Facebook exposes ‘god mode’ token miscreants could use • The Register


Update: Brave said this week that it is blocking the installation of a popular Chrome extension called LOC because it exposes users’ Facebook data to potential theft.

“If a user is already logged into Facebook, installing this extension will automatically grant a third-party server access to some of the user’s Facebook data,” explained François Marier, security engineer at Brave, in a GitHub issue. “The API used by the extension does not require Facebook to display an authorization prompt to the user before the app’s access token is issued.”

However, the extension’s developer, Loc Mai, told The Register that the extension does not collect information, as stated in the extension’s privacy policy. The extension currently has around 700,000 users.

“The extension does not collect user data unless the user becomes a Premium user, and the only thing it collects is the UID, which is unique for each person,” Mai explained.

Mai said the extension stores the token locally, under localStorage.touch, which represents a security risk but is not indicative of wrongdoing. LOC continues to be available through the Chrome Web Store.

However, a malicious developer could harvest Facebook data using the same access method, because Facebook exposes a plain-text token that grants what security researcher Zach Edwards described as “god mode”.

God mode

In an email to The Register, Mai explained that Facebook’s Graph API requires a user’s access token to work. To get this token, so that extension users can automate processing their own Facebook data, such as downloading their posts, the extension sends a GET request to Creator Studio for Facebook. The request returns an extension access token for the logged-in Facebook user, allowing further programmatic interactions with Facebook data.

Mai explained this in response to Brave’s GitHub post: “The access token is in the HTML of this page. Any Facebook user can simply access view-source:https://business.facebook.com/creatorstudio/home and display the access token here.”

Edwards told The Register: “Facebook faced an almost identical scandal in 2018 when 50 million Facebook accounts were deleted due to a token exposure.” And yet Facebook seems to view this data-disclosing token as a feature, not a bug.

Mai provided The Register with a copy of the April 9, 2019 email he used to report a token disclosure issue on a different endpoint that allowed the same type of data access. The response from Facebook Security was: “In this case, the issue you described is actually only a planned feature and therefore not eligible for a bounty.”

“Facebook doesn’t seem to have learned the lesson of 2018 and still exposes a plain-text god mode token for each user, on a niche page that specific developers know about,” Edwards said. “Facebook calls it a feature, but when the first extension developer scavenges and steals data from countless pages and users, will that be when Facebook finally admits it’s a bug, just like the problems of 2018?”

The Register asked Facebook about the situation and whether, as Edwards suggests, the company intended to revoke all tokens obtained from its Creator Studio endpoint. We haven’t had a response.

Mai said he made the extension to help friends who were considering quitting Facebook. The LOC extension, which has more than 700,000 users, allows users to upload their Facebook conversations, change their privacy settings, find and delete friends, and perform other functions.

Mai said he had been banned from Facebook and added that the company contacted him to accuse him of transferring or sharing user data without consent (“I’ve never done that”) and of buying, selling or trading site privileges such as likes, shares, and other aspects of engagement tracked by Facebook and Instagram, which he also denied.

However, he said, he would consider removing his extension “if Facebook were more reasonable with my Facebook account and my Instagram account and provided me with better reasons why my extension is harmful to others.”

The Register asked Brave whether it intended to reconsider its LOC ban in light of Mai’s explanation of what was going on. A Brave spokesperson said: “We are working with the extension author on some changes to the extension so that it can be unblocked in Brave.”

Inappropriate extensions remain a problem

Edwards said Facebook’s terms of service fall short here because, even though the company insists that people use its application platform, it does not prevent users from using browser extensions.

This gap, which exposes user data, is compounded by how Chrome extensions work today. As Edwards describes it, Chrome extensions can request permissions on one domain the developer controls and another they don’t control, then open a browser tab upon installation, creating an opportunity to grab data tokens, API keys and session IDs for different types of applications.

“Facebook happens to have a legacy web permission hard-coded into a page of their ‘Creator Studio’ that they built, which allows someone who controls one of these extensions to scrape hundreds of thousands of Facebook tokens, never signing up for the Facebook Developer Program and using the correct/native Facebook app/dev sharing features,” Edwards explained.

“Basically, Facebook can’t ‘ban’ an extension, even if Facebook knows the extension shouldn’t be allowed to ask for permissions on facebook.com and its own team thinks it’s malicious,” he added.

“And currently, Google does not want to acknowledge that the [Chrome App Store] is overrun with developers asking for permissions on two domains, one they control and one they don’t. This is the practice that just needs to stop as soon as possible or be publicly acknowledged by Google so they can explain future fixes to avoid these issues.”
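The pattern Edwards describes, an extension that requests host access to a site its developer cannot own (facebook.com) alongside a domain the developer does control, is something an extension reviewer or enterprise admin can check for mechanically before allowing an install. The script below is an added example, not code from the LOC extension, Brave or Facebook; the two manifests in it are constructed, the extension names and the `.invalid` backend domain are hypothetical, and only the `permissions`, `host_permissions` and `content_scripts` keys are real Chrome manifest fields. It goes slightly beyond the article by also treating instagram.com as a protected domain and by counting `<all_urls>` as the third-party side of the pair.

```python
"""Audit a Chrome extension manifest for the cross-domain permission pattern:
host access to a site the developer cannot own plus a domain they do control.

Added example for illustration; the manifests below are constructed and the
names and domains in them are hypothetical.
"""
import json
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed MV3 manifest: facebook.com plus the developer's own backend.
TWO_DOMAIN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "example-cleanup-tool",                # hypothetical
    "host_permissions": [
        "https://*.facebook.com/*",
        "https://business.facebook.com/*",
        "https://api.example-backend.invalid/*",    # hypothetical backend
    ],
    "permissions": ["storage", "tabs"],
})

# Constructed MV2 manifest: facebook.com only, so it should not be flagged.
SINGLE_DOMAIN_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "example-theme",                       # hypothetical
    "permissions": ["storage", "https://*.facebook.com/*"],
})

# Registrable domains an extension author cannot own (the article names
# facebook.com; instagram.com is added as the other Meta property mentioned).
PROTECTED_DOMAINS = {"facebook.com", "instagram.com"}


def host_patterns(manifest: Dict) -> List[str]:
    """Collect every match pattern that grants page/host access.

    MV3 lists them under 'host_permissions'; MV2 mixes them into
    'permissions' next to API names such as 'storage'.  Content-script
    'matches' also imply access to those pages, so they are included.
    """
    patterns = list(manifest.get("host_permissions", []))
    patterns += [p for p in manifest.get("permissions", []) if "://" in p]
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def registrable_domain(pattern: str) -> Optional[str]:
    """Reduce 'https://*.facebook.com/*' to 'facebook.com'.

    Returns None for '<all_urls>' or a bare host wildcard, which cover
    every site and are handled separately by the caller.
    """
    if pattern == "<all_urls>":
        return None
    host = urlsplit(pattern.replace("*://", "https://")).hostname or ""
    host = host.lstrip("*.")
    if not host:
        return None
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def audit(manifest_json: str) -> Dict:
    """Flag a manifest that pairs a protected domain with any other host."""
    manifest = json.loads(manifest_json)
    domains = set()
    all_urls = False
    for pattern in host_patterns(manifest):
        domain = registrable_domain(pattern)
        if domain is None:
            all_urls = True
        else:
            domains.add(domain)
    protected = sorted(domains & PROTECTED_DOMAINS)
    third_party = sorted(domains - PROTECTED_DOMAINS)
    return {
        "name": manifest.get("name"),
        "protected": protected,
        "third_party": third_party,
        "all_urls": all_urls,
        # The pairing itself is the signal, not facebook.com access alone.
        "flagged": bool(protected) and (bool(third_party) or all_urls),
    }


if __name__ == "__main__":
    for sample in (TWO_DOMAIN_MANIFEST, SINGLE_DOMAIN_MANIFEST):
        print(json.dumps(audit(sample), indent=2))
```

The check deliberately does not flag an extension for touching facebook.com on its own; plenty of legitimate extensions do. What it surfaces is the combination Edwards points at: a protected site in the same manifest as a domain the developer does control, which is the arrangement that lets anything read from the protected site be sent elsewhere.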

Edwards said that between the vast scope of Chrome extension permissions and Facebook’s baffling decision to keep this “god-mode” token embedded on a page for years after being alerted to the issue, it’s a perfect storm for data theft. ®

Updated to add

After this story was published, a Meta spokesperson emailed to say, “We are reviewing these allegations and will take appropriate action to comply with our policies and protect individuals’ information.”
