Welcome!

News Feed Item

MetaIntell Uncovers Significant Vulnerability With Popular Facebook SDK Affecting Numerous iOS and Android Apps and Potentially Billions of Installations

MetaIntell, the leader in intelligent led Mobile Risk Management (MRM), announced today that it has uncovered a significant security vulnerability in the Facebook SDK (V3.15.0) for both iOS and Android. Dubbed Social Login Session Hijacking, when exploited this vulnerability allows an attacker access to a user’s Facebook account using a session hijacking method that leverages the Facebook Access Token (FAT).

The vulnerability was discovered by MetaIntell using its cloud-based AppInterrogator™ MRM platform and verified by the company’s security research team. AppInterrogator rapidly deconstructs mobile apps to intelligently identify risks and threats using dynamic data generated from Open Source Intelligence (OSINT), vulnerability, static and dynamic assessments. It is the only solution that identifies risks before and after app download and assigns a risk rating to offer users progressive protection. Through progressive, ongoing risk assessments, apps are evaluated for changes in risk posture.

The Facebook SDK is one of the most popular integrated libraries used by free and fee-based app developers for iOS and Android platforms. Specifically, MetaIntell has identified that 71 of the top 100 free iOS apps use the Facebook SDK and are vulnerable, impacting the over 1.2 billion downloads of these apps. Of the top 100 Android apps, 31 utilize the Facebook SDK and therefore make vulnerable the over 100 billion downloads of those apps.

Vulnerable iOS and Android apps build on the Facebook SDK and leverage Facebook for user authentication. Once the app has successfully authenticated to Facebook, a local session token is cached and used to authenticate future sessions. The insecure storage of this session token is what places apps using the Facebook SDK for user authentication at risk of session hijacking.

Chilik Tamir, chief architect, research and development for MetaIntell, identified and duly named this flaw in both the Facebook SDK for iOS and Facebook SDK for Android. “It’s difficult to quantify the pervasiveness of this problem as not all iOS and Android apps utilize the Facebook SDK,” stated Tamir. “However, from our analysis, the SDK is widely used and given the type vulnerability, represents a substantial threat as it opens the door to imparting substantial damage to the reputations and brands of both individuals and organizations.”

MetaIntell discovered the vulnerability in May 2014 and Tamir and his team conducted further research to confirm it and evaluate the pervasiveness of the problem. The vulnerability along with MetaIntell’s research findings was reported to Facebook within two weeks of its initial discovery.

To mitigate the risk of the Social Login Session Hijacking vulnerability at this time, MetaIntell recommends iOS and Android device users discontinue use of the Facebook login by third party apps. MetaIntell’s blog details the steps that can be taken to disallow apps from using their Facebook login. We recommend IT staff alert their company employees about this vulnerability and advise them to discontinue using the Facebook login for apps. This YouTube video depicts the exploitation on an iPhone http://youtu.be/1fylUF_YUqk

“Our risk assessment engine was built from the ground up to utilize multivariate analysis to identify mobile app risks,” said Kevin Mullenex, CEO for MetaIntell. “Given our unique approach we often identify risks that are undetected by others….until after a security breach has occurred. We believe in being proactive and identifying the plethora of new risks before users download them and using progressive assessment to ensure apps remain safe.”

About MetaIntell

MetaIntell is the market and technology leader in intelligence led Mobile Risk Management (MRM). The company offers a cloud-based service that performs a detailed analysis on 3 key vectors: context, intent and predictive behavior. The cross referential analysis includes Deep Code Analysis, Behavioral Monitoring, Vulnerability Assessment, Broad Threat Engines, OSINT, Reputation History & Site Intelligence, and App Distribution Footprint. Data is correlated with gathered intelligence to declare an app is In or Out™ before it poses a threat to an enterprise application repository.

For more information about MetaIntell and its solutions, please visit our website at www.MetaIntell.com.

More Stories By Business Wire

Copyright © 2009 Business Wire. All rights reserved. Republication or redistribution of Business Wire content is expressly prohibited without the prior written consent of Business Wire. Business Wire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

