Experts from MetaIntell have discovered a critical vulnerability in the latest version of Facebook SDK which exposes millions of Facebook accounts at risk.
Security experts from MetaIntell have discovered a significant security vulnerability in the latest version of Facebook SDK, which affects numerous iOS and Android apps exposing millions of Facebook user’s Authentication Tokens at risk. The researchers dubbed the vulnerability “Social Login Session Hijacking,”, it could be used by an attacker to access victim’s Facebook account information using access token and session hijacking method.
“MetaIntell, the leader in intelligent led Mobile Risk Management (MRM), announced today that it has uncovered a significant security vulnerability in the Facebook SDK (V3.15.0) for both iOS and Android. Dubbed Social Login Session Hijacking, when exploited this vulnerability allows an attacker access to a user’s Facebook account using a session hijacking method that leverages the Facebook Access Token (FAT).” reports MetaIntell in the blog post.
The Facebook SDK allows the easy integration of mobile apps with Facebook platform, in particular to implement Login with Facebook authentication and reading and writing to Facebook APIs. The “Login as Facebook” authentication mechanism is the Facebook implementation of the open standard for authorization OAuth which provides client applications a ‘secure delegated access’ to resources on behalf of a resource owner.
Through “Login as Facebook” mechanism users can sign into 3rd party apps without sharing their passwords, once they approve the permissions as requested by the application, the Facebook SDK implements the OAuth 2.0 User-Agent flow in order to gain the access token. The access token is used by mobile apps to invoke Facebook SDK APIs to read, modify or write user’s Facebook data on their behalf.
As explained by the experts, once the app has successfully authenticated with Facebook, a local session token is cached and used to authenticate future sessions. The insecure management of this session token exposes users to serious risks if user’s apps are using the Facebook SDK for user authentication.
Facebook SDK Library stores the session token in an unencrypted format on the device’s file system, an attacker can easily access it. As explained in the post, any third party app with permission to access device file system can steal the token remotely. The experts have also published a Video POC on Youtube demonstrating the reported vulnerability in VOIP app VIBER for iOS.
Researchers at MetaIntell has identified that 71 of the top 100 free iOS apps use the Facebook SDK so they are affected by the vulnerability, impacting the over 1.2 billion downloads of these apps. Analyzing the situation for Android OS it is possible to discover also a worrying situation, of the top 100 Android apps, 31 utilize the Facebook SDK and therefore make vulnerable the over 100 billion downloads of these apps.
“It’s difficult to quantify the pervasiveness of this problem as not all iOS and Android apps utilize the Facebook SDK,” “However, from our analysis, the SDK is widely used and given the type vulnerability, represents a substantial threat as it opens the door to imparting substantial damage to the reputations and brands of both individuals and organizations.”stated Chilik Tamir, chief architect, research and development for MetaIntell, identified and duly named this flaw in both the Facebook SDK for iOS and Facebook SDK for Android.
MetaIntell company has informed the Facebook Security team, but it seems that Facebook hasn’t planned yet the distribution of a security update to fix the flaw.
“I followed up with our Platform team to see if there were any changes they wanted to make here: – On the Android side we‘ve concluded that we will not be making any changes: we are comfortable with the level of security provided by the Android OS. – On the iOS side the team is exploring the possibility of moving the access token storage to the keychain in order to comply with best practices.” Facebook replied to MetaIntell after vulnerability report.
Waiting for a security update, it is suggested to Mobile app users to do not use ‘Facebook Login’ option within Mobile apps and disallow apps to use their Facebook login.