Welcome!

News Feed Item

MetaIntell Uncovers Significant Vulnerability With Popular Facebook SDK Affecting Numerous iOS and Android Apps and Potentially Billions of Installations

MetaIntell, the leader in intelligent led Mobile Risk Management (MRM), announced today that it has uncovered a significant security vulnerability in the Facebook SDK (V3.15.0) for both iOS and Android. Dubbed Social Login Session Hijacking, when exploited this vulnerability allows an attacker access to a user’s Facebook account using a session hijacking method that leverages the Facebook Access Token (FAT).

The vulnerability was discovered by MetaIntell using its cloud-based AppInterrogator™ MRM platform and verified by the company’s security research team. AppInterrogator rapidly deconstructs mobile apps to intelligently identify risks and threats using dynamic data generated from Open Source Intelligence (OSINT), vulnerability, static and dynamic assessments. It is the only solution that identifies risks before and after app download and assigns a risk rating to offer users progressive protection. Through progressive, ongoing risk assessments, apps are evaluated for changes in risk posture.

The Facebook SDK is one of the most popular integrated libraries used by free and fee-based app developers for iOS and Android platforms. Specifically, MetaIntell has identified that 71 of the top 100 free iOS apps use the Facebook SDK and are vulnerable, impacting the over 1.2 billion downloads of these apps. Of the top 100 Android apps, 31 utilize the Facebook SDK and therefore make vulnerable the over 100 billion downloads of those apps.

Vulnerable iOS and Android apps build on the Facebook SDK and leverage Facebook for user authentication. Once the app has successfully authenticated to Facebook, a local session token is cached and used to authenticate future sessions. The insecure storage of this session token is what places apps using the Facebook SDK for user authentication at risk of session hijacking.

Chilik Tamir, chief architect, research and development for MetaIntell, identified and duly named this flaw in both the Facebook SDK for iOS and Facebook SDK for Android. “It’s difficult to quantify the pervasiveness of this problem as not all iOS and Android apps utilize the Facebook SDK,” stated Tamir. “However, from our analysis, the SDK is widely used and given the type vulnerability, represents a substantial threat as it opens the door to imparting substantial damage to the reputations and brands of both individuals and organizations.”

MetaIntell discovered the vulnerability in May 2014 and Tamir and his team conducted further research to confirm it and evaluate the pervasiveness of the problem. The vulnerability along with MetaIntell’s research findings was reported to Facebook within two weeks of its initial discovery.

To mitigate the risk of the Social Login Session Hijacking vulnerability at this time, MetaIntell recommends iOS and Android device users discontinue use of the Facebook login by third party apps. MetaIntell’s blog details the steps that can be taken to disallow apps from using their Facebook login. We recommend IT staff alert their company employees about this vulnerability and advise them to discontinue using the Facebook login for apps. This YouTube video depicts the exploitation on an iPhone http://youtu.be/1fylUF_YUqk

“Our risk assessment engine was built from the ground up to utilize multivariate analysis to identify mobile app risks,” said Kevin Mullenex, CEO for MetaIntell. “Given our unique approach we often identify risks that are undetected by others….until after a security breach has occurred. We believe in being proactive and identifying the plethora of new risks before users download them and using progressive assessment to ensure apps remain safe.”

About MetaIntell

MetaIntell is the market and technology leader in intelligence led Mobile Risk Management (MRM). The company offers a cloud-based service that performs a detailed analysis on 3 key vectors: context, intent and predictive behavior. The cross referential analysis includes Deep Code Analysis, Behavioral Monitoring, Vulnerability Assessment, Broad Threat Engines, OSINT, Reputation History & Site Intelligence, and App Distribution Footprint. Data is correlated with gathered intelligence to declare an app is In or Out™ before it poses a threat to an enterprise application repository.

For more information about MetaIntell and its solutions, please visit our website at www.MetaIntell.com.

