CVE-2024-35232 in facebook
Summary
by MITRE • 05/25/2024
github.com/huandu/facebook is a Go package that fully supports the Facebook Graph API with file upload, batch request and marketing API. access_token can be exposed in an error message when an HTTP request fails. This issue has been patched in version 2.7.2.
Analysis
by VulDB Data Team • 05/25/2024
CVE-2024-35232 affects the github.com/huandu/facebook Go package, a widely used library for interacting with Facebook's Graph API that supports file uploads, batch requests, and marketing API operations. The flaw lies in how the library handles HTTP request failures: when an API call fails, the resulting error message exposes the access token used to authenticate the request. This is a critical oversight that violates basic principles of least privilege and secure error handling.
The defect sits in the client's error-processing path. When an HTTP request to Facebook's API fails, the library includes the access_token parameter in the error it returns or logs, which is an information disclosure. It is classified as CWE-209, "Information Exposure Through an Error Message", the weakness class for error messages that reveal information that should stay confidential. The concern is that access tokens are the primary means of authentication for Graph API operations, so a disclosed token could be used to gain unauthorized access to user data and application resources.
The impact goes beyond simple information disclosure, because a disclosed token is a usable credential. An attacker who can cause HTTP requests made through the vulnerable library to fail could extract access tokens from the resulting error responses and so gain unauthorized access to Facebook applications, user data, and marketing resources. This vulnerability is mapped to ATT&CK technique T1566.001, "Phishing: Spearphishing Attachment", since malicious attachments or payloads could be used to trigger API failures, as could other vectors that cause the library to emit token-bearing error messages.
Organizations using this package face significant risk: exposed access tokens can lead to complete compromise of a Facebook API integration. Any system that relies on github.com/huandu/facebook for Facebook API interactions is affected; version 2.7.2 addresses the issue. Practitioners should identify applications that use the library and upgrade to the patched version as the priority mitigation. They should also review their own error handling so that authentication tokens and other credentials never appear in error messages or logs. The 2.7.2 fix demonstrates the right practice: error messages no longer carry authentication material, closing the disclosure that previously occurred during HTTP request failures.
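As an added illustration (not the package's own code) of the CWE-209 pattern described in the analysis and of the redacting error handling the mitigation paragraph calls for: VulnerableError interpolates the full request URL, token included; SafeError strips sensitive query values before formatting and also scrubs the URL that net/http stores inside *url.Error, which %w would otherwise carry into the message. The function names and the sample token are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Query parameters that must never reach an error string or a log line.
var sensitiveParams = map[string]bool{"access_token": true, "appsecret_proof": true}

// RedactURL replaces the value of every sensitive query parameter in rawURL.
func RedactURL(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "<unparseable url>" // never echo an input we could not parse
	}
	q := u.Query()
	for k := range q {
		if sensitiveParams[k] {
			q.Set(k, "REDACTED")
		}
	}
	u.RawQuery = q.Encode()
	return u.String()
}

// VulnerableError is the CWE-209 pattern: the full request URL, token included,
// is interpolated into the error text (illustrative, not the library's code).
func VulnerableError(rawURL string, cause error) error {
	return fmt.Errorf("facebook: request to %s failed: %w", rawURL, cause)
}

// SafeError redacts the URL before formatting and also scrubs the URL that
// net/http stores in *url.Error, which would otherwise leak through %w.
func SafeError(rawURL string, cause error) error {
	var ue *url.Error
	if errors.As(cause, &ue) {
		ue.URL = RedactURL(ue.URL)
	}
	return fmt.Errorf("facebook: request to %s failed: %w", RedactURL(rawURL), cause)
}

func main() {
	const token = "EAABconstructedSampleToken" // constructed, not a real token
	req := "https://graph.facebook.com/v19.0/me?fields=id&access_token=" + token
	cause := &url.Error{Op: "Get", URL: req, Err: errors.New("connection reset")}
	fmt.Println(VulnerableError(req, cause)) // token visible
	fmt.Println(SafeError(req, cause))       // token redacted
}
```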