Bitdefender has identified a flaw in the Facebook account registration process which indirectly allows attackers to access user profiles on websites that have the Facebook Social Login feature enabled.
The vulnerability could be exploited if an attacker discovered that the victim has an e-mail address which they use on a regular basis but have never used to register a Facebook account.
The attacker could create a Facebook profile with the victim's e-mail address, and when Facebook asks for confirmation of identity, the attacker adds an e-mail account of their own as a secondary e-mail address.
The attacker could then use the primary e-mail address (the victim's address) together with the secondary e-mail address (the attacker's own address) to get Facebook to confirm the account.
Facebook will "see" that the account has been confirmed, even though only the secondary e-mail address was used and not the primary one (the victim's).
Although this looks like a simple flaw in Facebook's registration process, its impact is wider. Because Facebook's Social Login feature lets users sign up for and log in to other sites with their Facebook account, a confirmed Facebook account that carries an e-mail address owned by someone else is dangerous.
Imagine that the victim had an account at an online store or a business management portal where Facebook Social Login is enabled. The attacker could log in automatically as the victim.
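One defensive measure a site that offers Social Login can take, shown here as an added example that is not Bitdefender's or Facebook's code: never link a social identity to an existing local account purely because the e-mail addresses match, regardless of any "verified" status the provider reports. The assertion fields and the in-memory user store are assumptions constructed for the illustration.

```python
# Added example: relying-party handling of a social-login callback that refuses
# to auto-link on e-mail match. Field names and the store are constructed.
from dataclasses import dataclass, field


@dataclass
class LocalAccount:
    user_id: str
    email: str
    links: set = field(default_factory=set)  # {(provider, provider_user_id)}


class Directory:
    """Constructed in-memory user store standing in for a real database."""

    def __init__(self):
        self.by_email = {}
        self.by_link = {}

    def add(self, acct):
        self.by_email[acct.email.lower()] = acct
        for link in acct.links:
            self.by_link[link] = acct


def resolve_social_login(assertion, directory):
    """Return (outcome, account) for a social-login assertion.

    'login'           - this exact provider identity was linked earlier: sign in.
    'new'             - no local account uses that e-mail: create one and link it.
    'verify_required' - a local account with that e-mail exists but never linked
                        this identity: the site must confirm ownership out of band
                        (e.g. a challenge sent to the address on file) before
                        linking. The provider's 'email_verified' flag is ignored
                        on purpose: in the case described above the provider
                        itself believed the address was confirmed.
    """
    link = (assertion["provider"], assertion["provider_user_id"])
    email = assertion["email"].lower()
    linked = directory.by_link.get(link)
    if linked is not None:
        return "login", linked
    existing = directory.by_email.get(email)
    if existing is not None:
        return "verify_required", existing
    acct = LocalAccount(user_id=f"u-{len(directory.by_email) + 1}",
                        email=email, links={link})
    directory.add(acct)
    return "new", acct
```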
Bitdefender researchers have notified Facebook of the vulnerability.