
Facebook App Vulnerabilities Could Compromise Your Account

If you use the Facebook or Facebook Messenger apps on your Android device, be careful of downloading files through them. Two newly discovered vulnerabilities could give an attacker unrestricted access to your account.

Information about the vulnerabilities comes by way of Mohamed Ramadan, founder of Egyptian security firm Attack-Secure. Ramadan has already made something of a name for himself discovering Facebook flaws, and has previously earned $6,000 for finding other potential points of compromise in the popular social network.

The first vulnerability affects the Facebook and Facebook Messenger apps for Android. Each of these apps uses what's known as an "access token" to keep a user logged into his or her account. This is why you don't need to log in every time you open the Facebook apps.


The access token is normally kept in a protected location, but Ramadan discovered a way to force it out into the open.

If a malicious hacker sends a file your way through Facebook — in the form of a movie to watch or a Word document to read, for example — downloading it will also leak your access token to your Android device's log.

Many Android apps can access logs remotely — after all, logs are fairly harmless. All they do is keep records of which programs you've used on your phone.

Of course, if your access token shows up as part of the log, just about anyone could access your Facebook account.
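As an added illustration, not code from the article or from Facebook, here is a small Python check a defender could run over captured logcat output to spot token-like values that have leaked into the log and to redact them before the log is shared. The logcat "threadtime" layout is assumed, and every log line and token value below is constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample logcat output in the "threadtime" layout (assumed);
# every token value here is made up for the example.
SAMPLE_LOGCAT = """\
03-12 10:41:02.117  4321  4330 D DownloadManager: Starting download of movie.mp4
03-12 10:41:02.250  4321  4330 I HttpClient: GET /me?access_token=EXAMPLE1234abcdEFGHijklMNOPqrstUVWXyz0123456789
03-12 10:41:03.001  4321  4345 V PagesManager: session token=EXAMPLEtokenvalue0987654321ZYXWVUTSRQPONMLKJIHGF
03-12 10:41:03.500  1200  1200 D ActivityManager: Displayed com.example.app/.MainActivity
"""

# date time pid tid level tag: message
LOG_LINE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s*(?P<msg>.*)$"
)
# Any parameter whose name ends in "token", followed by a long opaque value.
TOKEN_PARAM = re.compile(r"(?i)\b([a-z_]*token)\s*[=:]\s*([A-Za-z0-9._\-]{20,})")


@dataclass
class Finding:
    pid: int
    tag: str
    param: str
    token: str


def find_token_leaks(logcat_text: str) -> list[Finding]:
    """Return one Finding per token-like value found in the log text."""
    findings = []
    for raw in logcat_text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the expected layout
        for param, token in TOKEN_PARAM.findall(m.group("msg")):
            findings.append(Finding(int(m.group("pid")), m.group("tag"), param, token))
    return findings


def redact(logcat_text: str) -> str:
    """Mask token values so the log can be stored or shared without exposing them."""
    return TOKEN_PARAM.sub(lambda m: m.group(0).replace(m.group(2), "<REDACTED>"), logcat_text)


if __name__ == "__main__":
    for f in find_token_leaks(SAMPLE_LOGCAT):
        print(f"pid {f.pid} tag {f.tag!r} leaked {f.param}={f.token[:8]}...")
    print(redact(SAMPLE_LOGCAT))
```

On a real device the input would be the output of `adb logcat -v threadtime`; any hit from an app's own process is a sign that a credential is being written somewhere other apps may read.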

The Facebook Pages Manager app could also fall prey to malefactors, Ramadan discovered. This app is useful for people who manage multiple Facebook accounts on the same device (such as spouses who share a tablet).

Ramadan did not explain exactly how this vulnerability worked (most likely for fear that someone might try to replicate it), but he did point out that users did not need to download anything for Pages Manager to dump the access token into the system logs. A malicious hacker could steal your account info without you taking any action whatsoever.

The good news is that, because Ramadan told Facebook about them months ago, both of these vulnerabilities have been patched. If you use an Android device, make sure that your Facebook apps are all updated to the most recent version (just access the Google Play store; it will inform you if any of your apps are not up to date).

Even so, these will probably not be the last vulnerabilities that researchers ever unearth in Facebook apps. Continue to use common sense: Avoid downloads from strangers, and if a friend offers you a download, try to gauge whether it's something you actually asked for or a phishing attempt.

If all else fails, a quick reply asking "What is this file?" never hurt anyone.

Follow Marshall Honorof @marshallhonorof and on Google+. Follow us @tomsguide, on Facebook and on Google+.

  • husker
    Wow. Shocking (not). The title of this article should be the tag line for the company. Maybe they could work it into their logo or official company letterhead.
  • Brian Cooper
    I will definitely be more careful, although I'm usually good about not opening random files on my phone.
  • dextermat
    Just another "java"