Mi3 SECURITY RESEARCH: FACEBOOK SESSION HIJACKING

 

MI3 SECURITY UNCOVERS SIGNIFICANT FACEBOOK VULNERABILITY IN THE FACEBOOK SDK AFFECTING NUMEROUS iOS AND ANDROID APPS AND POTENTIALLY BILLIONS OF INSTALLATIONS

 
From our analysis, the SDK is widely used and, given the type of Facebook vulnerability, represents a substantial threat, as it opens the door to imparting substantial damage to the reputations and brands of both individuals and organizations.
— Chilik Tamir, Chief Architect, Research and Development for Mi3 Security

DETAILS

The Facebook vulnerability was discovered by Mi3 Security using its cloud-based AppInterrogator™ platform and verified by the company’s security research team. AppInterrogator rapidly deconstructs mobile apps to intelligently identify risks and threats using dynamic data generated from Open Source Intelligence (OSINT), vulnerability, static and dynamic assessments. It is the only solution that identifies risks before and after app download and assigns a risk rating to offer users progressive protection. Through progressive, ongoing risk assessments, apps are evaluated for changes in risk posture.

The Facebook SDK is one of the most popular integrated libraries used by developers of free and fee-based apps for the iOS and Android platforms. Specifically, Mi3 Security has identified that 71 of the top 100 free iOS apps use the Facebook SDK and are vulnerable, affecting over 1.2 billion downloads of these apps. Of the top 100 Android apps, 31 use the Facebook SDK, which leaves over 100 billion downloads of these apps vulnerable.

Vulnerable iOS and Android apps build on the Facebook SDK and leverage Facebook for user authentication. Once the app has successfully authenticated to Facebook, a local session token is cached and used to authenticate future sessions. The insecure storage of this session token is what places apps using the Facebook SDK for user authentication at risk of session hijacking.

Mi3 Security discovered the Facebook vulnerability in May 2014, and Tamir and his team conducted further research to confirm it and evaluate the pervasiveness of the problem. The vulnerability, along with Mi3 Security's research findings, was reported to Facebook within two weeks of its initial discovery.

To mitigate the risk of the Social Login Session Hijacking vulnerability at this time, Mi3 Security recommends that iOS and Android device users discontinue use of the Facebook login by third-party apps. Mi3 Security's blog details the steps users can take to disallow apps from using their Facebook login. We recommend that IT staff alert their company's employees to this vulnerability and advise them to discontinue using the Facebook login for apps. This YouTube video depicts the exploitation on an iPhone.