Wednesday, 20 June 2012

Face.com Patches Flaw in KLIK to Prevent Twitter and Facebook Account Hijacking


Face.com, the company recently acquired by Facebook for its face recognition technologies, patched a critical security hole that affected its mobile app called “KLIK”.

The application, which allowed customers to tag their friends’ faces in real time, contained a vulnerability that an attacker could exploit to hijack the user’s Twitter and Facebook accounts.

“I found an extremely basic vulnerability in which the app allows access to other users’ KLIK information, including private ‘authentication tokens’ (i.e. keys) for users’ Facebook & Twitter accounts,” security researcher Ashkan Soltani explained.

He discovered that the weakness in Face.com’s service could have allowed anyone to hijack a KLIK user’s Twitter and Facebook accounts and gain access to their content.

The expert stressed that if exploited, the vulnerability could be used to access private photographs and even permit the attacker to manipulate the app to “recognize” anyone on the street.

In the case of Twitter, the security hole could have been leveraged to hijack the account and post tweets and status updates on the victim’s behalf.

Apparently, the issue existed because Face.com stored social media OAuth tokens on its servers without properly securing them, so anyone could query them.

“Specifically, once a user signed up for KLIK, the app would store their Facebook tokens on Face.com’s server for ‘safe keeping’. Subsequent calls to https://mobile.face.com/mobileapp/getMe.json return the Facebook ‘service_tokens’ for any user, allowing the attacker to access photos and post as that user,” Soltani added.

If the victim had linked KLIK to their Twitter account, their “service_token” and “service_secret” could have been obtained as well.
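The pattern described above, as an added illustration that is not Face.com’s code: a “get me” style endpoint that trusts a client-named user id and hands back stored OAuth tokens, beside a hardened version that derives authorization from the session and keeps raw tokens and secrets server-side. The token store, session table and user ids are constructed sample data.

```python
"""Hypothetical token store and sessions; the flaw is in get_me_insecure,
the fix in get_me_hardened and post_on_behalf."""
from typing import Optional

# Constructed sample store: OAuth service tokens an app keeps "for safe keeping".
SERVICE_TOKENS = {
    "u100": {"facebook": {"service_token": "FB-TOKEN-ALICE"},
             "twitter": {"service_token": "TW-TOKEN-ALICE",
                         "service_secret": "TW-SECRET-ALICE"}},
    "u200": {"facebook": {"service_token": "FB-TOKEN-BOB"}},
}
# Constructed session table: opaque session id -> authenticated user id.
SESSIONS = {"sess-alice": "u100", "sess-bob": "u200"}


class Forbidden(Exception):
    """Raised when a caller asks for data that is not theirs."""


def get_me_insecure(user_id: str) -> dict:
    """The flawed pattern: no check that the caller *is* user_id, and the
    response carries the raw third-party tokens and secrets."""
    return {"user_id": user_id, "service_tokens": SERVICE_TOKENS.get(user_id, {})}


def get_me_hardened(session_id: str, requested_user_id: Optional[str] = None) -> dict:
    """Identity comes from the server-side session, never from a client-supplied
    id; the response only lists which services are linked, so tokens and
    secrets never leave the server."""
    caller = SESSIONS.get(session_id)
    if caller is None:
        raise Forbidden("no valid session")
    if requested_user_id is not None and requested_user_id != caller:
        raise Forbidden("a session may only read its own profile")
    linked = SERVICE_TOKENS.get(caller, {})
    return {"user_id": caller, "linked_services": sorted(linked)}


def post_on_behalf(session_id: str, service: str) -> str:
    """Server-side use of a stored token: the client names only the action, and
    the server resolves the token for the session's own user."""
    caller = SESSIONS.get(session_id)
    if caller is None or service not in SERVICE_TOKENS.get(caller, {}):
        raise Forbidden("service not linked for this session")
    token = SERVICE_TOKENS[caller][service]["service_token"]
    # A real service would call the provider's API with `token` here.
    return f"posted via {service} as {caller} using token ending {token[-5:]}"
```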

The researcher also referred to the recent TweetGif breach. Apparently, TweetGif cached user tokens in a similar way.

Fortunately, before making his findings public, and before anyone could abuse the vulnerability, Soltani worked with Face.com, Twitter and Facebook to address the issue.

Via: Face.com Patches Flaw in KLIK to Prevent Twitter and Facebook Account Hijacking
