
Hacking

Facebook SDK flaw exposes smartphone users’ accounts at risk

Experts from MetaIntell have discovered a critical vulnerability in the latest version of Facebook SDK which exposes millions of Facebook accounts at risk.

Security experts from MetaIntell have discovered a significant security vulnerability in the latest version of the Facebook SDK, which affects numerous iOS and Android apps and puts millions of Facebook users’ authentication tokens at risk. The researchers dubbed the vulnerability “Social Login Session Hijacking”; an attacker could use it to access a victim’s Facebook account information by stealing the access token and hijacking the session.

“MetaIntell, the leader in intelligence-led Mobile Risk Management (MRM), announced today that it has uncovered a significant security vulnerability in the Facebook SDK (V3.15.0) for both iOS and Android. Dubbed Social Login Session Hijacking, when exploited this vulnerability allows an attacker access to a user’s Facebook account using a session hijacking method that leverages the Facebook Access Token (FAT),” reports MetaIntell in its blog post.

The Facebook SDK allows easy integration of mobile apps with the Facebook platform, in particular to implement Login with Facebook authentication and to read from and write to the Facebook APIs. The “Login as Facebook” authentication mechanism is Facebook’s implementation of the open authorization standard OAuth, which gives client applications “secure delegated access” to resources on behalf of a resource owner.

Through the “Login as Facebook” mechanism, users can sign into third-party apps without sharing their passwords. Once they approve the permissions requested by the application, the Facebook SDK runs the OAuth 2.0 User-Agent flow to obtain an access token. Mobile apps then use that access token to invoke Facebook APIs and read, modify or write the user’s Facebook data on their behalf.

As explained by the experts, once the app has successfully authenticated with Facebook, a local session token is cached and used to authenticate future sessions. Insecure handling of this session token exposes users to serious risk whenever the apps they use rely on the Facebook SDK for authentication.

The Facebook SDK library stores the session token in an unencrypted format on the device’s file system, where an attacker can easily access it. As explained in the post, any third-party app with permission to access the device file system can steal the token remotely. The experts have also published a video PoC on YouTube demonstrating the reported vulnerability in the VoIP app Viber for iOS.

Researchers at MetaIntell have identified that 71 of the top 100 free iOS apps use the Facebook SDK and are therefore affected by the vulnerability, impacting over 1.2 billion downloads of these apps. The situation on Android is also worrying: of the top 100 Android apps, 31 use the Facebook SDK, leaving over 100 billion downloads of these apps vulnerable.

“It’s difficult to quantify the pervasiveness of this problem as not all iOS and Android apps utilize the Facebook SDK. However, from our analysis, the SDK is widely used and, given the type of vulnerability, represents a substantial threat as it opens the door to imparting substantial damage to the reputations and brands of both individuals and organizations,” stated Chilik Tamir, chief architect, research and development for MetaIntell, who identified and named this flaw in both the Facebook SDK for iOS and the Facebook SDK for Android.

MetaIntell has informed the Facebook Security team, but it seems that Facebook has not yet planned the distribution of a security update to fix the flaw.

“I followed up with our Platform team to see if there were any changes they wanted to make here:
– On the Android side we‘ve concluded that we will not be making any changes: we are comfortable with the level of security provided by the Android OS.
– On the iOS side the team is exploring the possibility of moving the access token storage to the keychain in order to comply with best practices,” Facebook replied to MetaIntell after the vulnerability report.

While waiting for a security update, mobile app users are advised not to use the ‘Facebook Login’ option within mobile apps and to disallow apps from using their Facebook login.

Pierluigi Paganini

(Security Affairs –  Facebook SDK, mobile)