Facebook OAuth is used to communicate between Applications & Facebook users, to grant additional permissions to your favorite apps. To make this possible, users have to ‘allow or accept’ the application request so that app can access your account information with required permissions.
As a normal Facebook user we always think that it is better than entering your Facebook credentials, we can just allow specific permissions to an app in order to make it work with your account.
Today whitehat Hacker ‘Nir Goldshlager’ reported ‘The Hacker News’ that he discovered a very critical vulnerability in Facebook’s OAuth system, that allowed him to get full control over any Facebook account easily even without ‘allow or accept’ options.
Where app_id is the application ID and next parameter must contains the URL of the respective app domain only. For example app_id=2389801228 belongs to ‘Texas Holdem Poker‘ app, So the ‘next‘ parameter will allow only zynga.com domain (i.e next=http://zynga.com), otherwise Facebook will block that action.
This finding was enough to redirect user to any file or folder at Facebook domain.
So, to bypass this, he discovered that there are many built-in Facebook applications i.e ‘Facebook Messenger app‘ that can access full permissions (read inbox, outbox, manage pages, manage ads,access to private photos, videos, etc.) from the victim’s account without user interaction i.e no need to click ‘allow’ button.
As a responsible bug hunter, reported this flaw to Facebook security team few months back and now it is fixed. He was rewarded many times in bug bounty program. In January he also reported a Employees Secure Files Transfer service
Note: This tutorial is only for Educational Purposes, I did not take any responsibility of any misuse, you will be solely responsible for any misuse that you do. Hacking email accounts is criminal activity and is punishable under cyber crime and you may get upto 40 years of imprisonment, if got caught in doing so.