Security experts at MetaIntell have discovered a critical vulnerability in the latest version of Facebook Software Development Kit (SDK).  This critical flaw  can expose millions of Facebook accounts at risk from potential hackers.  The security vulnerability discovered by MetaIntell affects hundreds of iOS and Android Apps which accept Facebook Login and exposes millions of Facebook user’s Authentication Tokens at severe risk. MetaIntell has named this vulnerability  “Social Login Session Hijacking,”, and said that it could be used by a potential hacker to access victim’s Facebook account information using access token and session hijacking method.

New Facebook SDK vulnerability discovered by Metaintell, millions of Facebook accounts at risk through hundreds of iOS and Android Apps security tokens hijacking
“MetaIntell, the leader in intelligent led Mobile Risk Management (MRM), announced today that it has uncovered a significant security vulnerability in the Facebook SDK (V3.15.0) for both iOS and Android. Dubbed Social Login Session Hijacking, when exploited this vulnerability allows an attacker access to a user’s Facebook account using a session hijacking method that leverages the Facebook Access Token (FAT).” reports MetaIntell in the blog post.

For the uninitiated the Facebook SDK allows the easy integration of mobile Apps with Facebook platform, in particular to implement Login with Facebook authentication and reading and writing to Facebook APIs.  This method helps both the developers and users. The developers can have a one stop login for their App and a global leaderboard by integreting the Facebook API while the user doesnt have to register again and again for every new App.  The user can also invite his friends for the App or compete on the Global leaderboard. The process of “Login as Facebook” authenticatio in the Facebook is a implementation of the open standard for authorization OAuth which provides client applications a ‘secure delegated access’ to resources on behalf of a resource owner.

Through “Login as Facebook” mechanism users can sign into the 100s of third party iOS and Android Apps without the requirement of registering or sharing their passwords.  Once they approve the permission like ‘Let the App read your FB Profile’  requested by the particular App, the Facebook SDK implements the OAuth 2.0 User-Agent flow in order to gain the access token. The access token is used by mobile Apps to invoke Facebook SDK APIs to read, modify or write user’s Facebook data on their behalf.

Once the App is successfully authenticated with Facebook, a local session token is cached and used to authenticate all future sessions of that particular App erasing the need for the user to login again and again.  However this very cached session token seems to be vulnerable in the new Facebook SDK. The insecure management of this session token exposes users to serious risks if user’s apps are using the Facebook SDK for user authentication.

According the researchers at MetaIntell, Facebook SDK Library stores the session token in an unencrypted format on the device’s file system.  A hacker can easily access this SDK Library and gain unwanted access to the Facebook users credentials and other personal data. MetaIntell has published a YouTube video with the POC detailing how they used this particular vulnerability in the iOS VOIP App Viber on a iPhone. The video clearly demonstrate that any third party App with permission to access device file system can be used to steal the token remotely. 



Researchers at MetaIntell say that as many as 71 of the top 100 free iOS apps use the Facebook SDK.  These 71 Apps which have a collective 1.2 billion download are thus at risk from a potential hacker using this vulnerability.  For Android, MetaIntell says that 31 of the top 100 Android Apps use the Facebook SDK for login, and have over 100 billion collective downloads from users across the Globe.  This makes the vulnerability in the Facebook SDK a potential leaker of 102 billion users world wide, in the wrong hands.

“It’s difficult to quantify the pervasiveness of this problem as not all iOS and Android apps utilize the Facebook SDK,” “However, from our analysis, the SDK is widely used and given the type vulnerability, represents a substantial threat as it opens the door to imparting substantial damage to the reputations and brands of both individuals and organizations.”stated Chilik Tamir, chief architect, research and development for MetaIntell who has identified and named this this flaw in both the Facebook SDK for iOS and Facebook SDK for Android. 

MetaIntell said that it had informed Facebook security team regarding the above vulnerability but MetaIntell says that Facebook doesnt have any security fix for the flaw in pipeline.  If you are using any App which requires Facebook login, it will be wise to avoid the Facebook login till Facebook issues a patch for this high risk vulnerability.

The author can be reached @comboupdates

2 COMMENTS

LEAVE A REPLY

Please enter your comment!
Please enter your name here