
Hackers may have compromised Facebook accounts through Oculus

Facebook's integration with Oculus virtual reality headsets could have opened the door for attackers to hijack Facebook accounts through the Oculus application, had the social media giant not fixed the vulnerabilities.

Oculus, best known for its Oculus Rift virtual reality (VR) headsets, was founded in 2012. In March 2014, Facebook announced it would acquire Oculus VR, and the deal was completed in July 2014. In August 2014, Facebook included Oculus Rift in its bug bounty program for "white hat" hackers, offering money to researchers for reporting vulnerabilities. Since then, several vulnerabilities have been found in Oculus services, including a number of flaws that earned one researcher 1,400,000.

In October of last year, Josip Franjkovic, a web security consultant, decided to examine the Oculus application for Windows, which allows users to connect their Facebook accounts for a more social experience through the native Windows Oculus app and browsers.

In his research, Franjkovic demonstrated how an attacker could hijack Facebook accounts using specially crafted GraphQL queries designed to connect the victim's Facebook account to the attacker's Oculus account and obtain the access_token. The attacker then also has access to the victim's GraphQL endpoint and, using further specially crafted GraphQL queries, can take control of the victim's Facebook account, change the phone number, and then reset the account password.

Franjkovic reported the vulnerability to Facebook on October 24 under the company's bug bounty program. A temporary fix was released the same day by disabling the facebook_login_sso endpoint, and Facebook released a permanent patch on October 30.

However, a few weeks later Franjkovic discovered a login CSRF (cross-site request forgery) vulnerability that could have been used to bypass Facebook's patch by redirecting the victim to an Oculus URL of the attacker's choosing.

Franjkovic reported the second bug to Facebook on November 18. A temporary fix was made the same day by again disabling the facebook_login_sso endpoint, and three weeks later the company released a full patch.
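Both bugs share a root cause: an account-linking (SSO) flow that did not bind the link request firmly to the browser session of the user who started it, and that could be steered to a redirect target the attacker chose. The following is an added example, not code from the article or from Facebook/Oculus, showing the two defensive checks a linking endpoint needs: a per-session, single-use `state` value that is verified on the callback, and an allowlist for the post-login redirect. All names (`LinkService`, `SERVER_KEY`, `example-oculus.invalid`) are constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Constructed values for the example; a real service loads these from configuration.
SERVER_KEY = b"constructed-signing-key-replace-me"
ALLOWED_REDIRECT_HOSTS = {"example-oculus.invalid"}  # hypothetical allowlist of first-party hosts


def issue_link_state(session_id: str) -> str:
    """Mint a one-time 'state' value bound to the browser session that began the link flow.

    The HMAC ties the random nonce to session_id, so a state minted for one session
    is useless when presented from another (the login-CSRF case).
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def state_is_bound_to_session(session_id: str, state: str) -> bool:
    """Recompute the MAC for this session and compare it in constant time."""
    nonce, sep, mac = state.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def redirect_is_allowed(url: str) -> bool:
    """Permit post-login redirects only to allowlisted hosts, and only over https."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS


class LinkService:
    """Toy account-linking backend: maps a local account to an external (SSO) identity."""

    def __init__(self) -> None:
        self.links = {}            # local_user -> external_identity
        self.used_states = set()   # states already consumed, to stop replay

    def begin_link(self, session_id: str) -> str:
        """Step 1: the logged-in user starts linking; the state rides along to the SSO provider."""
        return issue_link_state(session_id)

    def complete_link(self, session_id: str, local_user: str, external_identity: str,
                      state: Optional[str], redirect_uri: str) -> str:
        """Step 2: the SSO callback. Every check must pass before the identities are joined."""
        if state is None:
            return "rejected: missing state"
        if state in self.used_states:
            return "rejected: replayed state"
        if not state_is_bound_to_session(session_id, state):
            return "rejected: state not bound to this session"
        if not redirect_is_allowed(redirect_uri):
            return "rejected: redirect target not on allowlist"
        self.used_states.add(state)
        self.links[local_user] = external_identity
        return "linked"


if __name__ == "__main__":
    svc = LinkService()
    st = svc.begin_link("sess-A")
    print(svc.complete_link("sess-A", "alice", "ext-alice", st, "https://example-oculus.invalid/done"))
    # A state minted for session A, presented from session B, is refused.
    print(svc.complete_link("sess-B", "bob", "ext-x", svc.begin_link("sess-A"), "https://example-oculus.invalid/done"))
```

The order of the checks matters: the state is consumed only after the redirect target has been validated, so a callback rejected for a bad redirect cannot burn a legitimate state, and the binding check runs before any account data is written.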

Although Franjkovic did not disclose the amount of the rewards he received from Facebook for discovering the vulnerabilities, the social media giant revealed last week that it ended up paying $1,400,880,000 in bug bounties to security researchers in 2017.

News written by Noé Cruz, founder and creator of the blog 1000 computer tips.

01/02/2018