Brave this week said it is blocking the installation of a popular Chrome extension called L.O.C. because it exposes users' Facebook data to potential theft.
"If a user is already logged into Facebook, installing this extension will automatically grant a third-party server access to some of the user's Facebook data," explained Francois Marier, a security engineer at Brave, in a GitHub Issues post. "The API used by the extension does not cause Facebook to show a permission prompt to the user before the application's access token is issued."
"The extension does not collect the user's data unless the user becomes a Premium user, and the only thing it collects is UID – which is unique to each person," explained Mai.
Mai said the extension stores the token locally, under
localStorage.touch. That presents a security risk but isn't indicative of wrongdoing. L.O.C. continues to be available through the Chrome Web Store.
However, a malicious developer could harvest Facebook data using the same access method, because Facebook is exposing a plain-text token that grants what security researcher Zach Edwards describes as "god mode."
In an email to The Register, Mai explained that Facebook's Graph API requires a user's access token to function. To obtain that token – so users of the extension can automate the processing of their own Facebook data, like downloading their messages – the extension sends a GET request to Creator Studio for Facebook. The request returns an access token to the extension for the logged-in Facebook user, allowing further programmatic interactions with Facebook data.
Mai elaborated on this in response to Brave's GitHub post. "The access token is within the HTML of that page. Any Facebook user can really just go to
view-source:https://business.facebook.com/creatorstudio/home and view the access token in there."
Edwards told The Register, "Facebook faced nearly an identical scandal in 2018 when 50 million Facebook accounts were scraped due to a token exposure." And yet Facebook appears to consider this data dispensing token to be a feature, not a bug.
Mai provided The Register with a copy of the April 9, 2019 email he used to report a token disclosure issue at a different endpoint that enabled the same sort of data access. The response from Facebook security was, "In this case, the issue you've described is actually just intended functionality and therefore doesn't qualify for a bounty."
"Facebook seems to have not learned their lesson from 2018 and is still exposing a plain text god mode token for every user, on a niche page that specific developers know about," said Edwards. "Facebook calls this a feature, but when the first extension developer scrapes and steals data from countless pages and users, will that be when Facebook finally admits it's a bug just like the 2018 problems?"
The Register asked Facebook about the situation and about whether, as Edwards suggests, the company intends to revoke all the tokens obtained from its Creator Studio endpoint. We've not heard back.
Mai said he made the extension to help friends who were thinking of quitting Facebook. The L.O.C. extension, which has more than 700,000 users, lets people download their Facebook conversations, change their post privacy settings, find and remove friends, and other functions.
Mai said he has been banned from Facebook and added the company has contacted him to accuse him of transferring or sharing user data without consent – "I have never done this" – and of buying, selling, or exchanging site privileges such as likes, shares, and other aspects of engagement tracked by Facebook and Instagram – which he also denied.
However, he said, he'd consider removing his extension "if Facebook was more reasonable with my Facebook account and Instagram account and if they provided me with better reasons why my extension is harmful for others."
The Register asked Brave whether it intends to reconsider its ban of L.O.C. based on Mai's explanation of what's going on. A Brave spokesperson said, “We’re working with the extension author on some changes to the extension so that it can be unblocked in Brave.”.
Improper extensions still an issue
Edwards said Facebook's Terms of Service falls short here because while the company insists people use its app platform, it doesn't prevent people from using browser extensions.
And this gap that exposes user data is compounded by the way Chrome extensions currently work. As Edwards describes it, Chrome extensions can request permissions on one domain you control and on another you don't, and then open a browser tab upon installation that creates an opportunity to scrape API tokens and session IDs for various different types of apps.
"Facebook just happens to have a legacy web permission hardcoded into a page on their 'creator studio' they built, which makes it possible for someone who controls one of these extensions to scrape hundreds of thousands of Facebook tokens, without ever signing up for the Facebook developer program and using the correct/native Facebook app/dev sharing features," explained Edwards.
"Basically, Facebook can't 'ban' an extension, even if Facebook knows the extension should not be allowed to request permissions on facebook.com and their own team thinks it's malicious," he added.
"And currently, Google doesn't want to acknowledge that the [Chrome App Store] is overrun with developers requesting permissions on two domains, one they control and one they don't. This is the practice that just needs to stop as fast as possible or be acknowledged publicly by Google so they can explain any future fixes to prevent these problems."
Edwards said between the broad scope of Chrome extension permissions and the bewildering decision by Facebook to keep this "god mode" token embedded on a page for years after being alerted to the problem, it's a perfect storm for data theft.
Updated to add
After this story was published, a Meta spokesperson emailed to say, “We’re looking into these claims and will take action as appropriate to uphold our policies and protect people’s information.”