Facebook SDK Vulnerability Allows Account Hijacking

Facebook SDK Vulnerability Allows Account Hijacking, MetaIntell have discovered a vulnerability in the latest version of Facebook SDK (v3.15.0), which put billions of Facebook users at risk. The vulnerability allows the attacker to hijack Facebook user's Authentication token which can be used to hijack Facebook account of users.

Admin

July 04, 2014

Facebook vulnerability, Facebook app hacked, Facebook token hacked, Facebook login hacked, Facebook security, Facebook sdk vulnerability

Security researcher from MetaIntell have discovered a vulnerability in the latest version of Facebook SDK (v3.15.0), which put billions of Facebook users at risk. The vulnerability allows the attacker to hijack Facebook user's Authentication token which can be used to hijack Facebook account of users.

There are tonnes of the mobile apps that use Facebook SDK which supports for login with Facebook authentication. As Facebook sdk is one of the easiest way to integrate mobile apps with Facebook plateform, hence millions of users use it to authenticate on apps.

Researcher Dubbed the vulnerability as "Social Login Session Hijacking", when exploited this vulnerability allows an attacker access to a user’s Facebook account using a session hijacking method that leverages the Facebook Access Token (FAT).

Stored, Token Unencrypted

As the access token is a secret token of Facebook users, which allows to login to the users account. And the latest version of SDK stored these secret token unencrypted, researcher says. Researchers found that Facebook SDK Library stores it in an unencrypted format on the device’s file system, which can be accessed easily even on a non-rooted Android or jailed iOS Device.

All the Android and iOS apps are vulnerable which are using Facebook latest SDK for app login, which stores the users access token unencrypted on device. Researchers explained -

MetaIntell has identified that 71 of the top 100 free iOS apps use the Facebook SDK and are vulnerable, impacting the over 1.2 billion downloads of these apps. Of the top 100 Android apps, 31 utilize the Facebook SDK and therefore make vulnerable the over 100 billion downloads of those apps.

Did MetaIntell Report the Vulnerability?
MetaIntell have found the vulnerability in May 2014, Researcher Tamir, and his team conducted further research to confirm it and evaluate the pervasiveness of the problem. After the confirmation of the vulnerability and its severity, MetaIntell had reported the vulnerability to Facebook Security Team.
Facebook replied with the following statement to MetaIntell -

“I followed up with our Platform team to see if there were any changes they wanted to make here: - On the Android side we've concluded that we will not be making any changes: we are comfortable with the level of security provided by the Android OS. - On the iOS side the team is exploring the possibility of moving the access token storage to the keychain in order to comply with best practices.”

Video Demonstration
Researcher have show a video demostration of the vulnerability on
Caution To Take
MetaIntell team have recommend all users not to use Facebook Login option with mobile apps. They recommend IT staff to alert their company employees about this vulnerability and advise them to discontinue using the Facebook login for apps.