October 7, 2016

Facebook Messenger based OAuth Virus

Stop Facebook spam messages.

Recently, I have been getting a lot of messages from people sharing a video link with my own profile picture as the thumbnail. I am sure many of you have gotten the link too, and some of you may have clicked it out of curiosity.

To be honest, it cannot be termed a virus. I chose a generic title so that it stays on the same technical grounds as all of you. So what is it?

It is an OAuth-based issue that is being misused on a large scale. Let's get to the basics first so that you can all understand what you are dealing with.

What is OAuth?

Open Authorization (OAuth) is an open standard authentication mechanism, commonly used as a way for Internet users to log in to third-party websites using their accounts at Google, Facebook, Microsoft, Twitter, etc., without exposing their password.

You must have seen the "Login with Facebook" button on most websites; it lets you log into other applications using Facebook's authentication, which makes our lives easier.

How does OAuth work?

I don't want to move off topic here. Basically, OAuth has multiple parameters, one of which is the "state" parameter. The state parameter carries a token that, in simple words, confirms that the request originated from you and not from someone else. So if there is a Facebook app without the "state" parameter, what are the consequences?

You guessed it right: it can be misused to forge requests. When you click the video link in your chatbox that someone else sent you, this very flaw in the Facebook app is triggered, and you unknowingly allow someone else to post on your behalf. That is what we call forging requests.
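As an added illustration of the state check described above (example code written for this page, not the author's or Facebook's), the client binds a random state token to the user's session before redirecting, and the callback handler compares it on the way back. The handler without the check accepts a callback link the user never started; the endpoint URL, client id, session object and forged callback are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoint and client id for the example; no real app is involved.
AUTHORIZE_URL = "https://www.facebook.com/dialog/oauth"
CLIENT_ID = "EXAMPLE_APP_ID"
REDIRECT_URI = "https://app.example/oauth/callback"

def start_login(session: dict) -> str:
    """Build the authorize URL and bind a fresh random state to this session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)

def callback_without_state(session: dict, callback_url: str) -> str:
    """Flawed handler: trusts any callback that carries a code."""
    query = parse_qs(urlparse(callback_url).query)
    return query["code"][0]  # a code chosen by the link's sender is accepted as this user's login

def callback_with_state(session: dict, callback_url: str) -> str:
    """Hardened handler: the callback must echo the state stored for this session."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # one-time use
    received = query.get("state", [None])[0]
    if expected is None or received is None or not hmac.compare_digest(expected, received):
        raise PermissionError("state mismatch: callback was not started by this session")
    return query["code"][0]

def demo() -> dict:
    """Replay a constructed, unsolicited callback against both handlers."""
    victim_session: dict = {}  # the victim never started a login, so no state is stored
    forged = REDIRECT_URI + "?" + urlencode({"code": "CODE_CHOSEN_BY_SENDER"})
    results = {"flawed_accepted": callback_without_state(victim_session, forged) == "CODE_CHOSEN_BY_SENDER"}
    try:
        callback_with_state(victim_session, forged)
        results["hardened_accepted"] = True
    except PermissionError:
        results["hardened_accepted"] = False
    # A genuine flow: the state round-trips through the authorize URL and the code is accepted.
    url = start_login(victim_session)
    state = parse_qs(urlparse(url).query)["state"][0]
    genuine = REDIRECT_URI + "?" + urlencode({"code": "REAL_CODE", "state": state})
    results["genuine_accepted"] = callback_with_state(victim_session, genuine) == "REAL_CODE"
    return results
```

The same comparison is what an app registered with Facebook must do on its redirect URI; removing the apps you do not recognise, as the steps below describe, revokes the grants such flows have already obtained.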

How to get rid of OAuth-based spam messages?

  • Go to your Facebook account's settings.
  • Then go to the Apps settings tab.
  • You'll see the Apps, Websites, and Plugins authorized to use your Facebook account.
  • Remove the apps you don't recognize or don't use anymore.
  • Delete all of the previous spam messages.
  • Then go to the Security tab in your Facebook account's settings and end the activity of all other active sessions.
  • Finally, change your password.

I hope this helps you. Stay safe: do not click tempting malicious links and you will be just fine.

Image credits: tlists.com

About Author:
is a professional ethical hacker from Pakistan. He has been listed among top 3 bug hunters of the world. He tweets @Shahmeer_Amir.