On September 28, 2018, Facebook announced a security issue affecting almost 50 million user accounts. On the Azure AD B2C team, we’ve been carefully watching this developing story, particularly regarding any potential impact it could have on our own customers.
In our analysis of the situation and the data available so far, we have found no evidence that Azure AD B2C’s integration with Facebook is vulnerable to this exploit. This is due to the way Azure AD B2C acquires user access tokens from Facebook. We will go into further detail on this below.
Background
Any application using Azure AD B2C will be consuming tokens issued by B2C, even when they have configured Facebook as an identity provider. As a result, the point to consider is whether or not Azure AD B2C can be made to directly consume a Facebook access token.
Azure AD B2C integrates with Facebook using the OAuth2 Confidential Client flow. In this flow, the end user’s browser does not acquire an access token directly. Instead, they acquire an “authorization code”, which is sent to B2C by the user’s browser. B2C then does a service-to-service call to redeem the authorization code for an access token. As a result, B2C only accepts access tokens that it acquires itself from Facebook directly.
Since B2C does not accept access tokens from the end user, the exploit that Facebook has described does not apply – even if an attacker presented B2C with the access token of another Facebook user, B2C is not configured to accept it to authenticate the user.
Going forward
We will continue to monitor the situation as more details arise from Facebook as part of our commitment to our customers.