discovered a major security vulnerability in the latest version of Facebook SDK that put millions of Facebook user's Authentication Tokens at risk.
Facebook SDK for Android and iOS is the easiest way to integrate mobile apps with Facebook platform, which provides support for Login with Facebook authentication, reading and writing to Facebook APIs and many more.
Facebook OAuth authentication or 'Login as Facebook' mechanism is a personalized and secure way for users to sign into 3rd party apps without sharing their passwords. After the user approves the permissions as requested by the application, the Facebook SDK implements the OAuth 2.0 User-Agent flow to retrieve the secret user's access token required by the apps to call Facebook APIs to read, modify or write user's Facebook data on their behalf.
Learn Insider Threat Detection with Application Response Strategies
Discover how application detection, response, and automated behavior modeling can revolutionize your defense against insider threats.Join Now
ACCESSING UNENCRYPTED ACCESS TOKEN
It is important that your secret token is never shared with anyone, but researchers found that Facebook SDK Library stores it in an unencrypted format on the device's file system, which can be accessed easily even on a non-rooted Android or jailed iOS Device.
"With just 5 seconds of USB connectivity, Access token is available on iOS via juice jacking attack, no jailbreak needed and on Android file system, it can be accessed via recovery mode which is tricker and require more time." Chilik Tamir, Chief architect for MetaIntell told The Hacker News.
THREAT FROM OTHER APPS
Moreover, any 3rd party smartphone application with permission to access device file system can read this file and able to steal users' Facebook access tokens remotely, he said.
Researchers dubbed the vulnerability as "Social Login Session Hijacking.". Once exploited, could allow an attacker to access victim's Facebook account information using access token and session hijacking method.
VIDEO DEMONSTRATION: STEALING FACEBOOK TOKEN FROM VIBER
Researchers published a Youtube video, demonstrating the reported vulnerability in one of the most popular messaging application 'VIBER' for iOS.
All those iOS and Android apps are vulnerable to this attack, who are using Facebook SDK for app login and storing users unencrypted access token on the device, Chilik Tamir told The Hacker News in an email.
"MetaIntell has identified that 71 of the top 100 free iOS apps use the Facebook SDK and are vulnerable, impacting the over 1.2 billion downloads of these apps. Of the top 100 Android apps, 31 utilize the Facebook SDK and therefore make vulnerable the over 100 billion downloads of these apps." researcher said in a blog post.
PASSIVE RESPONSE FROM FACEBOOK SECURITY TEAM
MetaIntell team has already informed Facebook Security team about the vulnerability, but it seems that Facebook is not in any mood to update their SDK with a fix.
"I followed up with our Platform team to see if there were any changes they wanted to make here: - On the Android side we've concluded that we will not be making any changes: we are comfortable with the level of security provided by the Android OS. - On the iOS side the team is exploring the possibility of moving the access token storage to the keychain in order to comply with best practices." Facebook replied to MetaIntell after bug report.
WHAT TO DO?
Mobile app users are advised to do not use 'Facebook Login' option within Mobile apps and disallow apps to use their Facebook login. App Developers are recommended to move their users' access tokens from device file system to secure online storage with encrypted channel.