Facebook Exposes 'God Mode' token That Could Push  Data
Reading Time: 4 minutes

Researchers at Brave have discovered, Facebook exposes ‘God Mode’ Token that could push data leading to potential theft, as a result of which they have blocked the installation of a popular Chrome extension called L.O.C. 

The security researchers at Brave in a GitHub Issues post said, “If a user is already logged into Facebook, installing this extension will automatically grant third-party server access to some of the user’s Facebook data. The API used by the extension does not cause Facebook to show a permission prompt to the user before the application’s access token is issued.”

According to the developer, the extension does not harvest information as stated in the extension’s privacy policy. Currently, more than 700,000 users are using the extension. 

Mai, the developer of the extension said, it stores the tokens locally under localStorage.touch. This presents a security risk though does nothing wrong, L.O.C. continues to be available through the Chrome Web Store.

Bad actors on the other hand can manipulate it to harvest Facebook data using the same access method. Since Facebook exposes a plain text token, it grants access to “God Mode”, according to security researcher Zach Edwards.

About Facebook God Mode
According to Mai, Facebook’s Graph API requires a user’s access token to function. With the use of the token users can process their own Facebook data such as downloading their messages, as the extension sends a GET request to Creator Studio for Facebook.  An access token is returned to the extension which allows the Facebook user to further programmatically interact with Facebook data.

In his response to Brave’s GitHub post, he said, “The access token is within the HTML of that page. Any Facebook user can really just go to view-source:https://business.facebook.com/creatorstudio/home and view the access token in there.”

Facebook earlier in 2018 got itself in a similar scandal when 50 million Facebook accounts were scrapped due to a token exposure, Yet Facebook considers this to be a feature and not a bug. 

Earlier on April 9, 2019, Mai also reported a token disclosure issue at a different endpoint that enabled the same sort of data access.

Facebook in response said, “In this case, the issue you’ve described is actually just intended functionality and therefore doesn’t qualify for a bounty. 

While Edwards said, “Facebook seems to have not learned their lesson from 2018 and is still exposing a plain text god mode token for every user, on a niche page that specific developers know about. Facebook calls this a feature, but when the first extension developer scrapes and steals data from countless pages and users, will that be when Facebook finally admits it’s a bug just like the 2018 problems?”

The L.O.C. extension, according to Mai, is a helpful tool for those thinking of quitting Facebook. It is used by nearly 700000 users who can download their Facebook conversations, change their post privacy settings, find and remove friends, and other functions.

He has also been banned from Facebook and been contacted by them to accuse him of transferring or sharing user data without consent. Though he maintains he has never done it or buying , selling, or exchange site privileges such as likes, shares, and other aspects of engagement tracked by Facebook and Instagram – which he also denied.

He added, if Facebook can be more reasonable with his Facebook and Instagram account and give him better reasons why his extension is harmful to others, he may consider removing the extension. 

After hearing out Mai’s side of the story, Brave may reconsider its decision to banL.O.C. According to a Brave spokesperson, “We’re working with the extension author on some changes to the extension so that it can be unblocked in Brave.”.

Improper Extensions Still Active
There are several Chrome extensions available that people use, they request permissions on one domain you control and on another, you don’t, and then open a browser tab upon installation that creates an opportunity to scrape API tokens and session IDs for various different types of apps.

Edwards explained, “Facebook just happens to have a legacy web permission hardcoded into a page on their ‘creator studio’ they built, which makes it possible for someone who controls one of these extensions to scrape hundreds of thousands of Facebook tokens, without ever signing up for the Facebook developer program and using the correct/native Facebook app/dev sharing features”

He further added, “Basically, Facebook can’t ‘ban’ an extension, even if Facebook knows the extension should not be allowed to request permissions on facebook.com and their own team thinks it’s malicious.” 

Google currently does not acknowledge that the [Chrome App Store] is overrun with developers requesting permissions on two domains i.e one they control and one they don’t. This practice needs to be stopped or acknowledged publicly by Google as it will help fix problems in the future. 

Edwards concluded by saying both the actions related to Chrome extension permissions and Facebook’s decision to keep the “God Mode” token embedded on a page for years is a serious threat to data theft. 

Though Meta spokesperson has in an email to the Register assured they will be looking into the claims and act in an appropriate manner that will uphold their policies and protect people’s information.

Related Articles:
PHP Everywhere Plugin – RCE Flaws Threaten Thousands of WordPress Sites
CISA, FBI, NSA Issue Advisory on Severe Increase in Ransomware Attacks
New Marlin Backdoor used by Iranian Hackers Using in ‘Out to Sea’ Espionage Campaign