Security researcher Youssef Sammouda has disclosed a second set of defects in Facebook Canvas which, like their predecessors, pose a risk of account takeover. Last year, he received $126,000 in bug bounties for uncovering three issues in Facebook’s Canvas technology, which is used to embed online games and interactive applications.
Last September, Sammouda wrote a blog post on these issues.
Sammouda chose to explore the problem again recently, which resulted in the discovery of a new set of issues with Facebook’s OAuth implementation.
“Meta failed to ensure either in the client-side or server-side applications that the game website would only be able to request an access_token for its application and not a first-party application like Instagram,” said Youssef Sammouda. “It also failed to ensure that the generated Facebook API access_token would only reach the domains/websites that were added by the Facebook first-party application,” he added.
If these issues had gone unaddressed, an attacker’s website would have been able to obtain a first-party access token and take control of a Facebook account as well as any other accounts linked to it, such as Oculus or Instagram.
Attempts to Fix the Facebook Flaw
Last year, Facebook’s initial attempts to resolve the issue were judged to be ineffective. Sammouda uncovered three new issues in particular: a race condition issue, bypasses to the earlier remedy, and a problem with encrypted arguments. Fortunately, Facebook has reinforced its filters and published a more thorough fix in response to Sammouda’s criticisms.
Sammouda explained: “This was resolved by Meta by making sure that parameters passed in the OAuth endpoint request from the game website were whitelisted and also by always enforcing the value of app_id and client_id parameters passed to be always the game application ID that’s making the request.”
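The two failures Sammouda describes (a game site requesting a token for a first-party app, and the token reaching a domain the app never registered) and the fix he quotes (a parameter whitelist plus pinning app_id and client_id to the requesting app) can be modelled as a small server-side authorization check. The following is an added example written for this article, not Meta's code; the app registry, the parameter whitelist and the function names are constructed assumptions, and the "naive" function is a deliberately weak model used only to contrast with the hardened one.

```python
"""Model of the OAuth parameter checks described in the article (constructed example)."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class RegisteredApp:
    app_id: str
    name: str
    first_party: bool
    allowed_domains: frozenset  # hosts the app owner registered for token delivery


# Constructed registry: one third-party Canvas game and one first-party app.
APP_REGISTRY = {
    "game-123": RegisteredApp("game-123", "Example Canvas game", False,
                              frozenset({"game.example"})),
    "fp-001": RegisteredApp("fp-001", "First-party app (constructed)", True,
                            frozenset({"first-party.example"})),
}

# Hypothetical whitelist of parameters a Canvas app may forward to the OAuth endpoint.
ALLOWED_PARAMS = frozenset({"app_id", "client_id", "redirect_uri",
                            "response_type", "scope", "state"})


def naive_authorize(requesting_app_id, params, registry=APP_REGISTRY):
    """Weak model: trusts client_id from the request and ignores who is asking.

    The caller (the game) can name any registered app, including a first-party
    one, and the token is sent wherever redirect_uri points.
    """
    target = registry.get(params.get("client_id"))
    if target is None:
        return None
    host = urlparse(params.get("redirect_uri", "")).hostname
    return {"token_for": target.app_id, "redirect_host": host}


def hardened_authorize(requesting_app_id, params, registry=APP_REGISTRY):
    """Model of the described fix.

    1. Only whitelisted parameters may be forwarded.
    2. app_id and client_id must equal the requesting app's ID.
    3. The token is only delivered to a host registered for that same app.
    Returns (grant, reason); grant is None when the request is rejected.
    """
    extra = set(params) - ALLOWED_PARAMS
    if extra:
        return None, f"unexpected parameter(s): {', '.join(sorted(extra))}"

    requester = registry.get(requesting_app_id)
    if requester is None:
        return None, "unknown requesting app"

    # Pin both identifiers to the app that is actually making the request.
    for key in ("app_id", "client_id"):
        if params.get(key, requesting_app_id) != requesting_app_id:
            return None, f"{key} does not match requesting app"

    parsed = urlparse(params.get("redirect_uri", ""))
    if parsed.scheme != "https":
        return None, "redirect_uri must use https"
    if parsed.hostname is None or parsed.hostname not in requester.allowed_domains:
        return None, "redirect_uri host is not registered for this app"

    return {"token_for": requester.app_id, "redirect_host": parsed.hostname}, "ok"


if __name__ == "__main__":
    # A game-site request that names the first-party app and an unregistered host.
    cross_app = {"client_id": "fp-001", "redirect_uri": "https://attacker.example/cb"}
    print("naive   :", naive_authorize("game-123", cross_app))
    print("hardened:", hardened_authorize("game-123", cross_app))
    print("hardened:", hardened_authorize("game-123", {
        "client_id": "game-123", "app_id": "game-123",
        "redirect_uri": "https://game.example/cb", "response_type": "token"}))
```

Run as a script, the naive check issues a grant for the first-party app ID with an unregistered redirect host, while the hardened check rejects the same request at the client_id comparison; the whitelist step is what catches stray parameters (such as the encrypted-argument variants mentioned above) before any identity comparison is made.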
Sammouda published a follow-up blog post last week that delves deeper into the flaws in Facebook’s first attempt to address the issue. He was paid an additional $98,000 for this follow-up work.