Security researchers have uncovered a weakness in the Facebook SDK that puts millions of Facebook users' authentication tokens at risk.
The Facebook SDK for Android and iOS is an easy way to integrate a mobile application with the Facebook platform: it provides 'Login with Facebook' authentication along with read and write access to Facebook's APIs.
Facebook's OAuth-based 'Login with Facebook' mechanism lets users sign up for, or sign in to, third-party applications without sharing their Facebook password. Once the user approves the requested permissions, the SDK completes the OAuth 2.0 user-agent flow and receives an access token for the user's account; the app then presents that bearer token to Facebook's APIs to read or modify the user's data on their behalf.
How are the access tokens hijacked? An access token is meant to stay private to the app that obtained it, but researchers at MetaIntell found that the Facebook SDK stores the token unencrypted on the device's file system, and they argue that this storage can be reached even on non-rooted Android phones and non-jailbroken iOS devices.
"With just 5 seconds of USB connectivity, the access token is available on iOS via a juice jacking attack, no jailbreak needed, and on the Android file system it can be accessed via recovery mode, which is trickier and requires more time," said Chilik Tamir, chief architect at MetaIntell.
The token is not only exposed to someone with physical access to the device; other apps are a threat too. According to the researchers, a third-party app holding the right permissions can read the file from the device's file system and steal the user's Facebook access token without ever touching the hardware. (On Android, an app's private data directory is isolated by the OS sandbox, which is the protection Facebook's reply below relies on; the researchers' concern is anything that bypasses that isolation, such as the backup and recovery-mode paths Tamir describes.)
MetaIntell dubbed the issue "Social Login Session Hijacking." Whoever obtains the token can call Facebook's APIs as the victim, with every permission the victim granted to that app, for as long as the token remains valid: a classic session hijack.
The researchers published a YouTube video demonstrating the attack against the iOS version of the popular messaging app Viber.
Every third-party Android or iOS app that uses the Facebook SDK for login and keeps the unencrypted token on the device is exposed to the attack.
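The check a practitioner would want here is a way to confirm, on their own app's data directory or an unencrypted device backup, whether an access token is sitting in a plain preference file. The script below is an added example and not MetaIntell's or Facebook's code: it scans a constructed Android SharedPreferences XML file and a constructed iOS preferences plist for values that look like plaintext tokens. The file contents, key names and token values are all constructed for illustration; real SDK key names vary by SDK version, which is why the check uses shape heuristics rather than a fixed key.

```python
"""Audit mobile preference files for plaintext OAuth access tokens.

Added example, not MetaIntell's or Facebook's code. It checks the two
storage locations the article describes: an Android SharedPreferences
XML file and an iOS NSUserDefaults plist, as they would appear in an
app's data directory or an unencrypted backup. File contents, key names
and token values are all constructed; real SDK key names vary by version.
"""
import plistlib
import re
import xml.etree.ElementTree as ET

# Heuristics: a preference whose leaf key mentions a token, or whose value
# has the shape of a long opaque bearer token (Facebook tokens are long
# URL-safe alphanumeric strings).
TOKEN_KEY_RE = re.compile(r"token", re.IGNORECASE)
TOKEN_VALUE_RE = re.compile(r"^[A-Za-z0-9_-]{40,}$")

# Constructed sample tokens (not real Facebook tokens).
SAMPLE_TOKEN = "CAAEXAMPLE" + "0" * 50
SAMPLE_TOKEN_2 = "EAAEXAMPLE" + "1" * 50

# Constructed Android SharedPreferences file, as found under
# /data/data/<package>/shared_prefs/<name>.xml
ANDROID_PREFS = f"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="fb_access_token">{SAMPLE_TOKEN}</string>
    <string name="theme">dark</string>
    <string name="cache_blob">{SAMPLE_TOKEN_2}</string>
</map>
"""

# Constructed iOS preferences plist, as found under
# <app sandbox>/Library/Preferences/<bundle id>.plist
IOS_PLIST = f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>FBAccessTokenInformation</key>
    <dict>
        <key>access_token</key>
        <string>{SAMPLE_TOKEN}</string>
        <key>expiration_date</key>
        <string>2014-06-01</string>
    </dict>
    <key>AppleLanguages</key>
    <array>
        <string>en</string>
    </array>
</dict>
</plist>
""".encode()


def looks_like_token(key: str, value: str) -> bool:
    """True if either the leaf key or the value suggests an access token."""
    return bool(TOKEN_KEY_RE.search(key) or TOKEN_VALUE_RE.match(value))


def scan_shared_prefs(xml_text: str) -> list:
    """Return (key, value) pairs from an Android SharedPreferences file
    that appear to hold a plaintext token."""
    root = ET.fromstring(xml_text)
    hits = []
    for node in root.iter("string"):
        key = node.get("name", "")
        value = (node.text or "").strip()
        if looks_like_token(key, value):
            hits.append((key, value))
    return hits


def scan_plist(plist_bytes: bytes) -> list:
    """Same check for an iOS plist; keys are reported as slash-joined
    paths so nested dictionaries stay readable."""
    hits = []

    def walk(path: str, leaf: str, obj) -> None:
        if isinstance(obj, dict):
            for k, v in obj.items():
                walk(f"{path}/{k}" if path else k, k, v)
        elif isinstance(obj, list):
            for i, v in enumerate(obj):
                walk(f"{path}/{i}", str(i), v)
        elif isinstance(obj, str) and looks_like_token(leaf, obj):
            hits.append((path, obj))

    walk("", "", plistlib.loads(plist_bytes))
    return hits


if __name__ == "__main__":
    for label, hits in (("Android", scan_shared_prefs(ANDROID_PREFS)),
                        ("iOS", scan_plist(IOS_PLIST))):
        for key, value in hits:
            print(f"{label}: plaintext token under {key!r}: {value[:12]}...")
```

The value heuristic matters as much as the key heuristic: the constructed `cache_blob` entry is caught purely by its shape, which is what you want when an SDK or a caching layer stores the token under a name that does not say "token". On a real audit, point the two scanners at every `shared_prefs/*.xml` and `Library/Preferences/*.plist` pulled from a backup and treat any hit as a finding to be moved into the Keychain or Keystore.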
"MetaIntell has identified that 71 of the top 100 free iOS apps use the Facebook SDK and are vulnerable, impacting over 1.2 billion downloads of these apps. Of the top 100 Android apps, 31 utilize the Facebook SDK, leaving over 100 billion downloads of these apps vulnerable," the researchers said in a blog post.
MetaIntell reported the issue to Facebook's security team, but Facebook did not treat it as something that needed fixing on Android.
"I followed up with our Platform team to see if there were any changes they wanted to make here: – On the Android side we've concluded that we will not be making any changes: we are comfortable with the level of security provided by the Android OS. – On the iOS side the team is exploring the possibility of moving the access token storage to the keychain in order to comply with best practices," Facebook replied to MetaIntell after the initial bug report.
How to protect against the ‘Social Login Session Hijacking’ vulnerability
Since Facebook is in no rush to change this, mobile users are advised not to use 'Login with Facebook' in mobile apps and to revoke the apps currently authorized through it (removing an app in Facebook's app settings invalidates the token it holds). For developers, the recommendation is to keep users' Facebook access tokens off the device's file system altogether: hold them in secure server-side storage and talk to the device only over encrypted channels, or at minimum put them in the platform's protected credential store (the iOS Keychain that Facebook's reply mentions, or the Android Keystore-backed equivalent) rather than in plain preference files.
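To make the server-side option concrete, here is an added example (not code from the Facebook SDK, and not MetaIntell's) of the design the advice above describes: the app persists only an opaque session handle, while a backend vault holds the real access token and proxies Graph API calls on the app's behalf. The vault, the handle format, the TTL and the stand-in for the Graph API are all constructed for illustration; a real deployment would make the Graph call over HTTPS and back the vault with a database.

```python
"""Keep the Facebook access token off the device entirely.

Added example illustrating the developer advice above; it is not code
from the Facebook SDK or from MetaIntell. The app persists only an opaque
session handle, while a backend vault holds the real access token and
proxies Graph API calls. The vault, the handle format and the stand-in
for the Graph API are all constructed for illustration.
"""
import json
import secrets
import time

# Constructed stand-in for Facebook's API: accepts exactly one token.
VALID_FB_TOKEN = "CAAEXAMPLE" + "0" * 50   # not a real token


def fake_graph_api(fb_token: str, path: str) -> dict:
    """Pretend Graph API endpoint; the real one is an HTTPS call."""
    if fb_token != VALID_FB_TOKEN:
        return {"error": "invalid token"}
    return {"id": "1000", "path": path}


class TokenVault:
    """Backend-side store. Facebook tokens never leave this process; the
    mobile client only ever sees a random handle it can present back."""

    def __init__(self, ttl_seconds: int = 3600):
        self._ttl = ttl_seconds
        self._sessions = {}   # handle -> {"token": ..., "expires": ...}

    def enroll(self, fb_token: str, now=None) -> str:
        """Called once, server-side, right after the OAuth flow completes."""
        now = time.time() if now is None else now
        handle = secrets.token_urlsafe(32)   # 256 bits, unguessable
        self._sessions[handle] = {"token": fb_token,
                                  "expires": now + self._ttl}
        return handle

    def revoke(self, handle: str) -> bool:
        """Invalidate a handle, e.g. after a reported device loss. The
        Facebook token itself was never on the device, so nothing there
        needs to be rotated."""
        return self._sessions.pop(handle, None) is not None

    def call_graph(self, handle: str, path: str, now=None):
        """Proxy a Graph call for the client; returns None if the handle is
        unknown, revoked or expired (expired handles are dropped on sight)."""
        now = time.time() if now is None else now
        session = self._sessions.get(handle)
        if session is None or now >= session["expires"]:
            self._sessions.pop(handle, None)
            return None
        return fake_graph_api(session["token"], path)


def persist_session(handle: str) -> str:
    """What the mobile app writes to its own storage: the handle only.
    In a real app this still belongs in the Keychain/Keystore, but even if
    it leaks from a backup it is a revocable handle, not the token."""
    return json.dumps({"session_handle": handle})


def demo():
    """Enrol, use, check the on-device blob for the token, revoke, retry."""
    vault = TokenVault(ttl_seconds=3600)
    handle = vault.enroll(VALID_FB_TOKEN, now=0.0)
    on_device = persist_session(handle)
    token_leaked = VALID_FB_TOKEN in on_device
    before_revoke = vault.call_graph(handle, "/me", now=10.0)
    vault.revoke(handle)
    after_revoke = vault.call_graph(handle, "/me", now=20.0)
    return token_leaked, before_revoke, after_revoke


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should keep in mind: the handle is still a bearer credential, so someone who copies it out of a backup can use it until it expires or is revoked. What the design buys you is that the Facebook token itself never touches the device file system, that the handle's lifetime and revocation are under the app developer's control rather than Facebook's, and that a leaked handle only reaches whatever the backend chooses to proxy. Storing the handle in the Keychain or Keystore on top of this closes the remaining gap.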