A researcher has discovered serious vulnerabilities in the main Facebook and Facebook Messenger apps for Android that enable any other app on a device to access the user’s Facebook access token and take over her account. The same researcher also discovered a separate, similar flaw in the Facebook Pages Manager for Android, an app that allows admins to manage multiple Facebook accounts. That bug also enables other apps to grab a user’s access token.
The vulnerabilities were discovered earlier this year by Mohamed Ramadan, a researcher at Attack Secure, who reported them to Facebook and was rewarded with $6,000 in bug bounties. The first vulnerability lies in the way that the main Facebook app and the Facebook Messenger app for Android devices handles a user’s access token, which is essentially the key to accessing a Facebook account. This flaw would allow a malicious app to get the access_token stored on a user’s device and then hijack the user’s account, Ramadan said.
“Imagine this scenario: you are a facebook user, you have android phone/tablet and you installed facebook main app and messenger app for android, now you got a message from a friend or from someone on facebook, you will open the message to read it and there is an attachment like: a movie, doc, pdf, pic or any files that can be attached in facebook messages,” Ramadan said in a blog post explaining the exploit scenario.
“You clicked on file to download it and in the same time your facebook access_token is leaked to android logcat which means that ANY android app can read and capture your facebook access_token stealthy and hijack your account.”
“If you don’t know what is logcat, it is a tool built into all android devices to collect the log messages from all android apps.”
Ramadan said that the Facebook access_tokens don’t expire, meaning that the danger remains indefinitely if the user hasn’t updated his Facebook apps to patch the vulnerability.
The second vulnerability is in the Facebook Pages Manager app for Android, which is designed to help users manage a number of different accounts. The app, which has been installed more than 10 million times, has a similar flaw to the main Facebook app that allows a malicious app to get a user’s access_token, but in this case the user doesn’t need to download or run any code from anywhere else.
That vulnerability has been patched as well, and Ramadan said users should update their apps immediately in order to protect against attacks. Ramadan earlier this year discovered a vulnerability in the Facebook app and Facebook Messenger app that allowed an attacker to access and download a user’s photos.
Image from Flickr photos of Mkhmarketing.