Mohit Bagga and Tajinder Pal Singh Chouhan of CodeBibber recently stumbled upon a security weakness in the way websites and apps use Facebook Login to authenticate users, one that can expose your data on multiple platforms.
In simple words, whenever you choose the “Login through Facebook” option on any website or mobile app, you expose every other account where you logged in through Facebook.
“We were hacking around the Facebook login that gives us the access token. We wondered if we could post other login requests to Zomato and Snapdeal to see if they accept the token, because it is a valid token for Facebook. We tried and were successfully logged in,” said Mohit Bagga, co-founder and CTO, CodeBibber.
He added that they did several checks on various platforms before confirming this claim.
“We have a toolbox that gives you total control over headers and parameters that you want to pass through the server and we use mitm-proxy (man in the middle proxy or a Java SSL proxy) for voice passing. So we were seeing what kind of requests were going from an app. We just replicated it through the access token given by Facebook and got logged in from that platform,” said Mohit.
Snapdeal, Zomato and Foodpanda did not comment on this.
He further added that with this access token, one can impersonate the user and access all of that user’s personal details.
“We tested out this security breach on our new venture TOTUM app’s test run and to our amazement, by using a single access token that we received from Facebook, we were able to access the entire account history of that user on a series of big players like Zomato, Foodpanda, Uber and Snapdeal,” he added.
Facebook said that this is neither a breach nor a vulnerability in Login.
“This appears to be an issue we discussed in detail at F8 2015 and is not a vulnerability in Facebook Login, but rather improper implementation of Login by certain apps. To avoid this issue, developers should ensure their apps are properly validating access tokens and securing authentication flows. We provide resources and tools to help developers use Facebook Login securely in their apps,” Facebook told BI.
Mohit asserted the same: that the fault lies with players like Zomato, Ola and Snapdeal, not with Facebook. Facebook has published the guidelines, but the players are not following them. If one posts a login request to Zomato with the access token, Zomato does not even have the basic check to detect that the token was issued to another app.
“Facebook has the option so that we can privately exchange the data between the clients in the server. Facebook has the option which gives an encrypted access ID/token. The players are exposing users’ data to everyone,” said Mohit, stating the solution to protect users from such a security breach.
Expressing his doubts, he also added that, all said and done, Facebook does have the upper edge here. If Facebook holds the token, it can easily scrape all data across all platforms any time it wants.
They might even be doing it; one cannot be too sure in a world where Snoopgate and cyber security exist side by side.
The only good news is that Flipkart is still secure. They tried the same approach against Flipkart but failed. Flipkart’s second-level security step, where you need to give the user’s contact number and password, keeps the user’s profile safe from snooping.
Here is how it is done:
Let’s say you log in to app X via Facebook. X receives an access token from Facebook, sends it to X’s server and saves it. But now X can use this same access token to log in to any and every other platform that accepts Facebook tokens, impersonating you and accessing your data, ranging from your recent orders on Zomato or your purchase history on Snapdeal to your private messages, and the list goes on.
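To make Facebook’s advice concrete, here is an added example (not code from the article, from Facebook, or from any of the apps named) of the server-side check a platform should perform before trusting a token handed to it by a client: look the token up via the Graph API’s debug_token endpoint and accept it only if it is valid and its app_id is the platform’s own app ID, which is exactly the check that defeats the replay described above. The HTTP call is left out so the block runs offline; the app ID, app secret and debug_token responses below are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed placeholder credentials for "app X"; not real values.
MY_APP_ID = "111111111111111"
MY_APP_SECRET = "placeholder-app-secret"

# Constructed samples of what GET /debug_token?input_token=... returns.
TOKEN_ISSUED_TO_US = json.dumps({"data": {
    "app_id": "111111111111111", "is_valid": True, "user_id": "10000001",
    "expires_at": 1700000000, "scopes": ["email", "public_profile"]}})
# Valid for Facebook, but issued to a different app: the article's replay case.
TOKEN_ISSUED_TO_OTHER_APP = json.dumps({"data": {
    "app_id": "222222222222222", "is_valid": True, "user_id": "10000001",
    "expires_at": 1700000000, "scopes": ["email", "public_profile"]}})
EXPIRED_TOKEN = json.dumps({"data": {
    "app_id": "111111111111111", "is_valid": False, "scopes": []}})


def validate_debug_token(raw_json, expected_app_id, now):
    """Decide whether to accept a Facebook token from a debug_token response.

    Returns (accepted, detail): detail is the Facebook user_id on success,
    otherwise the reason for rejection.
    """
    data = json.loads(raw_json).get("data")
    if not isinstance(data, dict):
        return False, "malformed debug_token response"
    if data.get("is_valid") is not True:
        return False, "token is not valid"
    # The core check: a token is only proof of login for the app it was
    # issued to. Accepting tokens minted for another app lets that app
    # impersonate the user here.
    if str(data.get("app_id")) != str(expected_app_id):
        return False, "token was issued to a different app"
    expires_at = int(data.get("expires_at", 0))  # 0 means non-expiring
    if expires_at and expires_at <= now:
        return False, "token has expired"
    user_id = data.get("user_id")
    if not user_id:
        return False, "token is not bound to a user"
    return True, str(user_id)


def appsecret_proof(access_token, app_secret):
    """HMAC-SHA256 of the token keyed by the app secret, which Graph API
    calls can be required to carry so a stolen token alone is not enough."""
    return hmac.new(app_secret.encode(), access_token.encode(),
                    hashlib.sha256).hexdigest()
```

In production the debug_token request must be made from the server with an app access token, never from the client, and the app secret must never ship inside the mobile app.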