Facebook tackles developer databases leaking at least one million user records

The external databases were used by Android app developers who harvested and stored user data.
Written by Charlie Osborne, Contributing Writer

Facebook has tackled two serious security issues disclosed through the social networking giant's bug bounty programs, including an external data leak potentially impacting over one million users.

In light of the Cambridge Analytica scandal, in April 2018, the company expanded its bug bounty scope to include the misuse of user data by developers.

The program, known as the Data Abuse Bounty scheme, received a report from Nightwatch Security researcher Yakov Shafranovich which detailed how a third-party Android application with Facebook API access was copying and storing data outside of the social network in an insecure manner.

Disclosed this week, the security failure was first discovered in September 2018. 

The Android application, available in the Google Play store, described itself as a way to provide "additional functionality to Facebook users that are not available through the platform," and has been downloaded over one million times. 


While it is not known how many users have been impacted, it is known that the application accessed user data through the Facebook API and copied this information to a Firebase database and an API server without any authentication or HTTPS protection in place.

"This would allow an attacker to mass-download the user data accumulated by the application from its users," Nightwatch Security says. "We do not know for sure how many users have been impacted or exposed, but one of the databases accessed contained over 1,000,000 records."

The Facebook app associated with the insecure software has been removed, but the Android app is still available.

The data leak was reported through the Facebook Data Abuse Bounty program in September, leading to the insecure storage systems being secured in November. Under the rules of the program, a bug bounty payout was issued, and while the figure has not been disclosed, Facebook offers payouts of up to $40,000 for valid reports.

This is not the only security issue Facebook has tackled in recent months. Earlier this week, a bug hunter who goes by the name Samm0uda disclosed a CSRF protection bypass vulnerability uncovered in the main Facebook website domain.

"This bug could have allowed malicious users to send requests with CSRF tokens to arbitrary endpoints on Facebook which could lead to a takeover of victims' accounts," the researcher said. "In order for this attack to be effective, an attacker would have to trick the target into clicking on a link."

The vulnerable endpoint was facebook.com/comet/dialog_DONOTUSE/?url=XXXX, in which XXXX is the endpoint to which the POST request would be made. The CSRF token, fb_dtsg, was automatically added to the request body by the server, so if a victim visited the URL by way of a crafted, malicious app, the attacker could have the token attached to a request of their choosing and hijack account processes.

"This is possible because of a vulnerable endpoint which takes another given Facebook endpoint selected by the attacker along with the parameters and makes a POST request to that endpoint after adding the fb_dtsg parameter," Samm0uda added. "Also this endpoint is located under the main domain www.facebook.com which makes it easier for the attacker to trick his victims to visit the URL."

While testing the security flaw, the researcher found that he was able to publish posts on timelines, delete profile pictures, and trick users into deleting their accounts -- on the proviso that the user entered their password at the deletion prompt.

In order to fully hijack an account, it would be necessary for a new email address or phone number to be added to the target account. However, this would require a victim to visit two separate URLs.

The bug bounty hunter bypassed this restriction by finding endpoints that accept a "next" redirect parameter, so that the two requests could be chained and an account takeover made with a single click.
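The defect described above is a server-side "dialog" endpoint that takes a caller-supplied URL, attaches the session's CSRF token to the request body, and POSTs it on the user's behalf, combined with a "next" redirect parameter that lets several such actions be chained from one link. The following is an added example, not Facebook's code or Samm0uda's scripts: it models both the vulnerable behaviour and a hardened version as pure functions so the difference can be checked offline. The endpoint names, the allowlist, the session object and the token value are all assumptions constructed for the illustration.

```javascript
// Added example (not the page's or Facebook's code). Models a CSRF-token-attaching
// "dialog" endpoint and a "next" redirect parameter, vulnerable vs hardened.

const ORIGIN = "https://www.facebook.com"; // origin the dialog page lives on

// Assumption: the only targets a dialog page legitimately needs to POST to.
// A real deployment would derive the target from the dialog type, never from
// a free-form URL supplied by the caller.
const SAFE_DIALOG_TARGETS = new Set(["/dialog/share_submit", "/dialog/feed_submit"]);

// Vulnerable pattern: trusts the caller-supplied `url`, adds the session's
// CSRF token itself and forwards whatever parameters it was given. Because
// the server supplies the token, whoever lures the victim to this URL never
// needs to know it, which is exactly what the token was meant to prevent.
function vulnerableDialog(session, url, params) {
  const target = new URL(url, ORIGIN);
  return {
    method: "POST",
    url: target.toString(),
    body: { ...params, fb_dtsg: session.csrfToken },
  };
}

// Hardened pattern: the target must be same-origin and on an allowlist, and
// the token must arrive with the request (the server verifies it, it does not
// mint it). Either failure rejects the request instead of forwarding it.
function hardenedDialog(session, url, params) {
  const target = new URL(url, ORIGIN);
  if (target.origin !== ORIGIN || !SAFE_DIALOG_TARGETS.has(target.pathname)) {
    return { error: "target not allowed" };
  }
  if (params.fb_dtsg !== session.csrfToken) {
    return { error: "missing or invalid CSRF token" };
  }
  return { method: "POST", url: target.toString(), body: params };
}

// "next" handling: only a same-origin relative path is followed. Protocol-
// relative ("//host"), absolute and backslash-prefixed values all resolve to
// a different origin under the WHATWG URL parser and fall back to "/", which
// stops an externally hosted link from chaining several actions together.
function safeNext(next) {
  const FALLBACK = "/";
  if (typeof next !== "string" || !next.startsWith("/") || next.startsWith("//")) {
    return FALLBACK;
  }
  const resolved = new URL(next, ORIGIN);
  return resolved.origin === ORIGIN ? resolved.pathname + resolved.search : FALLBACK;
}

// Constructed session and a hypothetical account-settings path (not a real endpoint).
const session = { csrfToken: "constructed-token-123" };
console.log(vulnerableDialog(session, "/hypothetical/add_email", { email: "x@example.test" }));
console.log(hardenedDialog(session, "/hypothetical/add_email", { email: "x@example.test" }));
console.log(safeNext("//evil.example/"), safeNext("/me/photos?tab=1"));
```

The hardened version changes two things at once: the server no longer chooses the target from untrusted input, and it no longer injects the anti-CSRF token on the caller's behalf. Fixing only the allowlist would still leave a token-attaching proxy in place for the allowed targets; fixing only the token check would still let the endpoint be used to reach arbitrary internal paths.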


Samm0uda created several externally hosted scripts which, once the malicious app was authorized as the user, were able to pull user access tokens and bypass Facebook's redirection protections to forcefully add a new email address to the target account -- potentially allowing an attacker to reset the password and take over a Facebook profile.

Account hijacking is deemed a serious issue for Facebook and users alike. The tech giant received a report of the security flaw on 26 January, and it was fixed by 31 January. Samm0uda received a bug bounty reward of $25,000 for his efforts.

