feature, which lets users easily authorise apps on IoT devices. Because the flow lacked CSRF protection, an attacker could fool Facebook's systems and grab the victim's access_token. Facebook has now fixed the bug and awarded a $5,000 bounty to the white hat hacker.

To make logging into applications and services easier, Facebook introduced Facebook Login for devices. Aimed mainly at Internet of Things devices, it lets people log into Smart TVs, digital photo frames and the like.

When you use this feature, your IoT device shows a code that you enter on a web page opened on your PC or smartphone. This can be used to grant permissions to new apps and services.

Josip Franjkovic, a renowned Facebook white hat hacker who has been one of Facebook's top 10 bug reporters since 2013, found a vulnerability in Facebook's device login feature.

Hacking Facebook by exploiting the device login flow:

To get permission, the new application asks the Facebook Graph API for a hash code and a user_code. The app then tells the user to go to facebook.com/device and enter the user_code returned by the Graph API.

The next step is verification of the application via the OAuth flow. Here, the user_code entered by the user is connected to the app code.

Here's what it looks like:

https://www.facebook.com/v2.5/dialog/oauth?redirect_uri=https%3A%2F%2Fm.facebook.com%2Fdevice.php%3FuserCode%3D{$user_code}&client_id=1234

Now the application can request the user's access_token from the Graph API:

graph.facebook.com/oauth/device?type=device_token&client_id=1&code=hash_code

Franjkovic found a flaw in the step where the user_code is connected to the application code. This step is performed without any CSRF protection:

https://m.facebook.com/device.php?userCode=$userCode&code=$appCode

To demonstrate this vulnerability, Franjkovic built his own proof of concept. In his exploit, an attacker requests a user_code as described in the first step and presents the victim with a page that uses it. This works only because the step has no CSRF protection.

Suppose an attacker obtains the user_code abcd and the hash code 1234; they can then easily forge a page with the URL:

https://www.facebook.com/v2.5/dialog/oauth?redirect_uri=https%3A%2F%2Fm.facebook.com%2Fdevice.php%3FuserCode%3Dabcd&client_id=1234

Similarly, the next step involves a successful redirection to something like this:

https://m.facebook.com/device.php?userCode=abcd&code=aZx…

Now the attacker can get the access_token of the user by requesting:

graph.facebook.com/oauth/device?type=device_token&client_id=1&code=4567

To carry out this exploit, an attacker needs to know that the user has approved some app for Login for Devices. Every app that has Login for Devices enabled and Web OAuth Login disabled automatically gets m.facebook.com/device.php as a valid redirect.

With further tweaks, a pre-approved application can be exploited to hack a Facebook account.

Franjkovic reported the vulnerability, and Facebook has now fixed the bug and awarded him a bug bounty of $5,000.

Since the fix, Facebook shows a re-confirmation pop-up each time you use device login, and the missing CSRF protection has been added to the binding step.
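The following is an added, constructed model of the three-step flow described above and of the fix; it is not Facebook's code. It shows why binding a user_code to whoever happens to be logged in (step 2) is a CSRF problem, and how a per-session CSRF token plus an explicit re-confirmation closes it. All names (DeviceAuthServer, bind_vulnerable, bind_fixed) and token values are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class DeviceGrant:
    user_code: str                  # short code the user types at facebook.com/device
    hash_code: str                  # the "code" the device later polls with
    client_id: str
    user_id: Optional[str] = None   # set once a logged-in user's session is bound to it

class DeviceAuthServer:
    def __init__(self) -> None:
        self.grants, self.sessions = {}, {}   # user_code -> DeviceGrant; cookie -> {"user_id", "csrf"}

    def request_code(self, client_id: str) -> DeviceGrant:
        """Step 1: the app asks the Graph API for a user_code and a hash code."""
        grant = DeviceGrant(secrets.token_hex(2), secrets.token_hex(8), client_id)
        self.grants[grant.user_code] = grant
        return grant

    def login(self, user_id: str) -> str:
        sid = secrets.token_hex(8)   # session cookie; a per-session CSRF token is minted with it
        self.sessions[sid] = {"user_id": user_id, "csrf": secrets.token_hex(8)}
        return sid

    def bind_vulnerable(self, session_id: str, user_code: str) -> bool:
        """Step 2 as it was: device.php?userCode=... binds the code to whoever is logged in.
        Nothing proves the user chose this, so a request forged from another site that
        rides on the victim's cookie is accepted just the same."""
        grant, sess = self.grants.get(user_code), self.sessions.get(session_id)
        if grant is None or sess is None:
            return False
        grant.user_id = sess["user_id"]
        return True

    def bind_fixed(self, session_id: str, user_code: str, csrf_token: str, confirmed: bool) -> bool:
        """Step 2 after the fix: a valid per-session CSRF token plus explicit re-confirmation."""
        grant, sess = self.grants.get(user_code), self.sessions.get(session_id)
        if grant is None or sess is None or not confirmed:
            return False
        if not secrets.compare_digest(csrf_token, sess["csrf"]):
            return False
        grant.user_id = sess["user_id"]
        return True

    def device_token(self, client_id: str, hash_code: str) -> Optional[str]:
        for grant in self.grants.values():   # Step 3: oauth/device?type=device_token poll
            if grant.client_id == client_id and grant.hash_code == hash_code and grant.user_id:
                return f"access_token_for_{grant.user_id}"   # constructed placeholder
        return None
```

The fixed handler rejects a request that carries only the victim's cookie and a foreign user_code, which is exactly the shape of the forged request described above.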
