Analysis Multiple Chrome browser extensions make use of a session token for Meta’s Facebook that grants access to signed-in users’ social network data in a way that violates the company’s policies and leaves users open to potential privacy violations.
Security researcher Zach Edwards last week noted that Brave had blocked a Chrome extension called L.O.C. out of concern it exposed the user’s Facebook data to a third-party server without any notice or permission prompt.
L.O.C. utilized an access token that can be easily obtained from Facebook’s Creator Studio web app. After extracting this token – a text string composed of 192 letters and numbers – from the app, the browser extension is able to use it with Facebook’s Graph API without being an approved third-party Facebook app to fetch data about the signed-in user.
It does so, its developer says, to allow users to automate the processing of their Facebook data.
The problem is that data access of this sort could be abused, as it has been in the past. An extension utilizing this token could, for example, copy the user’s data and send it to a remote server without the user’s knowledge or consent. Or it could store the user’s name and email and use that for tracking the individual across websites.
Here’s how a theoretical data theft could occur:
- You create and release a seemingly innocent Chrome extension that can fetch access tokens from Facebook’s Creator Studio.
- Whenever a victim installs your Chrome extension and is signed into Facebook, the extension obtains one of these tokens on the victim’s behalf to silently access their Facebook data via the social network’s Graph API.
- The extension then exfiltrates the victim’s data to a remote server.
The ability to grab an access token from the Creator Studio provides a route for extensions to quietly, automatically harvest signed-in users’ profile data without permission and without having to, say, scrape pages.
The access token is obtained by fetching this page and extracting
accessToken from the source.
In September 2018, Facebook acknowledged a security issue affecting almost 50 million accounts, which it attributed to miscreants stealing access tokens presented by its “View As” feature to allow people to see how their profiles look to others.
“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” explained Guy Rosen, who was VP of Product Management at the time and is now VP of Integrity at Meta. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
The access token available through Creator Studio does not pose the same threat of account takeover as the “View As” token.
A Meta spokesperson told us via email that these sorts of tokens have legitimate uses and provide no access to data beyond what’s available to an individual account holder. And Meta said there’s no indication that the L.O.C. extension has been exfiltrating information from people’s devices. Nonetheless, the token does provide programmatic access to data about signed-in Facebook users without authorization or consent.
It was this risk that prompted browser maker Brave to block the L.O.C. extension, until developer Loc Mai contacted Brave’s development team. A Brave spokesperson said the company is working with the programmer to make some changes – likely a notification or permission prompt – so the extension is acceptable from a privacy and security standpoint.
And it’s a risk that ought to concern Meta and its subsidiaries given Facebook’s 2019 settlement of an FTC investigation that followed from the Cambridge Analytica scandal. As part of that deal, Facebook committed to limiting third-party access to user data.
Cambridge Analytica obtained people’s Facebook profile information via a third-party quiz app that plugged into the social network. There are parallels here: you hope that a quiz app won’t share your Facebook profile info with others, and you hope a Chrome extension avoids that, too.
Though Facebook vowed to put in place measures to prevent another Cambridge Analytica fiasco, the Creators Studio access tokens in the hands of a malicious and widely installed Chrome extension could lead to a repeat of history.
“Under the new framework required by the FTC, we’ll be accountable and transparent about fixing old products that don’t work the way they should and building new products to a higher standard,” Facebook insisted when it promised to clean up data access nearly three years ago.
We’re dealing with it, sort of
In an email to The Register, a Meta spokesperson said the company is dealing with these extensions but that requires the help of Google.
“The access tokens that these extensions request help creators and others to use our tools and products but aren’t capable of accessing data beyond what people can do with their own account or what the session cookie on their browser already provides,” Meta’s spokesperson said in an email.
“Since installing browser extensions can carry risk, we regularly report ones that violate our policies to browser makers like Google to have them removed, as we did in this case. This work is managed by our dedicated External Data Misuse team that focuses on detecting, blocking, and deterring improper automated use of our services.”
Part of the issue is that Google’s Chrome extensions are easy to subvert or misuse and Meta doesn’t have a direct way to prevent the publication of extensions that abuse its Graph API, apart from reporting the issue to Google.
Meta’s spokesperson said that the Creator Studio token is scoped to the user’s session, which means it will expire if the extension user logs out of Facebook. And if the token has not been transmitted to the extension developer’s server, as appears to be the case with the L.O.C. extension, then uninstalling the extension will also cause the token to expire.
The token, we’re told, is not the problem. Rather browser extensions allow users to automate Facebook activities. Meta’s spokesperson advised people to be cautious when installing extensions and said browser makers like Google need to be vigilant and remove unsafe extensions from their web stores.
Edwards told The Register that this is a weird problem because if someone can be convinced to install one of these extensions, that trust could be easily abused. Facebook, he said, isn’t providing any notice to users based on the data permissions they’ve granted, which differs from the notice and authorization prompts that follow from permitted programmatic interaction with the social network.
So far, no action has been taken, and according to Edwards, there are several Chrome extensions at least that similarly co-opt the Creator Studio access token to allow data to be fetched via the Facebook Graph API.
J2TEAM Security (200K users), MonokaiToolkit (10K users), FBVN (80,000 users), and KB2A Tool (50,000 users) all utilize this token, according to Edwards. He explained these all appear to have come out of a Facebook group frequented by Vietnamese-speaking developers who hunt Facebook tokens, ostensibly to provide services the social network doesn’t offer.
The Register has no reason to believe these developers are misusing user data. In fact, J2TEAM Security purports to block Facebook phishing URLs. It is entirely possible to use Facebook’s access token to promote security rather than harm it.
But the fact that this group of developers can access Facebook users’ data through the Graph API in ways that violate Facebook rules – and has been doing so at least since 2017 – shows there is a gap between having rules and enforcing them.
Meta insists it is dealing with these extensions and pointed to its External Data Misuse efforts. The internet giant’s spokesperson reiterated that the company regularly takes action to enforce its policies and noted that Facebook previously sent a cease and desist letter to the developer of the L.O.C. extension and banned him from the platform – though that’s done nothing to disable the extension.
We’re told Meta has made another request to Google to remove the extension from its Chrome Web Store and is looking at the other extensions mentioned above.
Even so, abuse of these sorts of tokens looks likely to continue because Meta says they have legitimate use cases, like enabling access to its Creator Studio app and supporting functionality like Recent Posts in the Creator Home tab. ®