Brave stated that it is prohibiting the installation of the popular Chrome extension L.O.C. because it exposes users' Facebook data to potential theft. "If a user is already logged into Facebook, installing this extension will automatically grant a third-party server access to some of the user's Facebook data," explained Francois Marier, a security engineer at Brave, in a post. "The API used by the extension does not cause Facebook to show a permission prompt to the user before the application's access token is issued."
Loc Mai, the extension's developer, stated in an email that the Graph API on Facebook requires a user's access token to function. The extension sends a GET request to Creator Studio for Facebook to receive the token, which allows users of the extension to automate the processing of their own Facebook data, such as downloading messages. The request returns an access token to the extension for the logged-in Facebook user, allowing additional programmatic interactions with Facebook data.
Zach Edwards, a security researcher, said, "Facebook faced nearly an identical scandal in 2018 when 50 million Facebook accounts were scrapped due to a token exposure." Nonetheless, Facebook appears to regard this data dispensing token as a feature rather than a bug.
According to Mai, his extension does not harvest information, as stated in the extension's privacy policy. Currently, the extension has over 700,000 users. "The extension does not collect the user's data unless the user becomes a Premium user, and the only thing it collects is UID – which is unique to each person," explained Mai.
As per Mai, the extension saves the token locally under localStorage.touch. This is a security concern but is not evidence of wrongdoing. L.O.C. is still available on the Chrome Web Store. A malicious developer, on the other hand, might harvest Facebook data using the same access technique, because Facebook is releasing a plain-text token that grants "god mode," as Edwards describes it.
According to Edwards, Facebook's Terms of Service fall short in this regard because, while the company requires individuals to utilize its app platform, it does not prohibit people from utilizing browser extensions.
This loophole, which exposes user data, is exacerbated by the way Chrome extensions now work. According to Edwards, Chrome extensions can seek authorization on one domain you control and another you don't, and then open a browser tab upon installation to scrape API tokens and session IDs for various types of apps.
