14 DAY TRIAL // A number of three vulnerabilities have been eliminated from the Facebook app for Android devices; these would allow a potential attacker to conduct denial-of service (DoS) type of attacks on the device, capture and retrieve video and audio content.
In all three cases, insecure transmission of data was at fault, a problem Facebook is trying to solve for the Instagram app for both Android and iOS, where the risk is much higher as there is the possibility of account hijacking by stealing the session cookies.
One of the flaws repaired consisted in the fact that the app embedded a generic HTTP server component used as a caching proxy for playing video.
According to the disclosure report made by Dr. Manuel Sadosky, “this server is misconfigured and accepts requests from any client, local or remote, allowing attackers to connect to it and use a victim's device as an open proxy. As a result, among other things, an attacker could carry out various forms of denial of service attacks such as filling up the device's storage or running up the subscriber's data transfer limit over 3G or LTE networks.”
Another glitch offered an attacker who used the same network as the affected device the possibility to capture or retrieve video content.
Sadosky explains that this could be done because of the privacy policy in Facebook, which does not allow access to video marked as private by the user if the client is a web browser, but the policy was not respected when the client was the Facebook app.
Audio interception could be carried out by someone on the same network as the Android client, since data transmission would be done through an insecure channel. Both Facebook and Facebook Messenger apps were affected by this flaw.
According to the timeline of the disclosure, all three bugs have been removed from the affected products, and at the moment, the update is available to all users of the Android versions of Facebook and its messenger.
The first report of the researcher regarding the vulnerabilities was sent to Facebook on May 13, 2014. By June 12, Facebook had rolled out patches for two of the glitches.
For the issue leading to a potential denial-of-service condition, the developer asked for a proof-of-concept code to demonstrate it.
After implementing the fix in the stable revision of the application, Facebook requested the researcher to postpone the disclosure until a large number of users would have the possibility to make the update. This happened on July 27.
According to the financial report for the second quarter of 2014, Facebook boasted 1.07 billion active users as of June 30, with an average of 654 million using the service from mobile devices on a daily basis.