Facebook Privacy Flaw Let A Hacker Access Any User Account


Is it true that a hacker could have accessed every single Facebook account due to a privacy flaw? Actually, yes. And he wrote about how he did it on his blog.

Gizmodo reported Monday that web applications security specialist Nir Goldshlager posted details of how he was able to gain access to any Facebook account he wanted because of a flaw in Facebook's OAuth -- a method of authentication used by the social network.

On his blog, Goldshlager explained how he was able to exploit the Facebook privacy flaw and "steal unique access tokens" that gave him access to a person's full Facebook account. The hacker says the only way users can protect themselves from this type of hack would be to change their passwords.

Luckily, Goldshlager was not looking to exploit Facebook users and reported the security flaw to the social network so the loophole could be fixed.

Facebook confirmed Goldshlager's claims and says it has fixed the privacy flaw. The social network released this statement to CBS News via email:

We applaud the security researcher who brought this issue to our attention and for responsibly reporting the bug to our White Hat Program. We worked with Mr. Goldshlager to make sure we understood the full scope of the vulnerability, which allowed us to fix it without any evidence that this bug was exploited in the wild. Due to the responsible reporting of this issue to Facebook, we have no evidence that users were impacted by this bug. We have provided a bounty to the researcher to thank them for their contribution to Facebook Security.