Hackers Could Have Exploited Facebook Accounts Via Oculus App
Vulnerabilities allowed Facebook account hijacking through the Oculus integration
Facebook’s integration with the Oculus virtual reality headset could have allowed malicious attackers to hijack Facebook accounts through flaws in the Oculus service, had the social networking giant not patched the vulnerabilities.
Oculus, best known for its Oculus Rift virtual reality (VR) headset, was founded in 2012. In March 2014, Facebook announced that it would acquire Oculus VR, and the acquisition was completed in July 2014. In August 2014, Facebook included Oculus Rift in its white hat bug bounty program and paid money to researchers for reporting bugs. Since then, several vulnerabilities have been found in Oculus services, including a series of flaws that earned a researcher $25,000.
In October 2017, Josip Franjkovic, a web security consultant, decided to examine the Oculus application for Windows, which enables users to connect their Facebook accounts for a more social experience by using both the native Windows Oculus application and browsers.
In his research, Franjkovic demonstrated how an attacker could use specially crafted GraphQL queries to connect a victim’s Facebook account to the attacker’s Oculus account and obtain the victim’s access_token, which also has access to Facebook’s GraphQL endpoint. With further specially crafted GraphQL queries, the attacker could take control of the victim’s Facebook account, change the account’s phone number, and then reset the account’s password.