CVE-2013-4593
Description
RubyGem omniauth-facebook has an access token security vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
omniauth-facebook ≤ 1.5.0 accepts a raw access token from the request's query parameters without checking that it was obtained through the application's own OAuth2 flow, so an attacker who holds a token for a victim can bypass authentication and sign in to the relying application as that user.
Vulnerability
Description
CVE-2013-4593 is a security vulnerability in the RubyGem omniauth-facebook, versions 1.5.0 and earlier. The gem implements a Facebook OAuth2 strategy for OmniAuth. The flaw lies in the build_access_token method, which read an access token straight from the request's `access_token` parameter and wrapped it in an OAuth2::AccessToken object with no server-side check that Facebook had issued that token to this application. This short-circuits the standard OAuth2 authorization flow: whatever token the requester supplied was treated as proof of the user's identity [3][4].
Exploitation
Conditions
An attacker who holds a valid Facebook access token for a victim's account can exploit this by sending a request to the application's OmniAuth callback with that token in the `access_token` query parameter. The vulnerable gem wraps the supplied token without verifying that it came out of the legitimate OAuth2 handshake, so the application completes the login as the token's owner. No other authentication is required, and the attacker sends the crafted request directly rather than needing the victim to visit anything; the only prerequisite is a token for the victim, for example one obtained through phishing, session hijacking or a compromised client [3].
Impact
Successful exploitation lets the attacker be authenticated to the relying application as whichever Facebook user the supplied token belongs to, so it is the application's account that is taken over. Depending on the token's scope, the attacker can also reach the user's profile, posts and other data exposed through the Facebook Graph API. Because the token is accepted as identity proof, the entire authentication mechanism is undermined, and account takeover and data exposure follow directly [2][3].
Mitigation
The vulnerability was fixed in omniauth-facebook 1.5.1. The fix deletes the branch of build_access_token that accepted an `access_token` query parameter, leaving token acquisition only via a signed request (whose HMAC binds it to the app secret) or the normal OAuth2 callback [4]. Upgrade to 1.5.1 or later; the version pinned in Gemfile.lock is the place to check. No workaround other than upgrading is documented, and applications that relied on posting a client-obtained token to the callback must move to the signed-request or server-side code flow.
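To make the flaw described above and the shape of the fix concrete, here is an added, self-contained Ruby example. It is not the gem's code: it re-implements the form of build_access_token before and after the patch against a stand-in request object, together with a small HMAC-SHA256 signed_request implementation in the Facebook style (assumed format: base64url(signature).base64url(JSON payload), with the signature computed over the encoded payload using the app secret, and the token carried under an `oauth_token` key). The APP_SECRET value and all request data are constructed for the demo; the gem's real fallback to the OAuth2 code exchange is omitted because it needs the network.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed demo secret, not a real credential (assumption for this example).
APP_SECRET = "example-app-secret-not-real".freeze

# Minimal stand-ins for the objects the strategy touches: only `params` on the
# request and `token` on the access token matter here.
Request = Struct.new(:params)
AccessToken = Struct.new(:token)

def base64url_encode(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def base64url_decode(str)
  Base64.urlsafe_decode64(str + "=" * ((4 - str.length % 4) % 4))
end

# Constant-time byte comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Build a Facebook-style signed_request: base64url(sig).base64url(json), the
# signature being HMAC-SHA256 over the encoded payload keyed with the app secret.
def make_signed_request(payload, secret)
  encoded = base64url_encode(JSON.generate(payload))
  sig = OpenSSL::HMAC.digest("SHA256", secret, encoded)
  "#{base64url_encode(sig)}.#{encoded}"
end

# Verify and parse a signed_request. Returns the payload hash, or nil when the
# value is malformed, the signature does not match, or the algorithm is wrong.
def parse_signed_request(value, secret)
  return nil unless value.is_a?(String) && value.include?(".")
  sig_b64, payload_b64 = value.split(".", 2)
  expected = OpenSSL::HMAC.digest("SHA256", secret, payload_b64)
  return nil unless secure_equal?(base64url_decode(sig_b64), expected)
  payload = JSON.parse(base64url_decode(payload_b64))
  return nil unless payload.is_a?(Hash) && payload["algorithm"] == "HMAC-SHA256"
  payload
rescue ArgumentError, JSON::ParserError
  nil
end

# Pre-1.5.1 shape of build_access_token (modelled on the branch the patch
# removes): a bare access_token query parameter is wrapped into a token object
# with no check that Facebook issued it to this application.
def build_access_token_vulnerable(request, secret)
  if (token = request.params["access_token"])
    AccessToken.new(token)
  elsif (sr = parse_signed_request(request.params["signed_request"], secret)) && sr["oauth_token"]
    AccessToken.new(sr["oauth_token"])
  end
end

# 1.5.1 shape: only a token carried inside a correctly signed request is
# accepted, because the signature binds it to this app's secret.
def build_access_token_fixed(request, secret)
  sr = parse_signed_request(request.params["signed_request"], secret)
  return nil unless sr && sr["oauth_token"]
  AccessToken.new(sr["oauth_token"])
end

# Exercise the cases an attacker and a legitimate client would produce.
def demo(secret = APP_SECRET)
  attacker_token = "token-the-attacker-already-holds" # constructed
  legit = make_signed_request(
    { "algorithm" => "HMAC-SHA256", "oauth_token" => "token-from-facebook", "user_id" => "42" },
    secret
  )
  # Flip the first character of the signature to simulate a forged value.
  sig, body = legit.split(".", 2)
  forged = "#{sig[0] == 'A' ? 'B' : 'A'}#{sig[1..-1]}.#{body}"
  {
    vuln_param: build_access_token_vulnerable(Request.new({ "access_token" => attacker_token }), secret)&.token,
    fixed_param: build_access_token_fixed(Request.new({ "access_token" => attacker_token }), secret)&.token,
    fixed_signed: build_access_token_fixed(Request.new({ "signed_request" => legit }), secret)&.token,
    fixed_forged: build_access_token_fixed(Request.new({ "signed_request" => forged }), secret)&.token,
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The vulnerable builder hands back whatever string arrived in `access_token`, which is exactly the point of the CVE: the relying application has no way to tell that token apart from one it obtained itself. The fixed builder returns nil for the same request, accepts a token only when the HMAC over the payload verifies under the app secret, and rejects a signed_request whose signature has been altered.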
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| omniauth-facebook (RubyGems) | < 1.5.1 | 1.5.1 |
Affected products
- omniauth-facebook/omniauth-facebook (v5), range: <= 1.5.0
Patches
- 115c0a768cd6: this does not provide authentication, should not be used
2 files changed · +1 −22
lib/omniauth/strategies/facebook.rb+1 −6 modified@@ -57,12 +57,7 @@ def raw_info end def build_access_token - if access_token = request.params["access_token"] - ::OAuth2::AccessToken.from_hash( - client, - {"access_token" => access_token}.update(access_token_options) - ) - elsif signed_request_contains_access_token? + if signed_request_contains_access_token? hash = signed_request.clone ::OAuth2::AccessToken.new( client,
test/test.rb+0 −16 modified@@ -469,20 +469,4 @@ def setup assert_equal @payload['expires'], result.expires_at end end - - class ParamsContainAccessTokenStringTest < TestCase - def setup - super - - @request.stubs(:params).returns({'access_token' => 'm4c0d3z'}) - - strategy.stubs(:callback_url).returns('/') - end - - test 'returns a new access token' do - result = strategy.build_access_token - assert_kind_of ::OAuth2::AccessToken, result - assert_equal 'm4c0d3z', result.token - end - end end
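Review bot: in the lib/omniauth/strategies/facebook.rb hunk, deleting the `request.params["access_token"]` branch outright is the right call rather than narrowing it, because the removed lines pass the raw string straight into `::OAuth2::AccessToken.from_hash(client, {"access_token" => access_token}.update(access_token_options))` with nothing that ties the token to this application's client, whereas the `signed_request_contains_access_token?` path that remains is bound to the app secret. The change is silent for integrators, though: a request that still carries `access_token` now simply falls through to the other branches of the method instead of failing loudly, so a CHANGELOG entry and a README note that the parameter is no longer honoured would help.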
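Review bot: in the test/test.rb hunk, dropping `ParamsContainAccessTokenStringTest` leaves the fix without a regression test; the stubs it used, `@request.stubs(:params).returns({'access_token' => 'm4c0d3z'})` and `strategy.stubs(:callback_url).returns('/')`, can be kept in a renamed test whose assertion is inverted, checking that `build_access_token` no longer returns a token whose `token` is `'m4c0d3z'` for a request that supplies only that parameter, so the vulnerable branch cannot quietly come back.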
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-33vg-hpx5-pfxg (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2013-4593
- www.openwall.com/lists/oss-security/2013/11/18/6
- access.redhat.com/security/cve/cve-2013-4593
- exchange.xforce.ibmcloud.com/vulnerabilities/89040
- github.com/simi/omniauth-facebook/commit/115c0a768cd6f4b9bfae8900f8e3fc4fbeec3ad8 (fix commit)
- security-tracker.debian.org/tracker/CVE-2013-4593
News mentions
No linked articles in our index yet.