Facebook SDK flaw exposes smartphone users’ accounts at risk

Experts from MetaIntell have discovered a critical vulnerability in the latest version of Facebook SDK which exposes millions of Facebook accounts at risk.

Security experts¬†from MetaIntell have¬†discovered¬†a significant security vulnerability in the latest version of Facebook SDK, which affects numerous iOS and Android apps exposing millions of Facebook user’s Authentication Tokens at risk. The researchers dubbed the¬†vulnerability¬†‚ÄúSocial Login Session Hijacking,‚ÄĚ, it could be used by an attacker to access victim‚Äôs Facebook account information using access token and¬†session hijacking method.

MetaIntell, the leader in intelligent led Mobile Risk Management (MRM), announced today that it has uncovered a significant security vulnerability in the Facebook SDK (V3.15.0) for both¬†iOS¬†and¬†Android. Dubbed Social Login Session Hijacking, when exploited this vulnerability allows an attacker access to a user‚Äôs Facebook account using a session hijacking method that leverages the Facebook Access Token (FAT).” reports MetaIntell in the blog post.

The Facebook SDK allows the easy integration of mobile apps with Facebook platform, in particular to implement¬†Login with Facebook¬†authentication¬†and reading and writing to Facebook APIs. The “Login as Facebook” authentication mechanism is the Facebook implementation of the open standard for authorization¬†OAuth¬†which¬†provides client applications a ‘secure delegated access’ to resources on behalf of a resource owner.

Through “Login as Facebook”¬†mechanism users can sign into 3rd party apps without sharing their passwords, once they approve the¬†permissions¬†as requested by the application, the Facebook SDK implements the OAuth 2.0 User-Agent flow in order to gain the access token. The access token is used by mobile apps to invoke Facebook SDK APIs to read, modify or write user’s Facebook data on their behalf.
Facebook SDK 2
As explained by the experts, once the¬†app has successfully authenticated¬†with¬†Facebook, a local session token is cached and used to authenticate future sessions. The insecure management of this session token exposes users to serious risks if user’s apps are using the Facebook SDK for user authentication.
Facebook SDK Library stores the session token in an unencrypted format on the device’s file system, an attacker can easily access it.  As explained in the post, any third party app with permission to access device file system can steal the token remotely. The experts have also published a Video POC on Youtube demonstrating the reported vulnerability in VOIP app VIBER for iOS.
Researchers at MetaIntell has identified that 71 of the top 100 free iOS apps use the Facebook SDK so they are affected by the vulnerability, impacting the over 1.2 billion downloads of these apps. Analyzing the situation for Android OS it is possible to discover also a worrying  situation, of the top 100 Android apps, 31 utilize the Facebook SDK and therefore make vulnerable the over 100 billion downloads of these apps.

‚ÄúIt‚Äôs difficult to quantify the pervasiveness of this problem as not all iOS and Android apps utilize the Facebook SDK,‚ÄĚ ‚ÄúHowever, from our analysis, the SDK is widely used and given the type vulnerability, represents a substantial threat as it opens the door to imparting substantial damage to the reputations and brands of both individuals and organizations.‚ÄĚstated¬†Chilik¬†Tamir, chief architect, research and development for¬†MetaIntell, identified and duly named this flaw in both the Facebook SDK for iOS and Facebook SDK for Android.¬†

MetaIntell¬†company has informed the¬†Facebook Security team, but it seems that Facebook hasn’t planned yet the distribution of a security update to fix the flaw.

‚ÄúI followed up with our Platform team to see if there were any changes they wanted to make here: – On the Android¬†side we‘ve concluded that we will not be making any changes: we are comfortable with the level of security provided by the Android OS. – On the iOS side the team is exploring the possibility of moving the access token storage to the¬†keychain¬†in order to comply with best practices.‚ÄĚ Facebook replied to MetaIntell after vulnerability¬†report.

Waiting for a security update, it is suggested to¬†Mobile app users to do not use ‚ÄėFacebook Login‚Äô option within Mobile apps and disallow apps to use their Facebook login.

Pierluigi Paganini

(Security Affairs¬†‚Äď ¬†Facebook SDK,¬†mobile)

Share this information