More Stories By Business Wire

Copyright © 2009 Business Wire. All rights reserved. Republication or redistribution of Business Wire content is expressly prohibited without the prior written consent of Business Wire. Business Wire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

Latest Stories
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
SYS-CON Events announced today that A&I Solutions has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 1999, A&I Solutions is a leading information technology (IT) software and services provider focusing on best-in-class enterprise solutions. By partnering with industry leaders in technology, A&I assures customers high performance levels across all IT environments including: mai...
SYS-CON Events announced today that delaPlex will exhibit at SYS-CON's @ThingsExpo, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. delaPlex pioneered Software Development as a Service (SDaaS), which provides scalable resources to build, test, and deploy software. It’s a fast and more reliable way to develop a new product or expand your in-house team.
Five years ago development was seen as a dead-end career, now it’s anything but – with an explosion in mobile and IoT initiatives increasing the demand for skilled engineers. But apart from having a ready supply of great coders, what constitutes true ‘DevOps Royalty’? It’ll be the ability to craft resilient architectures, supportability, security everywhere across the software lifecycle. In his keynote at @DevOpsSummit at 20th Cloud Expo, Jeffrey Scheaffer, GM and SVP, Continuous Delivery Busine...
SYS-CON Events announced today that Progress, a global leader in application development, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Enterprises today are rapidly adopting the cloud, while continuing to retain business-critical/sensitive data inside the firewall. This is creating two separate data silos – one inside the firewall and the other outside the firewall. Cloud ISVs ofte...
DevOps at Cloud Expo – being held October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real r...
SYS-CON Events announced today that Systena America will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Systena Group has been in business for various software development and verification in Japan, US, ASEAN, and China by utilizing the knowledge we gained from all types of device development for various industries including smartphones (Android/iOS), wireless communication, security technology and IoT serv...
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend @CloudExpo | @ThingsExpo, June 6-8, 2017, at the Javits Center in New York City, NY and October 31 - November 2, 2017, Santa Clara Convention Center, CA. Learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
SYS-CON Events announced today that Super Micro Computer, Inc., a global leader in compute, storage and networking technologies, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Supermicro (NASDAQ: SMCI), the leading innovator in high-performance, high-efficiency server technology, is a premier provider of advanced server Building Block Solutions® for Data Center, Cloud Computing, Enterprise IT, Hadoop/...
SYS-CON Events announced today that CollabNet, a global leader in enterprise software development, release automation and DevOps solutions, will be a Bronze Sponsor of SYS-CON's 20th International Cloud Expo®, taking place from June 6-8, 2017, at the Javits Center in New York City, NY. CollabNet offers a broad range of solutions with the mission of helping modern organizations deliver quality software at speed. The company’s latest innovation, the DevOps Lifecycle Manager (DLM), supports Value S...
Cloud promises the agility required by today’s digital businesses. As organizations adopt cloud based infrastructures and services, their IT resources become increasingly dynamic and hybrid in nature. Managing these require modern IT operations and tools. In his session at 20th Cloud Expo, Raj Sundaram, Senior Principal Product Manager at CA Technologies, will discuss how to modernize your IT operations in order to proactively manage your hybrid cloud and IT environments. He will be sharing bes...
SYS-CON Events announced today that Twistlock, the leading provider of cloud container security solutions, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Twistlock is the industry's first enterprise security suite for container security. Twistlock's technology addresses risks on the host and within the application of the container, enabling enterprises to consistently enforce security policies, monitor...
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, whic...
SYS-CON Events announced today that Peak 10, Inc., a national IT infrastructure and cloud services provider, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Peak 10 provides reliable, tailored data center and network services, cloud and managed services. Its solutions are designed to scale and adapt to customers’ changing business needs, enabling them to lower costs, improve performance and focus intern...
While some vendors scramble to create and sell you a fancy solution for monitoring your spanking new Amazon Lambdas, hear how you can do it on the cheap using just built-in Java APIs yourself. By exploiting a little-known fact that Lambdas aren’t exactly single threaded, you can effectively identify hot spots in your serverless code. In his session at 20th Cloud Expo, David Martin, Principal Product Owner at CA Technologies, will give a live demonstration and code walkthrough, showing how to ov...