Pre-Access to Victim’s Account via Facebook Signup

Email not verified

The sign-in request to the application carries the Facebook access token and the profile data:

https://example.com/auth2/access_token=Eposkdskdpo.........
Request Method: POST
{"email":"example@example.com","name":"hey","id":"fb-id"}

Facebook returns the email field only if the address is verified. A profile with an unverified email comes back without it:

{"id":"facebookidnumber","name":"Myname"}

A profile with a verified email includes it:

{"id":"facebookidnumber","name":"Myname","email":"victimemail@victim.com"}
Account already exists

  1. As the attacker, register a Facebook account using a phone number.
  2. On an application that offers "Sign-In with Facebook", try to create an account.
  3. After the account is created, confirm it by changing the name or profile picture, then log in with the email through a password reset and check that the same settings are present.
  4. Log in via Facebook again to see that you still have access to that account.
Conditions and limitations:

1. The victim must not already have created both a normal and a Facebook account and signed in with them before.
2. If the application alerts users about a sign-in via Facebook and lets them remove the social sign-in, the impact drops considerably.
3. Most applications, when no email is returned, redirect to the home page with the response {"statusCode":400,"error":"invalid_grant","message":"Bad Request","error_description":"Bad credentials"}
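The two server-side behaviours behind conditions 2 and 3, as an added example that is not code from the post or from any application it describes: a weak handler that, when Facebook returns no email, accepts an address typed by the signing-up user (that fallback is an assumption about how such apps behave), beside a fail-closed handler that only creates or links an account on a Facebook-verified email and flags links to pre-existing accounts so the owner can be notified. Profile JSON values and the in-memory user store are constructed.

```python
import json

# Constructed profile responses in the shape the post shows (id/email are made up).
PROFILE_NO_EMAIL = '{"id":"1000001","name":"Myname"}'
PROFILE_VERIFIED_EMAIL = '{"id":"1000001","name":"Myname","email":"victimemail@victim.com"}'

# Same shape as the 400 response quoted in the post.
BAD_REQUEST = {"statusCode": 400, "error": "invalid_grant",
               "message": "Bad Request", "error_description": "Bad credentials"}


def facebook_signup_vulnerable(users, profile_json, typed_email=None):
    """Weak handling (assumed, not taken from the post): when Facebook returns
    no email, the app accepts whatever address the user types and creates the
    account under it, even though nobody verified that address."""
    profile = json.loads(profile_json)
    email = profile.get("email") or typed_email
    if not email:
        return dict(BAD_REQUEST)
    user = users.setdefault(email, {"email": email, "logins": set()})
    # This Facebook id can now open the account tied to an unverified email.
    user["logins"].add(("facebook", profile["id"]))
    return {"statusCode": 200, "email": email, "email_verified": "email" in profile}


def facebook_signup_hardened(users, profile_json):
    """Fail closed: create or link an account only on a provider-verified email.
    Facebook returns `email` only once it is verified, so a profile without it
    must never be mapped to an address supplied by the user."""
    profile = json.loads(profile_json)
    email = profile.get("email")
    if not email:
        return dict(BAD_REQUEST)
    existing = email in users
    user = users.setdefault(email, {"email": email, "logins": set()})
    user["logins"].add(("facebook", profile["id"]))
    # A link to a pre-existing account is the case the owner should be told
    # about and be able to undo in settings (condition 2 above).
    return {"statusCode": 200, "email": email, "linked_existing": existing}
```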