Bitdefender has identified a flaw in the Facebook account registration procedure which indirectly allows attackers to gain access to user profiles on websites that have the Facebook Social Login feature enabled.
The vulnerability could be exploited if an attacker discovered that the victim has an e-mail address which they use on a regular basis, but which has not been registered on Facebook to create an account.
The attacker could create a Facebook profile with the victim's e-mail address and, when Facebook asks them to confirm their identity, add their own e-mail account as a secondary e-mail address.
The attacker could then use the primary e-mail address (the victim's address) together with the secondary e-mail address (the attacker's own address) to get Facebook to confirm the account.
Facebook will "see" that the account has been confirmed, even if only the secondary email address was used and not the first one (of the victim).
Although this looks like a simple flaw in Facebook's registration process, it is more than that. Because Facebook's Social Login feature allows users to sign up for and log in to other sites with their Facebook account, a Facebook account tied to an e-mail address owned by someone else is dangerous.
Imagine that the victim had accounts at online stores or business management portals where the Facebook Social Login feature is enabled. The attacker could log in to them automatically using the victim's profile.
Bitdefender researchers have informed Facebook of the vulnerability.