Researcher: Face.com iOS flaw could have allowed Facebook, Twitter account hijacking
- 21 June, 2012 12:49
Facial recognition start-up Face.com patched a vulnerability in its KLINK iOS app that could have allowed attackers to hijack the Facebook and Twitter accounts of its users, according to Ashkan Soltani, the independent security researcher who claims to have found the flaw.
KLIK is a camera app designed to allow users to easily tag friends in new photos by scanning their Facebook photo albums. It uses facial recognition technology developed by Face.com.
In order to use the app, users need to grant it access to their Facebook accounts. However, the app can also be integrated with Twitter, where it can post messages on their behalf.
A simple vulnerability in the app allowed users to access each others' Facebook and Twitter accounts, Soltani said in a blog post on Monday, the same day Face.com announced that it had been acquired by Facebook.
The vulnerability was caused by Face.com storing Facebook and Twitter OAuth tokens -- unique authentication keys -- on its servers in an insecure way that made them accessible to anyone, Soltani said.
With access to users' OAuth tokens, an attacker could abuse the KLIK app's permissions on their accounts. This includes the ability to access their private photos and friend lists or to post status updates and tweets in their names.
Since the vulnerability affected facial recognition technology, the privacy implications were significant, Soltani said. An attacker could hijack a popular user's account -- like Lady Gaga's, had she used KLINK -- and build face prints for their millions of Facebook friends. Then they could match those in real time to people walking down the street.
"Since this was a vulnerability that could potentially reveal sensitive consumer information, I worked with Face.com, Facebook, and Twitter to make sure it was addressed before disclosing it," Soltani said.
Face.com did not immediately return a request for comment.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
Why change management doesn’t work
Larry Page wants to see your medical records
Dual-Persona Smartphones Not a BYOD Panacea
After two-year hiatus, EFF accepts bitcoin donations again
CIOs struggle to deliver timely mobile business apps: survey
Securing the Promise of Virtualisation
For today’s enterprise, this whitepaper identifies three general areas of risk associated with risk; those that are traditionally areas of risk, the hazards that are exclusive to virtualisation and the more recent set of risks that are associated with newly formed hybrid environments. Read more to find out how to keep pace with evolving threats, quicker provisioning and dynamically mobile workloads.
Android Malware Exposed
Take an in-depth look at the evolution of android malware. The world of malware targeting the Android OS is similar yet very different from malware affecting Windows. Explore the rapidly evolving world of android malware and shed light on the various techniques used to exploit devices using this OS.
The Big Data Security Analytics Era is Here
Large organisations can no longer rely on preventive security systems, point security tools, manual processes, and hardened configurations to protect them from targeted attacks and advanced malware. Henceforth, security management must be based upon continuous monitoring and data analysis for up‐to-the‐minute situational awareness and rapid data-driven security decisions. This means that large organisations have entered the era of big data security analytics. Learn more.