Researcher Finds Two Vulnerabilities in Facebook Android Apps

Security researcher Mahomed Ramadan of Attack Secure has found two serious bugs in Facebook’s Android apps that could allow attackers to hijack user accounts. Ramadan found the first vulnerability in both the Facebook main app and the Facebook Messenger app.

The bug could be triggered by sending a victim an attachment, such as a PDF, video file, Word document, or image. Once the user downloaded it to their device, the app wrote that user’s Facebook access_token to the Android system log (logcat), the shared log that collects messages from Android apps and that other apps on the device could read. The captured token could then be used to hijack the user’s account. The second vulnerability Ramadan identified worked much like the first one, but in Facebook’s Pages Manager app for Android.
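The class of leak described above (a session token written into the shared Android log) is something an app developer or tester can check for in their own logcat captures. The following Python scanner is an added example, not code from the original report or from Facebook; the logcat lines and the token values in it are constructed, and the secret patterns are assumptions about what a leaked credential looks like.

```python
import re
from dataclasses import dataclass

# Constructed logcat-style sample (not taken from the original report).
SAMPLE_LOGCAT = """\
I/ActivityManager( 1234): Start proc com.example.app for activity
D/FileDownloader( 4321): GET https://attachments.example.com/doc.pdf?access_token=EAAB1234567890abcdefGHIJKLMNOPQRSTUVWXYZ
V/OkHttp( 4321): Authorization: Bearer AbCdEf0123456789AbCdEf0123456789
D/FileDownloader( 4321): saved to /sdcard/Download/doc.pdf
"""

# Standard "brief" logcat format: LEVEL/TAG( PID): message
LOGCAT_RE = re.compile(
    r"^(?P<level>[VDIWEF])/(?P<tag>[^(]+)\(\s*(?P<pid>\d+)\):\s(?P<msg>.*)$"
)

# Assumed shapes of a leaked credential: a long token in an access_token
# parameter, or a bearer value copied from an Authorization header.
SECRET_PATTERNS = [
    ("access_token param", re.compile(r"(access_token=)([A-Za-z0-9_\-]{20,})")),
    ("bearer header", re.compile(r"(Bearer\s+)([A-Za-z0-9_\-.]{20,})")),
]


@dataclass
class Finding:
    line_no: int   # 1-based line in the capture
    tag: str       # logcat tag, usually the component that logged it
    pid: int       # process id, to attribute the leak to an app
    kind: str      # which pattern matched
    redacted: str  # a hint of the value without reproducing the secret


def redact(value: str) -> str:
    """Keep only a short prefix and suffix so reports do not re-leak the token."""
    return value[:4] + "..." + value[-2:]


def scan_logcat(text: str) -> list[Finding]:
    """Return one Finding per secret-looking value in a logcat capture."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOGCAT_RE.match(line)
        if not m:
            continue  # ignore lines not in logcat brief format
        for kind, pattern in SECRET_PATTERNS:
            for hit in pattern.finditer(m["msg"]):
                findings.append(Finding(line_no, m["tag"].strip(), int(m["pid"]),
                                        kind, redact(hit.group(2))))
    return findings
```

Run `scan_logcat(SAMPLE_LOGCAT)` against a real capture from your own app (`adb logcat -v brief`) to see which tag and process wrote a credential; the fix is to stop logging the value, not to filter the log.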

“Every time you use your Facebook main and messenger app to download files from messages, your access_token will be leaked and ANY app, even non malicious app, can capture these tokens and take over your Facebook account,” Ramadan wrote on Attack Secure.

For his efforts, Facebook paid Ramadan $6,000 in total through its bug bounty program. To help users avoid these bugs, Ramadan advises Facebook users on Android to change their login passwords and update their apps. Ramadan first reported the bugs in June, so the issues have since been resolved. It’s suggested that users update their Facebook Android apps and Facebook Pages Manager for Android NOW!

He also gives this “Pro Tip: You must change your facebook password now if you are using facebook android apps.” Even after updating, it’s still a good idea to periodically change your passwords and keep your apps updated.
