Glitch is constantly monitored, abusive app activity leads to Facebook request to app stores to remove it

Nov 21, 2014 18:00 GMT  ·  By

A security flaw that Facebook rewarded through its Bug Bounty program when it was reported in 2013 still works for some user profiles: it allows posting to the user's timeline by using the access tokens held by mobile apps, even when the app was never granted permission for this action.

After receiving a $2,000 / €1,600 reward for disclosing the bug, Vivek Bansal found at the beginning of November that the proof-of-concept code he had sent to Facebook last year to demonstrate the issue still worked, as if Facebook had taken no corrective action.

For reporting the problem in a responsible way, Bansal was also included in the Facebook Hall of Fame for 2014.

After finding out that it was still active, Bansal reported the bug to the company again, but received no answer until recently.

New share model mitigates the risk

However, it was not the response he expected: Facebook's security team replied that they were aware that the abuse was still possible in a number of cases. Instead of implementing a patch, the developers created a native Share Dialog that lets users share content from third-party mobile apps without having to disclose sensitive information, such as log-in credentials, to the app.

This works by handing the content the user wants to share to the native Facebook mobile app, which then posts it on the social network. The hand-off happens in the background, so the switch between apps is not visible to the user.

Different apps are used to share on Facebook

However, there are still users who do not share this way, because they rely on apps that have not integrated the new content-sharing model, which leaves the door open for spamming the timeline, as Bansal demonstrated in a November 4 video published on YouTube (see below).

“This system is widely used, but there are a few cases where people use other ways to share. When fewer developers host these dialogs themselves, the situation will improve,” Facebook's security team told Bansal in a recent email.

“For now, we’ve implemented a number of systems that help us prevent, detect, and respond to any unwanted posting to people’s Timelines. We use automation to catch abuse, and if we were to find any, we would remove the app and the post(s) immediately and contact the app stores to remove the app,” they added.

In a post on LinkedIn, Bansal points out that, by the time Facebook's abuse-detection system identifies the unwanted posting, the reputation of the affected user would already have been damaged.

Proof-of-concept video: