Facebook users are again at risk. A new security vulnerability has recently been found in the Facebook applications for iOS and Android. Researcher and app developer Gareth Wright, who discovered the issue, said it comes down to Facebook's native apps for the two platforms not encrypting your login credentials, meaning they can be easily swiped over a USB connection or, more likely, by malicious apps.
Facebook has responded that the issue only applies to compromised or jailbroken devices. In other words, if you are using a jailbroken iOS device or a rooted Android device, your identity can easily be stolen. Wright copied the hash and tested a few FQL queries. "Sure enough, I could pull back pretty much any information from my Facebook account. As of the 1st of May 2012 these tokens run out after 60 days but aside from that a simple .Net tool could easily snaffle this info and grab a fair whack of confirmed email addresses and marketing info."

"Not good, but then I had to wonder what the Facebook app stored. Popping into the Facebook application directory I quickly discovered a whole bunch of cached images and the com.Facebook.plist. What was contained within was shocking. Not an access token but full oAuth key and secret in plain text. Surely though, these are encrypted or salted with the device ID. Worryingly, the expiry in the plist is set to 1 Jan 4001!"
“Facebook’s iOS and Android applications are only intended for use with the manufacturer-provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device,” a Facebook spokesperson said in a statement. “We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, ‘unauthorized modification of iOS could allow hackers to steal personal information … or introduce malware or viruses.’ To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues.”
As for the USB connection scenario, Facebook says there is no way to fix this problem. Note that in this case it does not matter whether your device is jailbroken, because whoever is doing the deed already has physical access to your phone or tablet.
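The following is an added example, not Wright's tool and not Facebook's code, of the kind of check an app reviewer would run on files pulled from an app sandbox (over USB from a backup, or straight off the file system of a jailbroken device): a Python script that parses an iOS property list and flags credential-looking keys stored as plain strings, plus expiry dates set so far in the future that they amount to "never". The plists are constructed inside the script, and every key name in them (OAuthAccessToken, OAuthSecret, TokenExpiry, SessionKey) is invented for the example; none is taken from the real com.Facebook.plist.

```python
"""Audit an iOS property list for credential material stored in the clear.

Added example. The plists built here are constructed for the demonstration
and their key names are made up; nothing is copied from com.Facebook.plist.
"""
import datetime
import plistlib
import re
from typing import Any, List, Optional

# Heuristic for key names that tend to hold credentials (assumed list).
SECRET_KEY_RE = re.compile(r"token|secret|password|passwd|oauth|session", re.I)

# An expiry more than a year out is treated as "effectively never expires".
FAR_FUTURE = datetime.timedelta(days=365)


def build_sample_plist() -> bytes:
    """Constructed binary plist mimicking a credential cache left in an app
    sandbox: tokens as plain strings and a sentinel expiry in the year 4001."""
    sample = {
        "AppVersion": "4.1.1",
        "UserID": "100000000000001",
        "OAuthAccessToken": "AAAB-constructed-access-token",   # plaintext
        "OAuthSecret": "constructed-consumer-secret",          # plaintext
        "TokenExpiry": datetime.datetime(4001, 1, 1),          # "never"
        "Cache": {
            "LastSync": datetime.datetime(2012, 4, 5, 9, 30),
            "SessionKey": "constructed-session-key",           # nested plaintext
        },
    }
    return plistlib.dumps(sample, fmt=plistlib.FMT_BINARY)


def build_hardened_plist() -> bytes:
    """Constructed plist for an app that keeps tokens out of its preferences
    entirely (e.g. in the Keychain) and persists only non-secret state."""
    hardened = {
        "AppVersion": "4.1.1",
        "UserID": "100000000000001",
        "Cache": {"LastSync": datetime.datetime(2012, 4, 5, 9, 30)},
    }
    return plistlib.dumps(hardened, fmt=plistlib.FMT_BINARY)


def _walk(node: Any, path: str, now: datetime.datetime, findings: List[str]) -> None:
    """Recursively inspect dicts and lists, recording findings with key paths."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}" if path else str(key)
            # A secret-looking key holding a non-empty string is stored in the clear.
            if SECRET_KEY_RE.search(str(key)) and isinstance(value, str) and value:
                findings.append(f"plaintext credential at {child}")
            # Dates far beyond now mean the token never rotates if stolen.
            if isinstance(value, datetime.datetime) and value - now > FAR_FUTURE:
                findings.append(f"expiry at {child} is {value:%Y-%m-%d}, effectively never")
            _walk(value, child, now, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", now, findings)


def audit_plist(data: bytes, now: Optional[datetime.datetime] = None) -> List[str]:
    """Parse a binary or XML plist and return human-readable findings.

    `now` can be injected to make the expiry check deterministic.
    """
    now = now or datetime.datetime.now()
    plist = plistlib.loads(data)  # auto-detects binary vs. XML format
    findings: List[str] = []
    _walk(plist, "", now, findings)
    return findings


if __name__ == "__main__":
    print("-- sample credential cache --")
    for line in audit_plist(build_sample_plist()):
        print(line)
    print("-- hardened preferences --")
    print(audit_plist(build_hardened_plist()) or "no findings")
```

Point it at a real file with `audit_plist(open(path, "rb").read())`. The hardened plist shows the actual fix: preferences files are copied by backups and are readable by any process with file-system access, so a token should not be in them at all; on iOS the Keychain, with an access class such as kSecAttrAccessibleWhenUnlockedThisDeviceOnly, keeps the item out of device-to-device migration, and a short server-side expiry limits how long a stolen token stays useful on a jailbroken device, where no local storage is fully safe.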