Latest Stories
Containers, microservices and DevOps are all the rage lately. You can read about how great they are and how they’ll change your life and the industry everywhere. So naturally when we started a new company and were deciding how to architect our app, we went with microservices, containers and DevOps. About now you’re expecting a story of how everything went so smoothly, we’re now pushing out code ten times a day, but the reality is quite different.
The hierarchical architecture that distributes "compute" within the network specially at the edge can enable new services by harnessing emerging technologies. But Edge-Compute comes at increased cost that needs to be managed and potentially augmented by creative architecture solutions as there will always a catching-up with the capacity demands. Processing power in smartphones has enhanced YoY and there is increasingly spare compute capacity that can be potentially pooled. Uber has successfully ...
Using new techniques of information modeling, indexing, and processing, new cloud-based systems can support cloud-based workloads previously not possible for high-throughput insurance, banking, and case-based applications. In his session at 18th Cloud Expo, John Newton, CTO, Founder and Chairman of Alfresco, described how to scale cloud-based content management repositories to store, manage, and retrieve billions of documents and related information with fast and linear scalability. He addres...
You want to start your DevOps journey but where do you begin? Do you say DevOps loudly 5 times while looking in the mirror and it suddenly appears? Do you hire someone? Do you upskill your existing team? Here are some tips to help support your DevOps transformation. Conor Delanbanque has been involved with building & scaling teams in the DevOps space globally. He is the Head of DevOps Practice at MThree Consulting, a global technology consultancy. Conor founded the Future of DevOps Thought Leade...
When building large, cloud-based applications that operate at a high scale, it’s important to maintain a high availability and resilience to failures. In order to do that, you must be tolerant of failures, even in light of failures in other areas of your application. “Fly two mistakes high” is an old adage in the radio control airplane hobby. It means, fly high enough so that if you make a mistake, you can continue flying with room to still make mistakes. In his session at 18th Cloud Expo, Lee A...
While some developers care passionately about how data centers and clouds are architected, for most, it is only the end result that matters. To the majority of companies, technology exists to solve a business problem, and only delivers value when it is solving that problem. 2017 brings the mainstream adoption of containers for production workloads. In his session at 21st Cloud Expo, Ben McCormack, VP of Operations at Evernote, discussed how data centers of the future will be managed, how the p...
The deluge of IoT sensor data collected from connected devices and the powerful AI required to make that data actionable are giving rise to a hybrid ecosystem in which cloud, on-prem and edge processes become interweaved. Attendees will learn how emerging composable infrastructure solutions deliver the adaptive architecture needed to manage this new data reality. Machine learning algorithms can better anticipate data storms and automate resources to support surges, including fully scalable GPU-c...
Wooed by the promise of faster innovation, lower TCO, and greater agility, businesses of every shape and size have embraced the cloud at every layer of the IT stack – from apps to file sharing to infrastructure. The typical organization currently uses more than a dozen sanctioned cloud apps and will shift more than half of all workloads to the cloud by 2018. Such cloud investments have delivered measurable benefits. But they’ve also resulted in some unintended side-effects: complexity and risk. ...
Machine learning provides predictive models which a business can apply in countless ways to better understand its customers and operations. Since machine learning was first developed with flat, tabular data in mind, it is still not widely understood: when does it make sense to use graph databases and machine learning in combination? This talk tackles the question from two ends: classifying predictive analytics methods and assessing graph database attributes. It also examines the ongoing lifecycl...
With more than 30 Kubernetes solutions in the marketplace, it's tempting to think Kubernetes and the vendor ecosystem has solved the problem of operationalizing containers at scale or of automatically managing the elasticity of the underlying infrastructure that these solutions need to be truly scalable. Far from it. There are at least six major pain points that companies experience when they try to deploy and run Kubernetes in their complex environments. In this presentation, the speaker will d...
Dhiraj Sehgal works in Delphix's product and solution organization. His focus has been DevOps, DataOps, private cloud and datacenters customers, technologies and products. He has wealth of experience in cloud focused and virtualized technologies ranging from compute, networking to storage. He has spoken at Cloud Expo for last 3 years now in New York and Santa Clara.
When applications are hosted on servers, they produce immense quantities of logging data. Quality engineers should verify that apps are producing log data that is existent, correct, consumable, and complete. Otherwise, apps in production are not easily monitored, have issues that are difficult to detect, and cannot be corrected quickly. Tom Chavez presents the four steps that quality engineers should include in every test plan for apps that produce log output or other machine data. Learn the ste...
"Peak 10 is a hybrid infrastructure provider across the nation. We are in the thick of things when it comes to hybrid IT," explained , Chief Technology Officer at Peak 10, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
We are seeing a major migration of enterprises applications to the cloud. As cloud and business use of real time applications accelerate, legacy networks are no longer able to architecturally support cloud adoption and deliver the performance and security required by highly distributed enterprises. These outdated solutions have become more costly and complicated to implement, install, manage, and maintain.SD-WAN offers unlimited capabilities for accessing the benefits of the cloud and Internet. ...
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.