Facebook SDK vulnerability threatening millions of mobile phone users accounts-vulnerability warning-the black bar safety net

ID MYHACK58:62201451349
Type myhack58
Reporter 佚名
Modified 2014-07-15T00:00:00


From MetaIntell the smartphone leadership risk management(MRM)security researchers, found a latest version of Facebook SDK vulnerability in the vulnerability exposes millions of Facebook user's authentication token, it still sounds very scary.


Facebook for Android and IOS SDK provides the use of authentication log on Facebook, read and write to the Facebook API and other many simple ways.

Facebook OAuth authentication or say“Facebook account”login mechanism, provides a method of requiring the user to enter a user name or password to the third-party apps directly on the login of a personalized and secure manner. Faceook SDK by implementing OAuth2. 0 user-agent flow to get the application access token, enabling the use of Facebook API to implement the Read, modify or write user's Facebook data.

Accessing unencrypted access token

The user's private Secret access token should never be shared with anyone. But surprisingly, the researchers found that Facebook SDK library directly to the token in clear text format stored on the device, anyone can easily get the Android or IOS encrypt the token, and completely does not require root or jailbreak, me and my little friends are shocked!

“On a single IOS device, plug in the USB after, only need 5 seconds, you can via juice jacking attack to obtain the access token.” MetaIntell chief architect of Chilik Tamir, told reporters.

From other programs of the threat

He also said, in addition, we on the phone for any is given read file system permissions of the app are able to remotely access or stealing the user's Facebook access token.

The researchers dubbed the vulnerability“social login session hijacking.” The vulnerability once exploited, allows an attacker with an access token and session hijacking method to access the victim's Facebook account information.

Video demo

Researchers on youtube posted a video, the video shows researchers how by the IOS version of Viber exploit this vulnerability. Very obvious, Viber use Facebook OAuth authentication to login.

[1] [2] next