Experts from MetaIntell have discovered a critical vulnerability in the latest version of the Facebook SDK that puts millions of Facebook accounts at risk.
“MetaIntell, the leader in intelligence-led Mobile Risk Management (MRM), announced today that it has uncovered a significant security vulnerability in the Facebook SDK (V3.15.0) for both iOS and Android. Dubbed Social Login Session Hijacking, when exploited this vulnerability allows an attacker access to a user’s Facebook account using a session hijacking method that leverages the Facebook Access Token (FAT),” reports MetaIntell in its blog post.
The Facebook SDK allows easy integration of mobile apps with the Facebook platform, in particular to implement Login with Facebook authentication and to read from and write to the Facebook APIs. The “Login with Facebook” authentication mechanism is Facebook’s implementation of OAuth, the open standard for authorization, which gives client applications ‘secure delegated access’ to resources on behalf of a resource owner; the access token issued at login is the credential that carries that delegated access, which is why a stolen token is enough to act as the user.
“It’s difficult to quantify the pervasiveness of this problem as not all iOS and Android apps utilize the Facebook SDK,” stated Chilik Tamir, chief architect for research and development at MetaIntell, who identified and named the flaw in both the Facebook SDK for iOS and the Facebook SDK for Android. “However, from our analysis, the SDK is widely used and, given the type of vulnerability, represents a substantial threat as it opens the door to imparting substantial damage to the reputations and brands of both individuals and organizations.”
“I followed up with our Platform team to see if there were any changes they wanted to make here: – On the Android side we’ve concluded that we will not be making any changes: we are comfortable with the level of security provided by the Android OS. – On the iOS side the team is exploring the possibility of moving the access token storage to the keychain in order to comply with best practices,” Facebook replied to MetaIntell after receiving the vulnerability report.
(Security Affairs – Facebook SDK, mobile)