Facebook is the largest social network, and nearly every internet user seems to have an account. From time to time world-class hackers and security researchers find vulnerabilities and loopholes in it; some report them to the Facebook security team for a bounty, others sell them online. One weakness, reported on 5/9/2013, is, according to this report, still unpatched and still works today.
This time the method was used by a penetration tester from Egypt named "Ahmed Elsobky" to hijack a Facebook account: a man-in-the-middle attack.
What is the Vulnerability?
The loophole is access token hijacking. He demonstrated the complete method on his personal blog.
We can't reproduce the full walkthrough here, so visit Ahmed Elsobky's personal blog {HERE} for that; below we explain how Ahmed was able to take over a Facebook account.
The main point is the apps you use. They act with your access token in order to post on your behalf, and not every app needs that. Be very careful before you click Allow on a "post on your behalf" request. The image below shows an app asking for permission to use your account to post, message, tag and share on your behalf:
If you click Allow, the app is given temporary access to the Facebook APIs through your token. Most users install apps such as Candy Crush Saga or Lexulous Word Game, so beware of fake apps that imitate them as well.
More about Access Tokens:
Do you know? If anyone learns your access token, that person can use your account, with whatever permissions the token carries, until the token expires or is revoked. Facebook does not know the difference: a request carrying the token looks the same whether you or the attacker sent it.
How you can protect yourself from this Vulnerability:
You can stay on the safe side by making sure your browser uses HTTPS while you use a Facebook app. If the app or the API call goes over plain HTTP, the token travels in cleartext and anyone on the network path (the man in the middle) can read it. The "HTTPS Everywhere" browser extension upgrades connections automatically so that what you send and receive is encrypted in transit. Two caveats: the extension only helps for sites that actually serve HTTPS, and it only covers the browser, not native mobile apps. It is also worth reviewing the apps listed in your Facebook settings and removing any you do not recognise, which revokes their access.
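To make the two points above concrete (a leaked token is reusable, and HTTPS is what keeps it off the wire), here is a small added example that is not part of the original article or of Ahmed Elsobky's write-up. It takes a constructed list of requests, such as a proxy or packet capture on an open Wi-Fi network might record, flags every request that carries a token over plain http, and then shows that rewriting the same requests to https (roughly what HTTPS Everywhere does in the browser) leaves nothing readable in transit. The host game.example, the token values and the parameter names other than access_token (the Graph API's own parameter) are assumptions made up for the example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed sample of requests as a proxy or packet capture might record them:
# (method, url, headers). Hosts other than graph.facebook.com and all token values
# are made up for this example.
SAMPLE_REQUESTS = [
    ("GET", "http://graph.facebook.com/me/feed?access_token=EAABfakeToken1&limit=5", {}),
    ("POST", "https://graph.facebook.com/me/feed?access_token=EAABfakeToken2", {}),
    ("GET", "http://game.example/api/score?fb_token=EAABfakeToken3", {}),
    ("GET", "http://game.example/leaderboard?page=2", {}),
    ("GET", "http://game.example/api/profile", {"Authorization": "Bearer EAABfakeToken4"}),
]

# Query parameter names under which a token may be forwarded. "access_token" is the
# Graph API's own parameter; the others are assumptions about third-party apps.
TOKEN_PARAMS = ("access_token", "fb_token", "oauth_token")


def find_token(url, headers):
    """Return (token, where) if the request carries a bearer-style token, else None."""
    query = parse_qs(urlsplit(url).query)
    for name in TOKEN_PARAMS:
        if name in query:
            return query[name][0], "query"
    auth = headers.get("Authorization", "")
    if auth.lower().startswith("bearer "):
        return auth[7:].strip(), "header"
    return None


def exposed_tokens(requests):
    """Tokens an on-path attacker can read: those sent over plain http.

    Over https the whole request (path, query string and headers) is encrypted,
    so the same token inside an https request is not listed.
    """
    leaks = []
    for method, url, headers in requests:
        found = find_token(url, headers)
        if found and urlsplit(url).scheme.lower() == "http":
            token, where = found
            leaks.append({"method": method, "url": url, "token": token, "via": where})
    return leaks


def upgrade_to_https(requests):
    """Rewrite http:// URLs to https://, the essence of what HTTPS Everywhere does.

    Caveat: this only protects the token if the host really serves the same
    endpoint over TLS; the rewrite itself cannot create a TLS endpoint.
    """
    upgraded = []
    for method, url, headers in requests:
        parts = urlsplit(url)
        if parts.scheme.lower() == "http":
            url = urlunsplit(("https",) + tuple(parts[1:]))
        upgraded.append((method, url, headers))
    return upgraded


if __name__ == "__main__":
    for leak in exposed_tokens(SAMPLE_REQUESTS):
        print(f"{leak['method']} {leak['url']}  token via {leak['via']}: {leak['token'][:8]}...")
    print("after https upgrade:", exposed_tokens(upgrade_to_https(SAMPLE_REQUESTS)))
```

Run as-is, the script lists three exposed tokens: the Graph API call and the game's score endpoint both carry the token in the query string over http, and the profile call sends it in an Authorization header, which is just as readable on an unencrypted connection. The one https request is not listed even though it carries a token, and after the upgrade the list is empty. Note that a token in a query string can also survive in server logs and Referer headers even over https, which is one reason the header form is preferable; the example only models the on-path reader the article is about.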