KLIK is a camera app that uses face recognition to tag friends in Facebook photos in real time. It also apparently exposed KLIK users’ private authentication tokens for their Facebook and Twitter accounts, allowing those accounts to be taken over by another user.
Independent researcher and consultant Ashkan Soltani disclosed in a blog post Monday how KLIK was exploited, using someone’s account as an example.
“Face.com was storing Facebook/Twitter OAuth tokens on their servers insecurely, allowing them to be queried for *any user* without restriction. Specifically, once a user signed up for KLIK, the app would store their Facebook tokens on Face.com’s server for ‘safe keeping.’ Subsequent calls to https://mobile.face.com/mobileapp/getMe.json return the Facebook “service_tokens” for any user, allowing the attacker to access photos and post as that user. If the KLIK user has linked their Twitter account to the KLIK app (say, to ‘tweet’ their photos à la Instagram), their ‘service_secret’ and ‘service_token’ were also returned.”
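The flaw Soltani describes is a missing authorization check: the endpoint looked up stored third-party tokens by whatever user was requested and never tied that lookup to the caller’s own session. The following is an added illustration written for this article, not Face.com’s code; the handler names, user ids and token values are all constructed. It places the broken pattern beside the fixed one and includes a small probe a reviewer can run against either handler to confirm whether a cross-user read is possible.

```python
"""Constructed illustration of the getMe.json authorization failure.

Nothing here reproduces Face.com's real service; user ids, token values
and handler names are made up for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class ServiceTokens:
    service_token: str
    service_secret: Optional[str] = None  # present only when Twitter was linked


# Constructed server-side store: user id -> tokens for each linked service.
TOKEN_STORE: Dict[str, Dict[str, ServiceTokens]] = {
    "user-1001": {"facebook": ServiceTokens("fb-token-A")},
    "user-1002": {
        "facebook": ServiceTokens("fb-token-B"),
        "twitter": ServiceTokens("tw-token-B", "tw-secret-B"),
    },
}


class Forbidden(Exception):
    """Raised when a request asks for tokens the caller may not read."""


def get_me_vulnerable(session_user: Optional[str], requested_user: str) -> Dict[str, ServiceTokens]:
    """The pattern the article describes: the record is selected purely by the
    user id named in the request. The authenticated session is never consulted,
    so any caller (even an unauthenticated one) can read any user's tokens."""
    return TOKEN_STORE.get(requested_user, {})


def get_me_hardened(session_user: Optional[str], requested_user: str) -> Dict[str, ServiceTokens]:
    """Fixed pattern: the authenticated session decides whose tokens come back.
    A request that names a different user, or carries no session at all, is
    refused before any lookup happens."""
    if session_user is None:
        raise Forbidden("unauthenticated request")
    if requested_user != session_user:
        raise Forbidden("callers may only read their own linked-service tokens")
    return TOKEN_STORE.get(session_user, {})


Handler = Callable[[Optional[str], str], Dict[str, ServiceTokens]]


def cross_user_read_succeeds(handler: Handler, attacker: str, victim: str) -> bool:
    """Probe: call `handler` with the attacker's session asking for the victim's
    record. Returns True if the victim's Facebook token is returned (the flaw),
    False if the handler refuses."""
    try:
        result = handler(attacker, victim)
    except Forbidden:
        return False
    expected = TOKEN_STORE[victim]["facebook"].service_token
    return "facebook" in result and result["facebook"].service_token == expected


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_me_vulnerable), ("hardened", get_me_hardened)):
        leaked = cross_user_read_succeeds(handler, "user-1001", "user-1002")
        print(f"{name}: cross-user token read {'SUCCEEDS' if leaked else 'refused'}")
```

The probe is the kind of check worth keeping in a test suite for any endpoint that returns per-user secrets: one authenticated identity asks for another identity’s record, and the test passes only when the request is refused. The hardened handler also never needs the `requested_user` value to drive the lookup; accepting it only to confirm it matches the session is the conservative choice when an existing client still sends it.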
Soltani said he discovered the “extremely basic vulnerability” a few weeks ago but did not go public with his finding until the Israel-based Face.com had patched it. The disclosure came on the same day the company announced it was being acquired by Facebook for $100 million.
“Given the nature of the technology (facial recognition), the privacy concerns are significant,” he wrote. “The above attack not only allows access to non-public photos, but also lets the attacker potentially manipulate the Face.com app to automatically ‘recognize’ anyone walking down the street (i.e., just hijack Lady Gaga’s and get her ~11 million friends’ ‘face prints’).”
“In addition to accessing potentially private data (i.e., if they had their photos, friends lists, or tweets set to ‘private’), the vuln allowed the attacker to hijack the account and post status updates / Tweets as that user. Since KLIK relies on Facebook Connect, that means anyone that has used the app was vulnerable.”