Facebook SDK Vulnerability Puts Millions Of Smartphone User At Risk

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="articlebodyonly" id="articlebodyonly" itemprop="articleBody"> <div id="aim17492458691728021454"> <div dir="ltr" style="text-align: left;" trbidi="on"> <div style="text-align: justify;"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv1M0NmIpbq8a3n_J52bBn4ToBKbY1DFjb8VKaIXTBjYrZjMaamtppJBkksGuCe6Vx1-O6Z7Rct1q10N5cMVeN_hDWyheSLUPyEyXlfI0jpqaRhrPD6jhSEZDDteeAnYf57j1ViGazv2Q/s1600/facebook-sdk-access-token-hacking.jpg" imageanchor="1" rel="nofollow" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="facebook sdk access token hacking" border="0" height="439" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv1M0NmIpbq8a3n_J52bBn4ToBKbY1DFjb8VKaIXTBjYrZjMaamtppJBkksGuCe6Vx1-O6Z7Rct1q10N5cMVeN_hDWyheSLUPyEyXlfI0jpqaRhrPD6jhSEZDDteeAnYf57j1ViGazv2Q/s728/facebook-sdk-access-token-hacking.jpg" title="facebook sdk access token hacking" width="640" /></a></div> Security researchers from MetaIntell, the leader in intelligent led Mobile Risk Management (MRM), have discovered a major security vulnerability in the latest version of Facebook SDK that put millions of Facebook user's Authentication Tokens at risk.</div> <div style="text-align: justify;"> </div> <div style="text-align: justify;"> Facebook SDK for Android and iOS is the easiest way to integrate mobile apps with Facebook platform, which provides support for Login with Facebook authentication, reading and writing to Facebook APIs and many more.</div> <div style="text-align: justify;"> </div> <div style="text-align: justify;"> Facebook OAuth authentication or ‘<i>Login as Facebook</i>’ mechanism is a personalized and secure way for users to sign into 3rd party apps without sharing their passwords. After the user approves the permissions as requested by the application, the Facebook SDK implements the OAuth 2.0 User-Agent flow to retrieve the secret user’s access token required by the apps to call Facebook APIs to read, modify or write user's Facebook data on their behalf.</div> <div style="text-align: justify;"> </div> </div> </div> <div id="aim27492458691728021454"> <b>ACCESSING UNENCRYPTED ACCESS TOKEN</b> <div style="text-align: justify;"> It is important that your secret token is never shared with anyone, but researchers found that Facebook SDK Library stores it in an unencrypted format on the device’s file system, which can be accessed easily even on a non-rooted Android or jailed iOS Device.</div> <div style="text-align: justify;"> </div> <div style="text-align: justify;"> “<i>With just 5 seconds of USB connectivity, Access token is available on iOS via juice jacking attack, no jailbreak needed and on Android file system, it can be accessed via recovery mode which is tricker and require more time</i>.” Chilik Tamir, Chief architect for MetaIntell told <i>The Hacker News</i>.</div> <div style="text-align: justify;"> <b>THREAT FROM OTHER APPS</b></div> <div style="text-align: justify;"> Moreover, any 3rd party smartphone application with permission to access device file system can read this file and able to steal users’ Facebook access tokens remotely, he said.</div> <div style="text-align: justify;"> </div> <div style="text-align: justify;"> Researchers dubbed the vulnerability as “<b><i>Social Login Session Hijacking.</i></b>”. Once exploited, could allow an attacker to access victim’s Facebook account information using access token and session hijacking method.</div> <div style="text-align: justify;"> </div> <div style="text-align: justify;"> <b>VIDEO DEMONSTRATION: STEALING FACEBOOK TOKEN FROM VIBER</b></div> <div style="text-align: justify;"> Researchers published a Youtube video, demonstrating the reported vulnerability in one of the most popular messaging application ‘<i>VIBER</i>’ for iOS.</div> <div style="text-align: justify;"> <div class="video-container"> <iframe allowfullscreen="" frameborder="0" height="480" src="//www.youtube.com/embed/1fylUF_YUqk" width="640"></iframe></div> </div> <div style="text-align: justify;"> All those iOS and Android apps are vulnerable to this attack, who are using Facebook SDK for app login and storing users unencrypted access token on the device, <a href="https://twitter.com/_coreDump" rel="nofollow" target="_blank">Chilik Tamir</a> told <i>The Hacker News</i> in an email.</div> <blockquote class="tr_bq" style="text-align: justify;"> “<i>MetaIntell has identified that 71 of the top 100 free iOS apps use the Facebook SDK and are vulnerable, impacting the over 1.2 billion downloads of these apps. Of the top 100 Android apps, 31 utilize the Facebook SDK and therefore make vulnerable the over 100 billion downloads of these apps</i>.” researcher said in a blog post.</blockquote> <div style="text-align: justify;"> <b>PASSIVE RESPONSE FROM FACEBOOK SECURITY TEAM</b></div> <div style="text-align: justify;"> MetaIntell team has already informed Facebook Security team about the vulnerability, but it seems that Facebook is not in any mood to update their SDK with a fix.</div> <blockquote class="tr_bq" style="text-align: justify;"> “<i>I followed up with our Platform team to see if there were any changes they wanted to make here: - On the Android side we've concluded that we will not be making any changes: we are comfortable with the level of security provided by the Android OS. - On the iOS side the team is exploring the possibility of moving the access token storage to the keychain in order to comply with best practices.</i>” Facebook replied to MetaIntell after bug report.</blockquote> <div style="text-align: justify;"> <b>WHAT TO DO?</b></div> <div style="text-align: justify;"> Mobile app users are advised to do not use ‘Facebook Login’ option within Mobile apps and disallow apps to use their Facebook login. App Developers are recommended to move their users’ access tokens from device file system to secure online storage with encrypted channel.</div> </div> <div style="margin: 10px 5px 5px 5px;"> </div> </div> </div>

Android Android APP Facebook SmartPhone Facebook SDK Vulnerability Puts Millions Of Smartphone User At Risk

Security researchers from MetaIntell, the leader in intelligent led Mobile Risk Management (MRM), have discovered a major security vulnerability in the latest version of Facebook SDK that put millions of Facebook user's Authentication Tokens at risk…

Read more »