Bitdefender finds an issue with Facebook's account registration process and its Social Login system

Apr 26, 2016 12:05 GMT

Bitdefender has identified a flaw in Facebook's account registration process that indirectly allowed attackers to take over user profiles on sites where the Facebook Social Login feature was enabled.

The vulnerability could be exploited if an attacker discovered that a victim regularly used an email address that had never been registered with Facebook.

The account takeover procedure was simple

The attacker could create a Facebook profile using the victim's email address and, when Facebook asked him to confirm his identity, add his own email address to the account as a secondary address.

The attacker could then swap the primary email (the victim's address) with the secondary email (his own address) and tell Facebook he was ready to confirm the account.

Facebook would then send the confirmation email to the attacker's address; the attacker would verify the profile and, shortly afterwards, swap the addresses back so that the victim's email address once again became the account's primary identity.

Facebook would treat the account as confirmed, even though only the secondary address (the attacker's) had actually been validated, and not the primary one (the victim's).

Vulnerability could have created big problems for victims

While this may seem to be a minor flaw in Facebook's registration process, in reality it is not. Because Facebook's Social Login feature allows users to register and log in on other sites, registering a Facebook account under someone else's email address is dangerous.

In this scenario, if a victim had an account on an e-commerce store or business management portal where the Facebook Social Login feature was enabled, an attacker could have logged in automatically using the rogue-registered profile and taken over the victim's identity on that site.

Neither Facebook nor the targeted website would be able to spot anything wrong, since everything looked normal on their side. Facebook would see a validated user logging in on another site, and the target site would see one of its registered users signing in with a Facebook profile, without entering a password, with the email addresses of both accounts matching.

Bitdefender reported the issue to Facebook, which has since fixed it. "The identity provider – in this case, Facebook – should wait until the email address has been verified," says Ionut Cernica, the Bitdefender specialist who discovered the issue.
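As an added illustration (not Bitdefender's or Facebook's code), the following constructed Python model replays the sequence the article describes against two versions of an identity provider's `email_verified` claim, and a relying party that only links a local account when that claim is true; all class and function names, the email addresses and the sample shop user are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of an identity provider's account record; not Facebook's code.
@dataclass
class IdpAccount:
    primary: str
    secondary: Optional[str] = None
    verified: set = field(default_factory=set)  # addresses that completed a confirmation mail
    confirmed: bool = False                      # account-level flag (the flawed design)

    def add_secondary(self, email: str) -> None:
        self.secondary = email

    def swap_emails(self) -> None:
        self.primary, self.secondary = self.secondary, self.primary

    def confirm_primary(self) -> None:
        # The confirmation mail goes to whatever address is primary *right now*.
        self.verified.add(self.primary)
        self.confirmed = True

# Two ways the identity provider can populate the claim a relying party sees.
def flawed_claim(acct: IdpAccount) -> dict:
    # Account-level flag: true once *any* address on the account was ever confirmed.
    return {"email": acct.primary, "email_verified": acct.confirmed}

def hardened_claim(acct: IdpAccount) -> dict:
    # Per-address check: true only if the *current* primary address itself was confirmed.
    return {"email": acct.primary, "email_verified": acct.primary in acct.verified}

# Relying party (e.g. a shop): match a local user by email only when it is verified.
def social_login(local_users: dict, claims: dict) -> Optional[str]:
    if not claims.get("email_verified"):
        return None
    return local_users.get(claims["email"])

def replay(claim_fn) -> Optional[str]:
    """Run the steps the article describes; return the local account that gets logged in."""
    shop = {"victim@example.com": "victim-account"}  # constructed sample user on the shop
    acct = IdpAccount(primary="victim@example.com")   # 1. register with the victim's address
    acct.add_secondary("attacker@example.com")        # 2. add own address as secondary
    acct.swap_emails()                                # 3. make own address primary
    acct.confirm_primary()                            # 4. confirmation mail reaches the attacker
    acct.swap_emails()                                # 5. victim's address is primary again
    return social_login(shop, claim_fn(acct))
```

With the account-level flag the shop logs the rogue profile into the victim's account; with the per-address check the claim is false for the victim's address and the relying party refuses to link.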

Image gallery, Facebook Social Login Flaw (4 images): Attacker creates new Facebook account with victim email address; Attacker is asked to confirm own email address; Attacker changes victim email address with his own.