Security researcher Mahomed Ramadan of Attack Secure has found two serious bugs in Facebook’s Android apps that could allow hackers to hijack user accounts. Ramadan found the first vulnerability in both the Facebook Main app and the Facebook Messenger app.
The bug could be triggered by sending a victim an attachment, such as a PDF, video file, Word document, or image. When the user downloaded it, the app wrote the download request, including the user's Facebook access_token, to the Android system log, where any tool or app that collects log messages from Android apps could read it. That token could then be used to hijack the user's account. The second vulnerability Ramadan identified worked much like the first one, but in Facebook's Pages Manager app for Android.
“Every time you use your Facebook main and messenger app to download files from messages, your access_token will be leaked and ANY app, even non malicious app, can capture these tokens and take over your Facebook account,” Ramadan wrote on Attack Secure.
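To make the failure mode concrete, here is an added example in plain Java (not code from the page, from Ramadan, or from Facebook) that contrasts the pattern described above, logging a download URL with the access_token still in it, with a version that redacts secret query parameters before anything is logged, plus a small check that can be run over captured log lines. The download URL, its parameter names and the token value are constructed placeholders; on a real Android build the returned string would be passed to android.util.Log, which is left out so the example runs off-device.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

public class SafeDownloadLogging {

    // Query parameter names that must never reach the system log (assumed list).
    private static final Set<String> SECRET_PARAMS =
            new HashSet<>(Arrays.asList("access_token", "oauth_token", "token", "session"));

    // Matches a secret parameter whose value has not been replaced by the redaction marker.
    private static final Pattern TOKEN_IN_LOG = Pattern.compile(
            "(?i)\\b(access_token|oauth_token|token|session)=(?!\\[REDACTED\\])\\S+");

    // Vulnerable pattern: the whole download URL, token included, becomes a log line.
    // Anything that can read the device log then holds a usable credential.
    static String vulnerableLogLine(String downloadUrl) {
        return "Downloading attachment: " + downloadUrl;
    }

    // Hardened pattern: secret query parameters are masked before the line is built.
    static String redactedLogLine(String downloadUrl) {
        return "Downloading attachment: " + redactSecrets(downloadUrl);
    }

    // Rewrites the query string of a URL, replacing the value of every secret parameter.
    static String redactSecrets(String url) {
        URI uri = URI.create(url);
        String rawQuery = uri.getRawQuery();
        if (rawQuery == null) {
            return url; // nothing to redact
        }
        StringBuilder cleaned = new StringBuilder();
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq >= 0 ? pair.substring(0, eq) : pair;
            if (cleaned.length() > 0) {
                cleaned.append('&');
            }
            if (SECRET_PARAMS.contains(name.toLowerCase())) {
                cleaned.append(name).append("=[REDACTED]");
            } else {
                cleaned.append(pair);
            }
        }
        String base = url.substring(0, url.indexOf('?'));
        String fragment = uri.getRawFragment();
        return base + "?" + cleaned + (fragment != null ? "#" + fragment : "");
    }

    // Detection helper: true if a captured log line still carries a token-like value.
    static boolean leaksToken(String logLine) {
        return TOKEN_IN_LOG.matcher(logLine).find();
    }

    public static void main(String[] args) {
        // Constructed sample URL; the token value is a placeholder, not a real credential.
        String url = "https://attachments.example.invalid/file.pdf"
                + "?id=12345&access_token=EXAMPLE_TOKEN_VALUE";
        String unsafe = vulnerableLogLine(url);
        String safe = redactedLogLine(url);
        System.out.println(unsafe + "  leaks=" + leaksToken(unsafe));
        System.out.println(safe + "  leaks=" + leaksToken(safe));
    }
}
```

The redaction keeps the parameter name so the log stays useful for debugging while the value itself never leaves the process; the same `leaksToken` check can be pointed at a saved logcat dump during testing to catch any code path that still logs raw URLs.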
For his efforts, Facebook paid Ramadan $6,000 total through its bug bounty program. To help users avoid these bugs, Ramadan advises Facebook for Android users to change their log-in passwords and update their apps. Ramadan first reported the bugs in June, and the issues have since been fixed. It's suggested that users update their Facebook Android apps and Facebook Pages Manager for Android NOW!
He also gives this “Pro Tip: You must change your facebook password now if you are using facebook android apps.” Beyond this particular incident, it’s still a good idea to periodically change your passwords and keep your apps updated.