
The Hacker News - Cybersecurity News and Analysis: Facebook Apps

Is Facebook Secretly Accessing Your iPhone's Camera? Some Users Claimed

November 12, 2019 by Wang Wei
It appears that Facebook is at the center of yet another issue involving privacy. Reportedly, multiple iPhone users have come forward on social media complaining that the Facebook app secretly activates their smartphone's camera in the background while they scroll through their Facebook feeds or look at photos on the social network. As shown in the Twitter videos below, when users click on an image or video on the social network to view it full screen and then return it to normal, an issue with the Facebook app for iOS slightly shifts the app to the right. It opens a space on the left from where users can see the iPhone's camera activated in the background. However, at this moment, it's not clear if it's just a UI bug where the Facebook app incorrectly accesses only the camera interface, or if it also records or uploads something, which, if proven right, would be the most disastrous moment in Facebook's history. Found a @facebook #security & #pri

Facebook Now Pays Hackers for Reporting Security Bugs in 3rd-Party Apps

October 16, 2019 by Mohit Kumar
Following a series of security mishaps and data abuse through its social media platform, Facebook is today expanding its bug bounty program in a very unique way to beef up the security of third-party apps and websites that integrate with its platform. Last year, Facebook launched the "Data Abuse Bounty" program to reward anyone who reports valid events of 3rd-party apps collecting Facebook users' data and passing it off to malicious parties, violating Facebook's revamped data policies. Apparently, it turns out that most of the time, Facebook users' data that had been misused was exposed in the first place as the result of a vulnerability or security weakness in third-party apps or services. The Facebook ecosystem contains millions of third-party apps, and unfortunately, very few of them have a vulnerability disclosure program or offer bug bounty rewards to white-hat hackers for responsibly reporting bugs in their codebase. Because of this communication g

Viral FaceApp Unnecessarily Requests Access to Users' Facebook Friends List

July 29, 2019 by Mohit Kumar
FaceApp—the AI-powered photo-morphing app that recently went viral for its age filter but hit the headlines for its controversial privacy policy—has been found collecting the list of your Facebook friends for no reason. The Russian-made FaceApp has been around since the spring of 2017 but has taken social media by storm over the course of the past few weeks as millions of people downloaded the app to see how they would look when they are older or younger, or swap genders. The app also contains a feature that allows users to download and edit photos from their Facebook accounts, which only works when a user enables FaceApp to access the social media account via the 'Login with Facebook' option. As you can see in the screenshot above, besides requesting access to your basic profile information and photos, FaceApp also fetches the list of your Facebook friends "who also use and have shared their friends' lists with FaceApp." Have you yet asked yourself why

Facebook Agrees to Pay $5 Billion Fine and Setup New Privacy Program for 20 Years

July 24, 2019 by Mohit Kumar
The Federal Trade Commission (FTC) today officially confirmed that Facebook has agreed to pay a record-breaking $5 billion fine over privacy violations surrounding the Cambridge Analytica scandal. Besides the multibillion-dollar penalty, the company has also accepted a 20-year-long agreement that requires it to implement a new organizational framework designed to strengthen its data privacy practices and policies. The agreement requires Facebook to make some major structural changes, as explained below, that will hold the company accountable for the decisions it makes about its users' privacy and information it collects on them. "The order requires Facebook to restructure its approach to privacy from the corporate board-level down, and establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy and that those decisions are subject to meaningful oversight," the FTC said in a press release. Ac

540 Million Facebook User Records Found On Unprotected Amazon Servers

April 03, 2019 by Mohit Kumar
It's been a bad week for Facebook users. First, the social media company was caught asking some of its new users to share passwords for their registered email accounts, and now the bad week gets worse with a new privacy breach. More than half a billion records of millions of Facebook users have been found exposed on unprotected Amazon cloud servers. The exposed datasets do not directly come from Facebook; instead, they were collected and insecurely stored online by third-party Facebook app developers. Researchers at the cybersecurity firm UpGuard today revealed that they discovered two datasets—one from a Mexican media company called Cultura Colectiva and another from a Facebook-integrated app called "At the pool"—both left publicly accessible on the Internet. More than 146 GB of data collected by Cultura Colectiva contains over 540 million Facebook user records, including comments, likes, reactions, account names, Facebook user IDs, and more. The

