Security News > 2022 > February > Facebook exposes 'god mode' token that could siphon data

Facebook exposes 'god mode' token that could siphon data
2022-02-12 00:28

A malicious developer could harvest Facebook data using the same access method, because Facebook is exposing a plain-text token that grants what security researcher Zach Edwards describes as "God mode."

The request returns an access token to the extension for the logged-in Facebook user, allowing further programmatic interactions with Facebook data.

Edwards told The Register, "Facebook faced nearly an identical scandal in 2018 when 50 million Facebook accounts were scraped due to a token exposure." And yet Facebook appears to consider this data dispensing token to be a feature, not a bug.

"Facebook seems to have not learned their lesson from 2018 and is still exposing a plain text god mode token for every user, on a niche page that specific developers know about," said Edwards.

"Facebook just happens to have a legacy web permission hardcoded into a page on their 'creator studio' they built, which makes it possible for someone who controls one of these extensions to scrape hundreds of thousands of Facebook tokens, without ever signing up for the Facebook developer program and using the correct/native Facebook app/dev sharing features," explained Edwards.

"Basically, Facebook can't 'ban' an extension, even if Facebook knows the extension should not be allowed to request permissions on facebook.com and their own team thinks it's malicious," he added.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/02/12/facebook_god_mode/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Facebook 29 0 11 46 54 111