Facebook SDK Vulnerability Puts Millions of Smartphone Users' Accounts at Risk

Security researchers from MetaIntell, the leader in intelligence-led Mobile Risk Management (MRM), have discovered a major security vulnerability in the latest version of the Facebook SDK that puts millions of Facebook users' authentication tokens at risk. The Facebook SDK for Android and iOS is the easiest way to integrate mobile apps with the Facebook platform; it provides support for Login with Facebook authentication, reading from and writing to Facebook APIs, and more.

Facebook OAuth authentication, or 'Login with Facebook', is a personalized and secure way for users to sign into third-party apps without sharing their passwords. After the user approves the permissions requested by the application, the Facebook SDK implements the OAuth 2.0 User-Agent flow to retrieve the user's secret access token, which the app needs in order to call Facebook APIs to read, modify or write the user's Facebook data on their behalf.
ACCESSING UNENCRYPTED ACCESS TOKEN
It is important that your secret token is never shared with anyone, but researchers found that the Facebook SDK library stores it in unencrypted form on the device's file system, where it can be read easily even on a non-rooted Android device or a non-jailbroken iOS device.
"With just 5 seconds of USB connectivity, the access token is available on iOS via a juice jacking attack, no jailbreak needed, and on the Android file system it can be accessed via recovery mode, which is trickier and requires more time," Chilik Tamir, Chief Architect for MetaIntell, told The Hacker News.
THREAT FROM OTHER APPS
Moreover, any third-party smartphone application with permission to access the device file system can read this file and steal users' Facebook access tokens remotely, he said.

Researchers dubbed the vulnerability "Social Login Session Hijacking." Once exploited, it could allow an attacker to access the victim's Facebook account information by replaying the stolen access token, a form of session hijacking.
VIDEO DEMONSTRATION: STEALING FACEBOOK TOKEN FROM VIBER
Researchers published a YouTube video demonstrating the reported vulnerability in one of the most popular messaging applications, 'Viber' for iOS.
Reviewed by Unknown on 2/01/2015
