the stream

stealing messenger.com sessions to access Facebook accounts

Alexander Bochmann, Wednesday, 22 March 2017
This has been fixed, obviously. Stephen Sclafani describes how he managed to steal messenger.com sessions, which then could be used to access the corresponding Facebook account.

Stephen Sclafani wrote:
It was possible to create a URL that when loaded by a user who was logged into their Facebook account would redirect a nonce for their account to another site. The nonce could then be used to create a messenger.com session for the user. Since messenger.com session cookies are interchangeable with facebook.com this gave full access to the user’s Facebook account.

(Via tedu.)
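The quoted description boils down to a login nonce being forwarded to a redirect target the attacker controls. As an added illustration (not code from Sclafani's writeup or from Facebook), the block below shows the generic defence: before a nonce is appended to a post-login redirect, the target is checked against a fixed allowlist of https origins, and anything else falls back to a known-good URL. The hostnames, the `nonce` parameter name and the fallback URL are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode

# Constructed allowlist: the only hosts a login nonce may ever be forwarded to.
ALLOWED_REDIRECT_HOSTS = {"www.example.com", "messenger.example.com"}
DEFAULT_REDIRECT = "https://www.example.com/"


def is_safe_redirect(target: str) -> bool:
    """True only for an absolute https URL whose host is on the allowlist.

    Relative URLs, scheme-relative URLs (//evil.test), other schemes,
    look-alike hosts (www.example.com.evil.test) and URLs carrying
    userinfo (evil.test@www.example.com) are all rejected.
    """
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if "\\" in parts.netloc:
        return False
    host = parts.hostname  # lower-cased, port and userinfo stripped
    return host is not None and host in ALLOWED_REDIRECT_HOSTS


def build_login_redirect_unchecked(next_url: str, nonce: str) -> str:
    """The vulnerable pattern: the nonce goes wherever the caller points."""
    return f"{next_url}?{urlencode({'nonce': nonce})}"


def build_login_redirect(next_url: str, nonce: str, fallback: str = DEFAULT_REDIRECT) -> str:
    """Hardened variant: only allowlisted targets receive the nonce."""
    if not is_safe_redirect(next_url):
        next_url = fallback
    parts = urlsplit(next_url)
    query = parts.query + ("&" if parts.query else "") + urlencode({"nonce": nonce})
    # Drop any fragment so the nonce is not combined with client-side state.
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", query, ""))


if __name__ == "__main__":
    for candidate in [
        "https://messenger.example.com/login",
        "https://evil.test/?u=https://messenger.example.com",
        "https://messenger.example.com.evil.test/",
        "//evil.test/",
        "https://evil.test@messenger.example.com/",
    ]:
        print(f"{candidate!r:55} safe={is_safe_redirect(candidate)}")
    print(build_login_redirect("https://evil.test/", "constructed-nonce"))
```

Exact-host matching is the point: prefix or suffix checks on the target string are exactly what look-alike hosts and userinfo tricks defeat, and the fallback means a bad target never carries the nonce anywhere at all.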