Facebook SDK flaw exposes smartphone users’ accounts at risk

July 5, 2014  By Pierluigi Paganini


Experts from MetaIntell have discovered a critical vulnerability in the latest version of Facebook SDK which exposes millions of Facebook accounts at risk.

Security experts from MetaIntell have discovered a significant security vulnerability in the latest version of Facebook SDK, which affects numerous iOS and Android apps exposing millions of Facebook user’s Authentication Tokens at risk. The researchers dubbed the vulnerability “Social Login Session Hijacking,”, it could be used by an attacker to access victim’s Facebook account information using access token and session hijacking method.
MetaIntell, the leader in intelligent led Mobile Risk Management (MRM), announced today that it has uncovered a significant security vulnerability in the Facebook SDK (V3.15.0) for both iOS and Android. Dubbed Social Login Session Hijacking, when exploited this vulnerability allows an attacker access to a user’s Facebook account using a session hijacking method that leverages the Facebook Access Token (FAT).” reports MetaIntell in the blog post.

The Facebook SDK allows the easy integration of mobile apps with Facebook platform, in particular to implement Login with Facebook authentication and reading and writing to Facebook APIs. The “Login as Facebook” authentication mechanism is the Facebook implementation of the open standard for authorization OAuth which provides client applications a ‘secure delegated access’ to resources on behalf of a resource owner.

Through “Login as Facebook” mechanism users can sign into 3rd party apps without sharing their passwords, once they approve the permissions as requested by the application, the Facebook SDK implements the OAuth 2.0 User-Agent flow in order to gain the access token. The access token is used by mobile apps to invoke Facebook SDK APIs to read, modify or write user’s Facebook data on their behalf.
Facebook SDK 2
As explained by the experts, once the app has successfully authenticated with Facebook, a local session token is cached and used to authenticate future sessions. The insecure management of this session token exposes users to serious risks if user’s apps are using the Facebook SDK for user authentication.
Facebook SDK Library stores the session token in an unencrypted format on the device’s file system, an attacker can easily access it.  As explained in the post, any third party app with permission to access device file system can steal the token remotely. The experts have also published a Video POC on Youtube demonstrating the reported vulnerability in VOIP app VIBER for iOS.

Researchers at MetaIntell has identified that 71 of the top 100 free iOS apps use the Facebook SDK so they are affected by the vulnerability, impacting the over 1.2 billion downloads of these apps. Analyzing the situation for Android OS it is possible to discover also a worrying  situation, of the top 100 Android apps, 31 utilize the Facebook SDK and therefore make vulnerable the over 100 billion downloads of these apps.
“It’s difficult to quantify the pervasiveness of this problem as not all iOS and Android apps utilize the Facebook SDK,” “However, from our analysis, the SDK is widely used and given the type vulnerability, represents a substantial threat as it opens the door to imparting substantial damage to the reputations and brands of both individuals and organizations.”stated Chilik Tamir, chief architect, research and development for MetaIntell, identified and duly named this flaw in both the Facebook SDK for iOS and Facebook SDK for Android. 
MetaIntell company has informed the Facebook Security team, but it seems that Facebook hasn’t planned yet the distribution of a security update to fix the flaw.

I followed up with our Platform team to see if there were any changes they wanted to make here: – On the Android side we‘ve concluded that we will not be making any changes: we are comfortable with the level of security provided by the Android OS. – On the iOS side the team is exploring the possibility of moving the access token storage to the keychain in order to comply with best practices.” Facebook replied to MetaIntell after vulnerability report.

Waiting for a security update, it is suggested to Mobile app users to do not use ‘Facebook Login’ option within Mobile apps and disallow apps to use their Facebook login.

Pierluigi Paganini

(Security Affairs –  Facebook SDK, mobile)



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like







More Story

Implications of the crisis in Iraq in the cyberspace

 Security Experts at Intelligence firm InterCrawler have analyzed the effect of the crisis in Iraq on the malicious activities...