Security researcher Nir Goldshlager has identified yet another Facebook OAuth vulnerability that can be exploited to hack any account.In the attack method he presented back in February, the expert used the app_id of the Facebook Messenger to gain full access to accounts.
The social media company has addressed the issue by using regex protection, but Goldshlager has discovered another method to exploit the Facebook Messenger app_id.
In addition to this vulnerability, he has also found another way to bypass the OAuth regex protection, but the second attack method only works against Firefox users.
Both issues have been fixed by Facebook shortly after being reported.
Complete technical details of the vulnerability and proof-of-concepts for each of the issues are available on Nir Goldshlager’s blog.