Account Takeover via common misconfiguration in Facebook login

Hello folks,

hope you are doing well, I am Ankit a.k.a Rudra16 a security enthusiastic and Bachelor of Technology Student from india. This is my first blog and it’s about a common misconfiguration present in many mobile apps and website which are using facebook login functionality that can be lead to account takeover. This blog is based on these two hackerone reports and want to thanks both researchers -

Facebook login -

According to facebook developers documentation -”Facebook login is a secure, fast, and convenient way for users to log into your app, and for your app to ask for permissions to access data” Basically it’s a functionality which you can use to request user data from facebook like email, name, profile picture etc. for your website. Whenever you see the login with facebook option in any website or mobile apps it is using facebook login function. you can read more about this here-

Login Flow -

Facebook login can be implemented via two ways- By Manually Building a Login Flow “ if you need to implement browser-based login for a web or desktop app without using our SDKs, such as in a webview for a native desktop app (for example Windows 8), or a login flow using entirely server-side code, you can build a Login flow for yourself by using browser redirects” more you can learn here !![link][ or you can use default login flow -

Facebook login sequence diagram


So the issue is present in step 5 where the facebook app send a access token to target app basically if the app is misconfigured the target app doesn’t verify if the access token is generated by target’s facebook app or any other facebook app. So Attacker replace the access token generated for his app(for victim) to access token generated for targeted app (for attacker) in step 5 and login as victim.

Step To Reproduce-

  1. Create a facebook app by going


An attacker can login any user account who authorized his app and by generating access token for his app token can takeover account


We can prevent this issue by sending another parameter which contain app id and validating it on server side you can read more about it here-


That’s all from my side hope you have enjoyed it and sorry i couldn’t include memes here but will try to include in next post 😅. If you have any question hit me up here [link]

Thanks Rajesh Ranjan for proof reading.

Feedbacks are always welcome and as always thanks for reading ❤️

Best Regards,