Fresh flaws in Facebook Canvas earn bug bounty hunter a second payday

    Youssef Sammouda, a security researcher, has disclosed a second set of defects in Facebook Canvas which, like their predecessors, could lead to account takeover. Last year, he received $126,000 in bug bounties for uncovering three issues in Facebook’s Canvas technology, which is used to embed online games and interactive applications.

    Last September, Sammouda wrote a blog post on these issues.

    Sammouda chose to explore the problem again recently, which resulted in the discovery of a new set of issues with Facebook’s OAuth implementation.

    “Meta failed to ensure either in the client-side or server-side applications that the game website would only be able to request an access_token for its application and not a first-party application like Instagram,” said Youssef Sammouda. “It also failed to ensure that the generated Facebook API access_token would only reach the domains/websites that were added by the Facebook first-party application,” he added.

    If these issues had gone unaddressed, an attacker’s website would have been able to obtain a first-party access token and take control of a Facebook account as well as any other accounts linked to it, such as Oculus or Instagram.

    Attempts to Fix the Facebook Flaw

    Last year, Facebook’s initial attempts to resolve the issue were judged to be ineffective. Sammouda uncovered three new issues: a race condition, bypasses of the earlier fix, and a problem with encrypted arguments. Facebook has since reinforced its filters and published a more thorough fix in response to Sammouda’s findings.

    Sammouda explained: “This was resolved by Meta by making sure that parameters passed in the OAuth endpoint request from the game website were whitelisted and also by always enforcing the value of app_id and client_id parameters passed to be always the game application ID that’s making the request.”
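    The two quoted statements describe a pair of server-side checks: the authorization endpoint must bind `app_id`/`client_id` to the application actually making the request, and it must only deliver a token to a redirect domain that application registered. The following is an added illustration of those checks, written for this article and not Meta's own code; the application IDs, domains, parameter allowlist and the `authorize` function are constructed placeholders.

```python
"""
Added illustration (not Meta's code) of the server-side checks the article
describes for an OAuth authorization endpoint serving embedded (Canvas-style)
applications. App IDs, domains and parameter names are constructed placeholders.
"""
from dataclasses import dataclass
from urllib.parse import urlparse
import secrets

# Constructed registry: which app IDs are first-party, and which redirect
# domains each application registered. All values are placeholders.
REGISTERED_APPS = {
    "game-app-1001": {"first_party": False, "domains": {"game.example"}},
    "first-party-2002": {"first_party": True, "domains": {"firstparty.example"}},
}

# Only these query parameters are accepted from the embedding application;
# anything else is rejected outright (the "whitelisted parameters" fix).
ALLOWED_PARAMS = {"client_id", "app_id", "redirect_uri", "response_type", "scope", "state"}


@dataclass
class AuthzResult:
    ok: bool
    error: str = ""
    access_token: str = ""
    granted_for: str = ""


def authorize(requesting_app_id: str, params: dict) -> AuthzResult:
    """Decide whether to issue a token for `params`, a request made from the
    Canvas application `requesting_app_id`. The requesting ID is taken from the
    hosting frame / server-side session, never from the request parameters."""
    # 1. Reject any parameter outside the allowlist.
    unexpected = set(params) - ALLOWED_PARAMS
    if unexpected:
        return AuthzResult(False, f"unexpected parameters: {sorted(unexpected)}")

    # 2. app_id and client_id, when present, must equal the requesting game's
    #    own ID, so a game cannot ask for a first-party application's token.
    for name in ("app_id", "client_id"):
        value = params.get(name)
        if value is not None and value != requesting_app_id:
            return AuthzResult(False, f"{name} does not match requesting application")

    app = REGISTERED_APPS.get(requesting_app_id)
    if app is None:
        return AuthzResult(False, "unknown application")

    # 3. The token may only be delivered to an HTTPS origin whose domain was
    #    registered by that same application.
    redirect = params.get("redirect_uri", "")
    parsed = urlparse(redirect)
    if parsed.scheme != "https" or parsed.hostname not in app["domains"]:
        return AuthzResult(False, "redirect_uri not registered for application")

    token = secrets.token_urlsafe(32)
    return AuthzResult(True, access_token=token, granted_for=requesting_app_id)


if __name__ == "__main__":
    # Legitimate request from the game for its own token.
    print(authorize("game-app-1001", {
        "client_id": "game-app-1001",
        "redirect_uri": "https://game.example/cb",
        "response_type": "token",
    }))
    # Game requesting a first-party application's token: rejected at step 2.
    print(authorize("game-app-1001", {
        "client_id": "first-party-2002",
        "redirect_uri": "https://game.example/cb",
    }))
```

The order of the checks matters in a review: the parameter allowlist runs first so that unknown or encrypted-argument channels never reach the binding logic, and the `client_id` comparison uses the server's own knowledge of which application is embedded rather than trusting anything the embedded page sends.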

    Sammouda published a follow-up blog post last week that delves deeper into the flaws in Facebook’s first attempt to address the issue. He was paid an additional $98,000 for this follow-up work.
