30 Oct 2013

Two Bugs in Facebook Android Apps Allow Account Hijack

Two vulnerabilities in the Facebook and Facebook Messenger mobile applications allow attackers to grab Facebook access_tokens and hijack user accounts, according to Mohamed Ramadan, a researcher with Attack Secure.

In the case of the first flaw, anyone on Facebook can simply send the victim a message with an attachment, such as a video, a document, a PDF or a picture. Once the attachment is downloaded on the device, the access_token is leaked to the Android logcat, the shared log buffer that collects log messages from all Android apps.

“Every time you use your Facebook main and Messenger app to download files from messages, your access_token will be leaked and ANY app, even a non-malicious app, can capture these tokens and take over your Facebook account,” the researcher explains in a blog post.
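The leak described above is the kind of thing a logcat audit catches before release. The following is an added example (not code from the article or from Facebook's apps) that scans constructed logcat lines for OAuth access tokens in the three shapes they usually reach a log (query parameter, JSON field, bearer header) and offers a scrubbing filter; all log lines and token values are fake.

```python
import re

# Constructed sample logcat output (threadtime format); every token below is fake.
SAMPLE_LOGCAT = """\
10-30 12:01:02.345  1234  1250 D FileDownloader: GET https://cdn.example.com/v/clip.mp4?access_token=CAAC1234567890abcdef&mode=inline
10-30 12:01:02.400  1234  1250 I ActivityManager: Displayed com.example.app/.MainActivity: +120ms
10-30 12:01:03.010  1234  1251 D OkHttp: Authorization: Bearer EAAB0987654321zyxwvut
10-30 12:01:04.000  1234  1252 D Sync: {"access_token":"CAAD11112222333344445555","expires_in":5184000}
"""

# Shapes in which an OAuth access token typically reaches a log line:
# a URL query parameter, a JSON field, or a bearer Authorization header.
TOKEN_PATTERNS = {
    "query_param": re.compile(r"(?i)([?&]access_token=)([^&\s\"']+)"),
    "json_field": re.compile(r"(?i)(\"access_token\"\s*:\s*\")([^\"]+)"),
    "bearer_header": re.compile(r"(Bearer\s+)([A-Za-z0-9._~+/=-]+)"),
}

# threadtime line layout: date time pid tid level tag: message
LOGCAT_LINE = re.compile(r"^\S+\s+\S+\s+\d+\s+\d+\s+([VDIWEF])\s+([^:]+):\s*(.*)$")


def redact(token):
    """Keep a 4-char prefix for correlation, hide the rest, report the length."""
    return f"{token[:4]}...[{len(token)} chars]"


def find_leaked_tokens(logcat_text):
    """Return one finding per token occurrence: line number, log tag, shape, redacted value."""
    findings = []
    for line_no, line in enumerate(logcat_text.splitlines(), start=1):
        m = LOGCAT_LINE.match(line)
        tag = m.group(2).strip() if m else "?"
        for kind, pattern in TOKEN_PATTERNS.items():
            for hit in pattern.finditer(line):
                findings.append({"line": line_no, "tag": tag, "kind": kind,
                                 "token": redact(hit.group(2))})
    return findings


def scrub_line(line):
    """Replace every recognised token shape with its redacted form (usable as a log filter)."""
    for pattern in TOKEN_PATTERNS.values():
        line = pattern.sub(lambda h: h.group(1) + redact(h.group(2)), line)
    return line


if __name__ == "__main__":
    for f in find_leaked_tokens(SAMPLE_LOGCAT):
        print(f"line {f['line']} tag={f['tag']} {f['kind']}: {f['token']}")
```

Running the scanner over a real capture (`adb logcat -v threadtime`) during a test session that exercises downloads and logins is the quick check; the scrubber shows the shape of a fix, redacting before the value ever reaches `Log.d`.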

The second bug is linked to the Facebook Pages Manager app for Android. “The vulnerability I found in Facebook Pages Manager app is the same as the other one, but to exploit it you need to login to your Facebook account and your access token will be leaked to all apps without a need to download ANYTHING from ANYONE,” Ramadan says.

Ramadan advises all users of Facebook for Android to change their login passwords and to keep all their apps updated to the latest version.