From MetaIntell the smartphone leadership risk management（MRM）security researchers, found a latest version of Facebook SDK vulnerability in the vulnerability exposes millions of Facebook user's authentication token, it still sounds very scary.
Facebook for Android and IOS SDK provides the use of authentication log on Facebook, read and write to the Facebook API and other many simple ways.
Facebook OAuth authentication or say“Facebook account”login mechanism, provides a method of requiring the user to enter a user name or password to the third-party apps directly on the login of a personalized and secure manner. Faceook SDK by implementing OAuth2. 0 user-agent flow to get the application access token, enabling the use of Facebook API to implement the Read, modify or write user's Facebook data.
Accessing unencrypted access token
The user's private Secret access token should never be shared with anyone. But surprisingly, the researchers found that Facebook SDK library directly to the token in clear text format stored on the device, anyone can easily get the Android or IOS encrypt the token, and completely does not require root or jailbreak, me and my little friends are shocked!
“On a single IOS device, plug in the USB after, only need 5 seconds, you can via juice jacking attack to obtain the access token.” MetaIntell chief architect of Chilik Tamir, told reporters.
From other programs of the threat
He also said, in addition, we on the phone for any is given read file system permissions of the app are able to remotely access or stealing the user's Facebook access token.
The researchers dubbed the vulnerability“social login session hijacking.” The vulnerability once exploited, allows an attacker with an access token and session hijacking method to access the victim's Facebook account information.
Researchers on youtube posted a video, the video shows researchers how by the IOS version of Viber exploit this vulnerability. Very obvious, Viber use Facebook OAuth authentication to login.