Facebook Security Flaw Lets Developers Access Anyone’s Account

An internet application and internet security specialist recently discovered a Facebook security flaw that allowed developers to access anyone’s personal Facebook account by using application permissions.

Application permissions (or just app permissions) are used by developers to access user data that is needed to run applications. If you’re an avid Facebook user, you’ve probably granted access privileges while installing new apps.

Nir Goldshlager, the man responsible for the discovery, said that the flaw gave him full permission to access account data including inbox, outbox, page management, advertisement management, photos, and videos.

He told Business Insider, “By exploiting this flaw I could steal unique access tokens that provide me full control over any Facebook account.”

Even more disturbing, Goldshlager said that the flaw could bypass two-step verification.

The flaw didn’t only put at risk Facebook users who had installed third-party applications, though. Because it allowed access through Facebook’s built-in apps, it put everyone on the network at risk.

But no worries: according to CNET, the internet security specialist quickly reported the issue to Facebook, and the company has since corrected the problem.

Facebook had this to say about the security flaw: “We applaud the security researcher who brought this issue to our attention and for responsibly reporting the bug to our White Hat Program. We worked with the team to make sure we understood the full scope of the vulnerability, which allowed us to fix it without any evidence that this bug was exploited in the wild. Due to the responsible reporting of this issue to Facebook, we have no evidence that users were impacted by this bug. We have provided a bounty to the researcher to thank them for their contribution to Facebook Security.”

Mighty nice of you, Facebook.

Should Facebook users be concerned about other security vulnerabilities? Can we ever truly be 100 percent protected?