Facebook team moved fast to issue a temporary fix

Jul 10, 2014 11:20 GMT  ·  By
Developer received $20,000 / €14,500 through Facebook’s Bug Bounty Program

An old API (application programming interface) that Facebook had overlooked allowed a potential attacker to take control of users' accounts.

The flaw, a misconfigured endpoint, allowed the legacy REST API to make calls on behalf of any Facebook user with no authentication; only the victim's user ID was needed.

Security researcher Stephen Sclafani discovered that, using the still active REST API, which is the predecessor of the Graph API, he could gain unauthorized access to a Facebook account and not only view private messages, but also read private notes, find the primary email address, post links and messages, interact with the victim’s friends or delete comments.

To put it simply, he could carry out actions that all cybercriminals wish they could, in a fashion that did not require any social engineering.

Graph API is designed to allow third-party apps to read and write to Facebook. It is used for querying data, posting new content, uploading photos or any other task an app may need in order to facilitate the user’s connection to the social network account.

After Facebook switched to the new API, they removed documentation for REST API, but did not disable the endpoint that receives calls from it.

Sclafani managed to find the necessary documentation online. “The REST API was the predecessor of Facebook’s current Graph API. All of the documentation for the REST API has been removed from Facebook’s website but I was able to piece together some of it from the Wayback Machine. The REST API consists of methods that can be called by both Web applications (websites) and Desktop applications (JavaScript, mobile, and desktop applications),” he said in a blog post.

During a penetration test, he discovered a request that made an API call directed to a non-standard endpoint. Through online searches, the security researcher pieced the clues together and learned that the server was using Facebook’s outdated REST API, which consists of methods that websites and applications can call with a GET or POST request.

Since the API was still used by some apps, Sclafani managed to apply changes to a test account without prior authentication.
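The core defect, shown as an added illustration rather than Facebook's own code: a legacy handler that acts on whatever user ID the caller supplies, beside a hardened handler that derives identity from a verified session and rejects the retired methods outright. The method names, session table and note data are constructed for the example.

```python
from typing import Optional

# Constructed sample data (not real Facebook data): private notes per user ID,
# and a session table mapping a verified token to the user who holds it.
NOTES = {"1001": ["private note of user 1001"], "1002": []}
SESSIONS = {"tok-abc": "1002"}
# Hypothetical legacy method names that the service no longer offers.
RETIRED_METHODS = {"notes.get", "message.get"}


def legacy_rest_call(method: str, params: dict) -> dict:
    """Vulnerable pattern: identity is taken from the caller-supplied 'uid'.

    Anyone who knows a user ID can read that user's private notes, because the
    handler never checks that the caller is actually that user.
    """
    uid = params.get("uid")
    if method == "notes.get" and uid in NOTES:
        return {"ok": True, "notes": NOTES[uid]}
    return {"ok": False, "error": "unknown method or user"}


def hardened_rest_call(method: str, params: dict,
                       session_token: Optional[str]) -> dict:
    """Hardened pattern: retired methods are refused, and the acting user is
    whoever the session token resolves to; any 'uid' in params is ignored."""
    if method in RETIRED_METHODS:
        # Disable the legacy surface instead of leaving it live but undocumented.
        return {"ok": False, "error": "method retired"}
    user = SESSIONS.get(session_token or "")
    if user is None:
        return {"ok": False, "error": "authentication required"}
    if method == "graph.notes":
        # Act only as the authenticated user, never as params["uid"].
        return {"ok": True, "notes": NOTES.get(user, [])}
    return {"ok": False, "error": "unknown method"}
```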

It is worth noting that Facebook issued a temporary fix for the matter in a little under three hours after Sclafani sent them the initial disclosure report, on April 23. The researcher was awarded a bounty of $20,000 / €14,500 through Facebook’s Bug Bounty Program.