Facebook exposes ‘god mode’ token that could siphon data through L.O.C. extension, but dev says they are not harvesting that information


Brave this week said it is blocking the installation of a popular Chrome extension called L.O.C. because it exposes users’ Facebook data to potential theft.

“If a user is already logged into Facebook, installing this extension will automatically grant a third-party server access to some of the user’s Facebook data,” explained Francois Marier, a security engineer at Brave, in a GitHub Issues post. “The API used by the extension does not cause Facebook to show a permission prompt to the user before the application’s access token is issued.”

However, the developer of the extension, Loc Mai, told The Register that his extension is not harvesting information – as the extension’s privacy policy states. The extension currently has around 700,000 users.

“Facebook just happens to have a legacy web permission hardcoded into a page on their ‘creator studio’ they built, which makes it possible for someone who controls one of these extensions to scrape hundreds of thousands of Facebook tokens, without ever signing up for the Facebook developer program and using the correct/native Facebook app/dev sharing features,” explained Edwards.

This highlights a real threat that bad actors could make use of. As long as the token path has not been exploited in the meantime, no harm should have been done. Only the browser vendor itself can ban an extension, and Meta is apparently looking into the issue too. The article below unpacks the potential vulnerability in a bit more detail.

See https://www.theregister.com/2022/02/12/facebook_god_mode/

#technology #privacy #facebook