Although Facebook has solved this problem, Nir Goldshlager, a specialist in web application security research that these types of defects professionally, found more bugs that need fixing app authorization, according to his blog. Offers are authorizations that developers use to access user data needed to run their applications. Give their users access permission when installing applications.
"I found a couple more defects OAuth in Facebook, just waiting for a patch to write about it," Goldshlager wrote in his blog, where he detailed his findings.
Facebook would not comment on what other defects may be found Goldshlager but said the original bug, it was not detected leveraged by developers of Facebook real. The company did not say when Goldshlager reported the fault.
"We commend the security researcher who brought this matter to our attention and responsibly a bug in our program White Hat. We worked with the team to ensure that we understood the scope of the vulnerability, which allowed us to solve this problem without any proof that this bug has been exploited in the wild, "a Facebook representative wrote in an e-mail to CNET. "Because of the responsible dissemination of this issue to Facebook, we have no evidence that users were affected by this bug. We have provided a bonus for the researcher to thank them for their contribution to Facebook security." Goldschlager found the bug allowed him to steal the access tokens and get full access to profile as a developer. This included messages, management, managing pages, posting private photos and videos. This applies to profiles that have not install additional applications because it could not pass through built-in Facebook applications, as a messenger, as well. Chips for third-party applications has not expired, unless the victim has changed his password, but the app messenger Facebook messenger chips never expired, he wrote.
