MetaIntell has identified that 71 of the top 100 free iOS apps use the Facebook SDK and are vulnerable, affecting the over 1.2 billion downloads of these apps. Of the top 100 Android apps, 31 use the Facebook SDK, leaving the over 100 billion downloads of those apps vulnerable.

Did MetaIntell Report the Vulnerability?
MetaIntell found the vulnerability in May 2014; researcher Tamir and his team then conducted further research to confirm it and to evaluate how widespread the problem was. After confirming the vulnerability and its severity, MetaIntell reported it to the Facebook Security Team.
Facebook replied to MetaIntell with the following statement:
“I followed up with our Platform team to see if there were any changes they wanted to make here:
- On the Android side we've concluded that we will not be making any changes: we are comfortable with the level of security provided by the Android OS.
- On the iOS side the team is exploring the possibility of moving the access token storage to the keychain in order to comply with best practices.”

Video Demonstration
The researchers have shown a video demonstration of the vulnerability on
Caution To Take
The MetaIntell team has recommended that all users stop using the Facebook Login option with mobile apps. They recommend that IT staff alert their company's employees to this vulnerability and advise them to discontinue using Facebook login for apps.