New Facebook Bug Exposed 6.8 Million Users Photos to Third-Party Apps

December 14, 2018 by Mohit Kumar
Facebook's latest screw-up — a programming bug in the Facebook website accidentally gave 1,500 third-party apps access to the unposted Facebook photos of as many as 6.8 million users. Facebook today quietly announced that it discovered a new API bug in its photo-sharing system that let 876 developers access users' private photos which they never shared on their timeline, including images uploaded to Marketplace or Facebook Stories. "When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories," Facebook said. What's worse? The bug even exposed photos that people uploaded to Facebook but chose not to post or didn't finish posting for some reason. The flaw left users' private data exposed for 12 days, between September 13th an

Facebook Finds 'No Evidence' Hackers Accessed Connected Third-Party Apps

October 03, 2018 by Swati Khandelwal
When Facebook last weekend disclosed a massive data breach—that compromised access tokens for more than 50 million accounts—many feared that the stolen tokens could have been used to access other third-party services, including Instagram and Tinder, through Facebook login. The good news is that Facebook found no evidence "so far" that proves such claims. In a blog post published Tuesday, Facebook security VP Guy Rosen revealed that investigators "found no evidence" of hackers accessing third-party apps with its "Login with Facebook" feature. "We have now analyzed our logs for all third-party apps installed or logged in during the attack we discovered last week. That investigation has so far found no evidence that the attackers accessed any apps using Facebook Login," Rosen says. This does not mean that the stolen access tokens that had already been revoked by Facebook do not pose any threat to thousands of third-party services using Face

Reminder—Third Party Gmail Apps Can Read Your Emails, "Allow" Carefully!

July 03, 2018 by Mohit Kumar
Reminder—If you've forgotten about any Google app after using it once a few years ago, be careful, it may still have access to your private emails. When it comes to privacy on social media, we usually point fingers at Facebook for enabling third-party app developers to access users' personal information—even with users' consent. But Facebook is not alone. Google also has a ton of information about you and this massive pool of data can be accessed by third-party apps you connect to, using its single sign-on service. Though Google has much stricter privacy policies about what developers can do with your data, the company still enables them to ask for complete access to your Google account, including the content of your emails and contacts. The entire Facebook Cambridge Analytica privacy saga highlights how crucial it is to keep track of the apps you have connected to your social media accounts and permitted to access your data. Last year, Google itself prom

Another Facebook Quiz App Left 120 Million Users' Data Exposed

June 28, 2018 by Swati Khandelwal
People are still getting over the most controversial data scandal of the year, i.e., the Cambridge Analytica scandal, and Facebook is under fire yet again after it emerged that a popular quiz app on the social media platform exposed the private data of up to 120 million users for years. Facebook was in controversy earlier this year over a quiz app that sold data of 87 million users to a political consultancy firm, which reportedly helped Donald Trump win the US presidency in 2016. Now, a different third-party quiz app, called NameTests, was found exposing data of up to 120 million Facebook users to anyone who happened to find it, an ethical hacker revealed. NameTests[.]com, the website behind popular social quizzes, like "Which Disney Princess Are You?" that has around 120 million monthly users, uses Facebook's app platform to offer a fast way to sign up. Just like any other Facebook app, signing up on the NameTests website using their app allows the company to fetch neces

Facebook and Cambridge Analytica – What's Happened So Far

March 23, 2018 by Swati Khandelwal
Top Story—Facebook has just lost over $60 billion in market value over the past two days—that's more than Tesla's entire market capitalisation and almost three times that of Snapchat. Facebook shares plunged over revelations that personal data of 50 million users was obtained and misused by British data analytics firm 'Cambridge Analytica,' which reportedly helped Donald Trump win the US presidency in 2016. The privacy scandal that rocked the social media giant was revealed earlier this week when Chris Wylie, the 28-year-old data scientist who worked with a Cambridge University academic, turned into a whistleblower and leaked to the newspapers how poorly Facebook handles people's private information. Wylie claims Cambridge Analytica created "Steve Bannon's psychological warfare mindf**k tool" that profiles citizens to predict their voting patterns based on the personal information gathered from a variety of sources and then helps political

Have you ever suspected that Facebook is listening to your conversations through Microphone?

June 03, 2016 by Mohit Kumar
Have you ever felt Facebook is showing you very relevant ads about topics you're only discussing around your phone? If yes, then you may find this news worth reading. Communications Professor Kelli Burns from the University of South Florida claims that Facebook is listening to all conversations people have while its app is open to serve more relevant ads for products related to what they are talking about. However, the social networking giant responds that it does listen to audio and collect information from users, but does not record or use sounds heard around people for targeted ads. "Facebook does not use microphone audio to inform advertising or News Feed stories in any way," a Facebook spokesperson said. "Businesses are able to serve relevant ads based on people's interests and other demographic information, but not through audio collection." Facebook rolled out a feature in May of 2014 when the company said that it might target ads "in t

