Why Was Facebook Vulnerable to an Authentication Exploit?

Even the largest companies in the world are susceptible to API vulnerabilities. How modern security defenses fail — and how to fix them.

Why Was Facebook Vulnerable to an Authentication Exploit?
Why Was Facebook Vulnerable to an Authentication Exploit?
breach analysis
part 
 in a 
 part series
Inon Shkedy

Inon Shkedy

What Happened:

As part of a bug bounty program, the AppSecure cybersecurity research team found a vulnerability on the authentication mechanism of Facebook. It gave them the ability to potentially gain full control of the social media giant’s more than 1 billion users. The team won a $15,000 bounty for its discovery.

This vulnerability was found on a niche API, which reminds us that in many cases the most interesting bugs don’t exist on main APIs but on secondary ones that have fewer protection mechanisms in place.

Anand Prakash, CEO of AppSecure and who was credited with finding the bug, explained what he found: “This gave me full access to other user accounts by setting a new password. I was able to view messages, their credit/debit cards stored under their payment section, personal photos, and other private information.”

Even though the vulnerability was discovered in 2016, similar weaknesses have been discovered — and in many cases exploited — ever since. Here is a closer look at the Facebook case and lessons to be learned in modern application development.

Technical Details

The vulnerability exploited the password recovery mechanism on Facebook. The steps of the process were:

  1. The user starts the “forgot password” process by using their email address.
  2. Facebook sends a text message with a temporary 6-digit secret token to the user.
  3. The user enters the received temporary code, and the browser sends an API call to “POST facebook.com/recover/as/code/” with the secret token.

Facebook had implemented an anti-brute force mechanism on this API that blocked the user after 10 failed attempts. However, during their research, the AppSecure team found that the same API endpoint existed on different API hosts, under “beta.facebook.com” and “mbasic.beta.facebook.com.” These API hosts didn’t implement the anti-brute force mechanism, allowing the attacker to easily iterate through the secret token and reset the victim’s password.

Why Current Security Solutions Can’t Detect It

Keeping track of your APIs it’s not an easy task. Modern organizations might have dozens or even hundreds of API hosts for different environments, regions, or versions. Each API host can expose multiple API endpoints that are related to authentication processes including login, forgot password, and one-time login link. Many security solutions in the market focus on protecting your main APIs and don’t have enough visibility into the less common or less used APIs (such as Facebook’s beta API in the example above). Sophisticated attackers choose to target those niche APIs.

How Traceable Solves the Problem

Traceable AI monitors all APIs including the different environments, versions, and regions. For each API host, we automatically and manually detect the authentication endpoints that your APIs expose (including login, forgot password, etc).

This granular understanding of the API structure allows us to set very strict protection for your most sensitive assets.

Interested to learn more?

Watch our recorded demo and see Traceable Defense AI in action!

Inon Shkedy

Recommended reads.