{"id":8552,"date":"2013-02-22T14:36:38","date_gmt":"2013-02-22T22:36:38","guid":{"rendered":"http:\/\/www.perivision.net\/wordpress\/?p=8552"},"modified":"2013-02-22T14:42:28","modified_gmt":"2013-02-22T22:42:28","slug":"how-to-hack-facebook-though-oauth","status":"publish","type":"post","link":"https:\/\/www.perivision.net\/wordpress\/2013\/02\/how-to-hack-facebook-though-oauth\/","title":{"rendered":"How to hack Facebook through OAuth"},"content":{"rendered":"

Well, this not good for facebook. Your worried about your privacy?\u00a0 Try to use all the tools to protect yourself that facebook provides?\u00a0 May not matter.\u00a0 Check this out below.<\/p>\n

In Nir Goldshlager<\/a>‘ post, he outlines, almost step by step, how you can perform the same ‘hack’.\u00a0 Facebook claims to have fixed this, but Nir says there are others and he will post them soon.<\/p>\n

I decided to share one of my favorite flaws i discovered in\u00a0 facebook.com<\/a>,<\/p>\n

This flaw allowed me to take a full control over any Facebook account,By exploiting this flaw I could steal unique access tokens that provides me full control over any Facebook account,<\/div>\n
\u00a0 \u00a0<\/b><\/div>\n
just to clarify\u00a0there is no need for any installed apps on the victim’s account, Even if the victim never allowed any application in his\u00a0 Facebook account, I could still be getting full permissions (This bug works on any browser)<\/b><\/div>\n
To make this exploit work, The victim only need to visit a webpage,
\nSo OAuth is used by Facebook to communicate between Applications and Facebook users, Usally users must allow\/accept the application request to access their account before the communication can start.<\/div>\n
Any Facebook application might ask for different permissions,<\/div>\n
For example:\u00a0<\/b><\/span><\/p>\n
<\/div>\n
Diamond Dash,Texas Holdem Poker only have permission to basic information and post on user’s wall,<\/div>\n
<\/div>\n
\"\"<\/a><\/div>\n
<\/div>\n
<\/div>\n
\n

I found a way in to get a full permissions (read inbox, outbox, manage pages, manage ads, read private photos, videos,etc..) over the victim account even without any installed apps on the victim’s account,<\/p>\n<\/div>\n

Another advantage in the flaw I found is that there is no “Expired date” of the Token like there would be on any other application usage, In my attack the token never expires unless the victim change his password :),<\/p>\n<\/div>\n<\/blockquote>\n

Related Posts<\/H3>