
Facebook SDK Vulnerability Allows Account Hijacking

Security researchers from MetaIntell have discovered a vulnerability in the latest version of the Facebook SDK (v3.15.0) which puts billions of Facebook users at risk. The vulnerability allows an attacker to hijack a Facebook user's authentication token, which can then be used to take over that user's Facebook account.

There are tonnes of mobile apps that use the Facebook SDK to support login with Facebook authentication. As the Facebook SDK is one of the easiest ways to integrate a mobile app with the Facebook platform, millions of users rely on it to authenticate to apps.

The researchers dubbed the vulnerability "Social Login Session Hijacking". When exploited, it gives an attacker access to a user's Facebook account through a session hijacking method that leverages the Facebook Access Token (FAT).

Token Stored Unencrypted
The access token is a secret belonging to the Facebook user: whoever holds it can log in to that user's account. The latest version of the SDK stores this secret token unencrypted, the researchers say. They found that the Facebook SDK library writes it in an unencrypted format to the device's file system, where it can be accessed easily even on a non-rooted Android device or a non-jailbroken iOS device.

All Android and iOS apps that use the latest Facebook SDK for app login are vulnerable, because the SDK stores the user's access token unencrypted on the device. The researchers explained:
MetaIntell has identified that 71 of the top 100 free iOS apps use the Facebook SDK and are vulnerable, impacting the over 1.2 billion downloads of these apps. Of the top 100 Android apps, 31 utilize the Facebook SDK and therefore make vulnerable the over 100 billion downloads of those apps.
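The weakness described above is a token sitting in the clear in an app's local storage. The following audit script is an added example, not code from the article or from MetaIntell: it scans an extracted Android app data directory for SharedPreferences entries that look like an access token stored in plaintext. The preference key names, the regex, the entropy threshold and the sample file are all constructed assumptions; the article does not name the key the Facebook SDK actually used.

```python
"""Audit an extracted app data directory for access tokens stored in the clear."""
import math
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed heuristics: key names that usually hold a session secret, and a
# minimum length for token-like values (both chosen for this example).
TOKEN_NAME_RE = re.compile(r"(access_?token|session|auth)", re.IGNORECASE)
MIN_TOKEN_LEN = 32

# Constructed sample resembling an Android SharedPreferences file in which a
# social-login token has been written without encryption.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="social_access_token">EXAMPLEtoken0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ</string>
    <boolean name="remember_me" value="true" />
</map>
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets typically score above 3.5."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_plaintext_tokens(xml_text) -> list:
    """Return (name, value) pairs of <string> entries that look like a token."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    findings = []
    for elem in ET.fromstring(data).iter("string"):
        name, value = elem.get("name", ""), (elem.text or "").strip()
        suspicious_name = bool(TOKEN_NAME_RE.search(name))
        secret_like = len(value) >= MIN_TOKEN_LEN and shannon_entropy(value) > 3.5
        if suspicious_name or secret_like:
            findings.append((name, value))
    return findings


def audit_data_dir(root: Path) -> dict:
    """Map each shared_prefs XML file under root to its plaintext-token findings."""
    report = {}
    for xml_file in root.glob("**/shared_prefs/*.xml"):
        hits = find_plaintext_tokens(xml_file.read_bytes())
        if hits:
            report[str(xml_file)] = hits
    return report


if __name__ == "__main__":
    for name, value in find_plaintext_tokens(SAMPLE_PREFS):
        print(f"plaintext token candidate: {name} = {value[:8]}...")
```

Run `audit_data_dir(Path("app_data"))` against a directory extracted from a test device to get the same findings per file; a clean result is what you want to see after moving the token into the platform keystore or keychain.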
Did MetaIntell Report the Vulnerability?
MetaIntell found the vulnerability in May 2014. Researcher Tamir and his team then conducted further research to confirm it and to evaluate how pervasive the problem is. After confirming the vulnerability and its severity, MetaIntell reported it to the Facebook Security Team.
Facebook replied to MetaIntell with the following statement:
“I followed up with our Platform team to see if there were any changes they wanted to make here: - On the Android side we've concluded that we will not be making any changes: we are comfortable with the level of security provided by the Android OS. - On the iOS side the team is exploring the possibility of moving the access token storage to the keychain in order to comply with best practices.”
Video Demonstration
The researchers have shown a video demonstration of the vulnerability on
Precautions To Take
The MetaIntell team recommends that all users stop using the Facebook Login option in mobile apps. They also recommend that IT staff alert their company's employees to this vulnerability and advise them to discontinue using Facebook login for apps.
