On October 26, 2020, I submitted a security vulnerability report to the Facebook bug bounty program. The submission was rejected as a duplicate. As of today (April 14), it is still not fixed. I just resubmitted, since it seems to have fallen through the cracks or something. However, I consider all my responsible disclosure responsibilities to be discharged.
Once an Oculus Quest or Oculus Quest 2 is logged in to a Facebook account, its login can’t be revoked. There is login-token revocation UI in Facebook’s Settings>Security and Login menu, but changing the account password and revoking the login there does not work.
One practical impact of this is that if your Facebook account is ever compromised, and the attacker uses this vulnerability, they have permanent access.
The other practical impact is that if someone has unsupervised access to your unlocked Quest headset, and they use the built-in web browser to go to facebook.com, they have full access to your Facebook account, including Messenger, without having to do anything special at all. This means that if you’ve ever made a confidentiality agreement regarding something you discussed on Facebook Messenger, you probably can’t lend your headset to anyone, ever.
Additionally, the lock-screen on the Oculus Quest 2 does not have a strict enough rate limit; it gives unlimited tries at 2/minute, so trying all lock-screen combinations takes approximately 35 days. This can be done without network access, and can be automated with some effort. So if someone steals a *locked* Oculus Quest 2, they can also use that to break into your Facebook account. There is almost certainly a much faster way to do this involving disassembling the device, but this is bad enough.
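Added example, not part of the original post or its comments: a defender's comparison of the flat 2-per-minute limit described above with an escalating lockout. The keyspace is only what the post's two figures imply (2/minute for about 35 days); the escalating policy and its parameters are hypothetical, not Oculus or Android behaviour.

```python
# Figures taken from the post.
FLAT_RATE_PER_MIN = 2
DAYS_TO_EXHAUST = 35
# Derived here from those two figures; the post does not state a keyspace.
IMPLIED_KEYSPACE = FLAT_RATE_PER_MIN * 60 * 24 * DAYS_TO_EXHAUST


def flat_delay(prior_failures):
    """Seconds charged per guess under a flat 2/minute limit."""
    return 60.0 / FLAT_RATE_PER_MIN


def escalating_delay(prior_failures, free=5, base=30.0, cap=86400.0):
    """Hypothetical policy: `free` guesses at no cost, then the wait
    doubles on every further failure until it reaches `cap` (one day)."""
    if prior_failures < free:
        return 0.0
    # Clamp the exponent so the power never overflows a float.
    return min(base * 2 ** min(prior_failures - free, 40), cap)


def seconds_to_exhaust(keyspace, delay_fn):
    """Worst case: total enforced wait to try every combination once."""
    return sum(delay_fn(n) for n in range(keyspace))


def guesses_within(budget_seconds, keyspace, delay_fn):
    """How many guesses fit in a given window of physical possession."""
    elapsed, n = 0.0, 0
    while n < keyspace:
        wait = delay_fn(n)
        if elapsed + wait > budget_seconds:
            break
        elapsed += wait
        n += 1
    return n


if __name__ == "__main__":
    week = 7 * 86400
    for name, fn in (("flat", flat_delay), ("escalating", escalating_delay)):
        days = seconds_to_exhaust(IMPLIED_KEYSPACE, fn) / 86400
        tried = guesses_within(week, IMPLIED_KEYSPACE, fn)
        print(f"{name:10s} exhaust={days:,.0f} days  "
              f"one-week coverage={tried / IMPLIED_KEYSPACE:.4%}")
```

Under these assumptions the flat limit lets a one-week window cover a fifth of the implied keyspace, while the escalating policy allows 22 guesses in the same week.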
Is your logic that releasing this heinous vuln into the public is more likely to pressure FB to do something about this? Because if so, I’m not sure that LW is a forum with enough public spotlight to generate pressure. OTOH, I imagine some percentage of readers here aren’t well-aligned but are looking for informational edge, in which case it’s possible this does more harm than good?
I’m not super-confident in this model—e.g., it also seems entirely possible to me that lots of FB security engineers read the site and one or more will be shouting ZOMG! any moment over this.
I’m posting here (cross-posted with my FB wall and Twitter) mostly to vent about it, and to warn people that sharing VR headsets has infosec implications they may not have been aware of. I don’t think this comment will have much effect on Facebook’s actions.