Welcome!

Open Source Cloud Authors: Yeshim Deniz, Pat Romanski, Liz McMillan, Elizabeth White, Zakia Bouachraoui

News Feed Item

MetaIntell Uncovers Significant Vulnerability With Popular Facebook SDK Affecting Numerous iOS and Android Apps and Potentially Billions of Installations

MetaIntell, the leader in intelligent led Mobile Risk Management (MRM), announced today that it has uncovered a significant security vulnerability in the Facebook SDK (V3.15.0) for both iOS and Android. Dubbed Social Login Session Hijacking, when exploited this vulnerability allows an attacker access to a user’s Facebook account using a session hijacking method that leverages the Facebook Access Token (FAT).

The vulnerability was discovered by MetaIntell using its cloud-based AppInterrogator™ MRM platform and verified by the company’s security research team. AppInterrogator rapidly deconstructs mobile apps to intelligently identify risks and threats using dynamic data generated from Open Source Intelligence (OSINT), vulnerability, static and dynamic assessments. It is the only solution that identifies risks before and after app download and assigns a risk rating to offer users progressive protection. Through progressive, ongoing risk assessments, apps are evaluated for changes in risk posture.

The Facebook SDK is one of the most popular integrated libraries used by free and fee-based app developers for iOS and Android platforms. Specifically, MetaIntell has identified that 71 of the top 100 free iOS apps use the Facebook SDK and are vulnerable, impacting the over 1.2 billion downloads of these apps. Of the top 100 Android apps, 31 utilize the Facebook SDK and therefore make vulnerable the over 100 billion downloads of those apps.

Vulnerable iOS and Android apps build on the Facebook SDK and leverage Facebook for user authentication. Once the app has successfully authenticated to Facebook, a local session token is cached and used to authenticate future sessions. The insecure storage of this session token is what places apps using the Facebook SDK for user authentication at risk of session hijacking.

Chilik Tamir, chief architect, research and development for MetaIntell, identified and duly named this flaw in both the Facebook SDK for iOS and Facebook SDK for Android. “It’s difficult to quantify the pervasiveness of this problem as not all iOS and Android apps utilize the Facebook SDK,” stated Tamir. “However, from our analysis, the SDK is widely used and given the type vulnerability, represents a substantial threat as it opens the door to imparting substantial damage to the reputations and brands of both individuals and organizations.”

MetaIntell discovered the vulnerability in May 2014 and Tamir and his team conducted further research to confirm it and evaluate the pervasiveness of the problem. The vulnerability along with MetaIntell’s research findings was reported to Facebook within two weeks of its initial discovery.

To mitigate the risk of the Social Login Session Hijacking vulnerability at this time, MetaIntell recommends iOS and Android device users discontinue use of the Facebook login by third party apps. MetaIntell’s blog details the steps that can be taken to disallow apps from using their Facebook login. We recommend IT staff alert their company employees about this vulnerability and advise them to discontinue using the Facebook login for apps. This YouTube video depicts the exploitation on an iPhone http://youtu.be/1fylUF_YUqk

“Our risk assessment engine was built from the ground up to utilize multivariate analysis to identify mobile app risks,” said Kevin Mullenex, CEO for MetaIntell. “Given our unique approach we often identify risks that are undetected by others….until after a security breach has occurred. We believe in being proactive and identifying the plethora of new risks before users download them and using progressive assessment to ensure apps remain safe.”

About MetaIntell

MetaIntell is the market and technology leader in intelligence led Mobile Risk Management (MRM). The company offers a cloud-based service that performs a detailed analysis on 3 key vectors: context, intent and predictive behavior. The cross referential analysis includes Deep Code Analysis, Behavioral Monitoring, Vulnerability Assessment, Broad Threat Engines, OSINT, Reputation History & Site Intelligence, and App Distribution Footprint. Data is correlated with gathered intelligence to declare an app is In or Out™ before it poses a threat to an enterprise application repository.

For more information about MetaIntell and its solutions, please visit our website at www.MetaIntell.com.

More Stories By Business Wire

Copyright © 2009 Business Wire. All rights reserved. Republication or redistribution of Business Wire content is expressly prohibited without the prior written consent of Business Wire. Business Wire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

IoT & Smart Cities Stories
Disruption, Innovation, Artificial Intelligence and Machine Learning, Leadership and Management hear these words all day every day... lofty goals but how do we make it real? Add to that, that simply put, people don't like change. But what if we could implement and utilize these enterprise tools in a fast and "Non-Disruptive" way, enabling us to glean insights about our business, identify and reduce exposure, risk and liability, and secure business continuity?
DXWorldEXPO LLC announced today that Telecom Reseller has been named "Media Sponsor" of CloudEXPO | DXWorldEXPO 2018 New York, which will take place on November 11-13, 2018 in New York City, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
We are seeing a major migration of enterprises applications to the cloud. As cloud and business use of real time applications accelerate, legacy networks are no longer able to architecturally support cloud adoption and deliver the performance and security required by highly distributed enterprises. These outdated solutions have become more costly and complicated to implement, install, manage, and maintain.SD-WAN offers unlimited capabilities for accessing the benefits of the cloud and Internet. ...
Discussions of cloud computing have evolved in recent years from a focus on specific types of cloud, to a world of hybrid cloud, and to a world dominated by the APIs that make today's multi-cloud environments and hybrid clouds possible. In this Power Panel at 17th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists addressed the importance of customers being able to use the specific technologies they need, through environments and ecosystems that expose their APIs to make true ...
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
DXWorldEXPO LLC announced today that "IoT Now" was named media sponsor of CloudEXPO | DXWorldEXPO 2018 New York, which will take place on November 11-13, 2018 in New York City, NY. IoT Now explores the evolving opportunities and challenges facing CSPs, and it passes on some lessons learned from those who have taken the first steps in next-gen IoT services.
"Space Monkey by Vivent Smart Home is a product that is a distributed cloud-based edge storage network. Vivent Smart Home, our parent company, is a smart home provider that places a lot of hard drives across homes in North America," explained JT Olds, Director of Engineering, and Brandon Crowfeather, Product Manager, at Vivint Smart Home, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
In an era of historic innovation fueled by unprecedented access to data and technology, the low cost and risk of entering new markets has leveled the playing field for business. Today, any ambitious innovator can easily introduce a new application or product that can reinvent business models and transform the client experience. In their Day 2 Keynote at 19th Cloud Expo, Mercer Rowe, IBM Vice President of Strategic Alliances, and Raejeanne Skillern, Intel Vice President of Data Center Group and G...
The current age of digital transformation means that IT organizations must adapt their toolset to cover all digital experiences, beyond just the end users’. Today’s businesses can no longer focus solely on the digital interactions they manage with employees or customers; they must now contend with non-traditional factors. Whether it's the power of brand to make or break a company, the need to monitor across all locations 24/7, or the ability to proactively resolve issues, companies must adapt to...