Mohamed Ramadan, a security researcher with Attack Secure, has identified a couple of vulnerabilities in Facebook applications for Android.
One of the vulnerabilities affects the Android versions of the main Facebook app and Facebook Messenger. The security hole allows hackers to steal access tokens and hijack accounts.
According to Ramadan, the attacker simply needs to send the victim a message that contains an attachment – any type of attachment, including videos, documents, and pictures.
When the user downloads the attached file, the Facebook access token (access_token) is leaked to Android Logcat, the Android logging system that provides a mechanism for collecting and viewing system debug output.
This means that any Android application you have installed on your smartphone can obtain your access token and, by extension, gain access to your Facebook account.
“Every time you use your Facebook main and Messenger app to download files from messages, your access_token will be leaked and ANY app, even non malicious app, can capture these tokens and take over your Facebook account,” the researcher noted.
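For developers auditing their own test builds for this class of leak, the following added example (not code from the researcher or from Facebook) scans a logcat capture in `threadtime` format for credential parameters such as `access_token` and reports the logging tag and process with the value redacted. The sample lines, tags, URLs and the key names other than `access_token` are constructed assumptions.

```python
import re

# logcat "threadtime" layout: date time pid tid level tag: message
LINE_RE = re.compile(
    r"^\d\d-\d\d\s+[\d:.]+\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]*?)\s*:\s(?P<msg>.*)$"
)
# access_token is the parameter named in the article; the other keys are
# assumed examples of credential fields a team might add to its own list.
SECRET_RE = re.compile(
    r"(?P<key>access_token|refresh_token|client_secret)"
    r"(?P<sep>\"?\s*[=:]\s*\"?)(?P<val>[^&\s\"',}]+)",
    re.IGNORECASE,
)

def scan_logcat(lines):
    """Return one finding per log line that carries a credential value."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        m = LINE_RE.match(raw.rstrip("\r\n"))
        if not m:
            continue  # separators such as "--------- beginning of main"
        msg = m.group("msg")
        keys = sorted({h.group("key").lower() for h in SECRET_RE.finditer(msg)})
        if keys:
            findings.append({
                "line": lineno,
                "pid": int(m.group("pid")),
                "level": m.group("level"),
                "tag": m.group("tag"),
                "keys": keys,
                # Never echo the secret into the audit report itself.
                "redacted": SECRET_RE.sub(r"\g<key>\g<sep><redacted>", msg),
            })
    return findings

# Constructed sample capture (hypothetical tags, URLs and token values).
SAMPLE = [
    "--------- beginning of main",
    "01-15 10:23:45.123  1234  1250 D ExampleDownloader: GET https://example.invalid/attachment?id=42&access_token=CONSTRUCTED0123456789&fmt=bin",
    "01-15 10:23:45.200  1234  1250 I ExampleDownloader: download finished, 20481 bytes",
    '01-15 10:23:46.010  1300  1300 W ExamplePages: login response {"uid": 7, "access_token": "CONSTRUCTEDabcdef"}',
]

if __name__ == "__main__":
    for f in scan_logcat(SAMPLE):
        print(f"line {f['line']} pid={f['pid']} tag={f['tag']}: {f['redacted']}")
```

Run against a capture taken while exercising login and file download in a debug build; any finding points to a log statement that should be removed or stripped from release builds.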
For this vulnerability, reported to Facebook a few months ago, the expert has been rewarded with $2,500 (€1,800).
The second flaw, which impacts the Facebook Pages Manager application for Android, is similar to the first.
“The vulnerability I found in Facebook Pages Manager app is the same like the other one but to exploit it you need to login to your Facebook account and your access token will be leaked to all apps without a need to download ANYTHING from ANYONE,” the expert explained.
To demonstrate the existence of the vulnerability and how it could have been exploited, Ramadan made a proof-of-concept video. For this security hole, the researcher has been rewarded with $3,500 (€2,500).
The expert advises users to update their applications to the latest versions in order to protect themselves against attacks leveraging these security holes.
Here is the POC video demonstrating the Facebook Pages Manager vulnerability. Additional technical details are available on Attack Secure.