Nir Goldshlager just saved your identity. One of the world’s top white hat security researchers, Goldshlager this week helped Skype and Dropbox fix a critical security flaw that could have let hackers take control of their users’ Facebook accounts. Tomorrow Goldshlager will detail how he found the exploit, but he gave TechCrunch the early heads up. Here’s how hackers exploit the hole.
First the good news. Since it was reported responsibly, it appears that no one fell victim to this flaw, known as an “open redirect vulnerability.” The issue essentially occurs when a website doesn’t validate the URL where it sends a user and their access tokens. Normally sites verify that the URLs they send you to are either owned by them or one of their trusted partners. But if they don’t, a hacker who knows someone’s user ID and that they’ve granted permissions to a vulnerable site could visit http://www.MySiteIsVulnerable.com?UserID55555redirect=www.MaliciousSite.com and steal that person’s access tokens, allowing them to take actions as if they were the hacked user. Naughty identity thieves.
In this case, both metrics.skype.com and Dropbox.com were failing to validate redirects, leaving them vulnerable. To be exploited, a hacker would first need to know someone who had connected their Facebook accounts to one of these sites, say metrics.skype.com. Then they could find that person’s Facebook User ID through the Graph API explorer. If the hacker then punched in the right metrics.skype.com… URL with the user ID attached, followed by a redirect to a malicious site they control, Skype would deliver the victim’s Facebook access token. This would let the hacker do anything the user had granted Skype the ability to do, such as post to their wall, pull their personal information, and more. There is no faster way to get unfriended than by spewing spam.
Goldshlager discovered this flaw, but rather than exploit it himself or publish it for other hackers to use, he responsibly reported it to Skype, Dropbox and Facebook, who’ve all confirmed it’s now fixed. In Skype’s case, the issue was actually with one of its partners that builds software for the app, which they fixed together. Though the bug wasn’t Facebook’s fault, the company tells me:
We applaud the security researcher who brought this issue to the attention of the affected organizations and for responsibly reporting the bug to our White Hat Program. These bugs were triggered from open redirect vulnerabilities in domains that were authorized for OAuth. While not a Facebook bug, we have and will continue to work with our OAuth partners to prevent this exploit. Due to the responsible reporting of this issue to Facebook and the affected companies, we have no evidence that users were impacted by this issue.
The whole situation is nothing new for the Israeli security researcher. Goldshlager has been on the top of Facebook’s White Hat ‘Thank You” list for the last two years because he’s reported more bugs than anyone else. He also just started a White Hat security company called Breaksec that helps clients find bugs before crooks do.
Oh, and the guy keeping you safe on the web also has an awesome name. So this drink of spicy cinnamon Schnapps is on us, Mr. Goldshlager. Keep hacking for good.
[Image Credit: elhombredenegro / Flickr]