Warning — Facebook Color Changer App is Just a Scam, Infects 10000 Users

August 09, 2014 by Swati Khandelwal
Scammers have again targeted more than one billion active users of the popular social networking giant Facebook, to infect as many victims as possible. This time, an old Facebook scam is back in action once again! The malicious Facebook "Color Changer" app has resurfaced on the popular social networking site Facebook, this time compromising more than 10,000 people worldwide. The malicious app promises to let users change the characteristic blue colour of Facebook's header and interface to one of nine other colours including pink, purple, green, yellow, orange and black, in order to infect users' phones and computers with malicious software. Researchers at China-based Internet company Cheetah Mobile have detected the "Facebook colour changer" that tricks Facebook users into downloading the app via a malicious phishing site. The phishing website targets users in two ways: First of all, it steals the users' Facebook Access Tokens by asking them

Facebook's Internet.Org App Offers Free Internet in Zambia

July 31, 2014 by Mohit Kumar
Earlier this month, the founder of the social networking giant highlighted the future of universal Internet access, the dream that Facebook founder Mark Zuckerberg wants to fulfil, in an effort to make Internet access available to everyone across the world just like a service as essential as 911 in the case of an emergency. Dream comes true! Facebook Inc. (FB) in partnership with Bharti Airtel Ltd. (BHARTI) of India today launches its first Android and web application with free data access to a wide range of services, according to Guy Rosen, a product management director at Facebook. This new offering from Facebook is launching in Zambia before coming to other developing countries eventually, and is provided through a mobile application known as Internet.org, named after a project developed by the world's biggest social networking site to expand Internet access to the developing world. "Right now, only 15% of people in Zambia have access to the internet," Zuckerberg s

Facebook SDK Vulnerability Puts Millions of Smartphone Users' Accounts at Risk

July 03, 2014 by Mohit Kumar
Security researchers from MetaIntell, the leader in intelligent led Mobile Risk Management (MRM), have discovered a major security vulnerability in the latest version of the Facebook SDK that puts millions of Facebook users' authentication tokens at risk. The Facebook SDK for Android and iOS is the easiest way to integrate mobile apps with the Facebook platform, and it provides support for Login with Facebook authentication, reading and writing to Facebook APIs and many more. Facebook OAuth authentication, or the 'Login as Facebook' mechanism, is a personalized and secure way for users to sign into 3rd party apps without sharing their passwords. After the user approves the permissions as requested by the application, the Facebook SDK implements the OAuth 2.0 User-Agent flow to retrieve the user's secret access token required by the apps to call Facebook APIs to read, modify or write the user's Facebook data on their behalf. ACCESSING UNENCRYPTED ACCESS TOKEN: It is important that

Facebook Introduces Anonymous Login to Limit Third-party App Permissions

May 01, 2014 by Swati Khandelwal
We're comfortable in sharing information with our Facebook friends, but it is quite sneaky for Facebook users to offer their identities and credentials when logging in to third-party apps they don't trust. To deal with this issue, the social network giant has plans to improve the way users log in to third-party apps with more privacy controls on the web as well as mobile devices. ANONYMOUS LOGIN: At Facebook's F8 developer conference in San Francisco on Wednesday, keynote speaker and Chief Executive Mark Zuckerberg announced Facebook's new login tool, "Anonymous Login," that would let users sign into apps and websites anonymously without sharing their personal information, the biggest news for Facebook users. "Today, we want to do more to put control and power back into people's hands," Zuckerberg said at the conference. "Up until now, your friends have been able to share your data via using apps. Now we're changing this, so every

Facebook Hacking, technique to Spoof the content of any Facebook App

May 16, 2013 by Mohit Kumar
There are many unpatched loopholes or flaws in the Facebook website that allow hackers to inject external links or images to a wall, hijack any Facebook account or bypass your social privacy. Today we are going to report about another unfixed Facebook app vulnerability that allows a hacker to spoof the content of any Facebook app easily. Nir Goldshlager from Break Security today exposed another major flaw that allows a hacker to wall post spoofed messages from trusted applications like Saavn, Candy Crush, Spotify, Pinterest, or really any other application on Facebook. In 2012, Facebook's method of publishing, called stream.publish, and the Stream Publish Dialog looked like the following: https://www.facebook.com/dialog/stream.publish?app_id=xxxx&redirect_uri=https://www.facebook.com/&action_links=&attachment=%7B%27media%27:%20[%7B%27type%27:%20%27flash%27,%27swfsrc%27:%27https://files.nirgoldshlager.com/goldshlager2.swf%27,%27imgsrc%27:%27https://w