Face.com, the Israel-based facial recognition maker, and the recent acquisition of Facebook, has suffered a big security flaw in its functionality, resulting in hijacking of the Facebook and Twitter accounts of users. The popular Face.com mobile app KLIK that lets users tag faces in photos using Facebook allowed almost anyone to hack the Facebook and Twitter accounts of KLIK’s users. The security hole was discovered by Ashkan Soltani, an independent researcher specializing in consumer privacy and internet security.

Here’ s what Soltani informed (Technically) about this security flaw:

“Face.com was storing Facebook/Twitter OAUTH tokens on their servers insecurely, allowing them to be queried for *any user* without restriction. Specifically, once a user signed up for KLIK, the app would store their Facebook tokens on Face.com’s server for ‘safe keeping’. Subsequent calls to https://mobile.face.com/mobileapp/getMe.json returns the Facebook “service_tokens” for any user, allowing the attacker to access photos and post as that user. If the KLIK user has linked their Twitter account to KLIK App (say, to ‘tweet’ their photos à la Instagram), their ‘service_secret’ and ‘service_token’ was also returned.”

To be precise, this vulnerability allowed access and rights to manipulate potentially private data of users, and post status updates / Tweets as that user. The entire thing happened because Face.com was storing Facebook and Twitter OAUTH authorization tokens on servers insecurely. Though Soltani discovered the flaw much earlier before it was publicized, he preferred disclosing it only after the issue was resolved. May be he did not want to create a panic among users!

Face.com was earlier a partner of Facebook, and was recently acquired by the latter one. Facebook already makes use of Face.com’s technology for real-time tagging and identifying other people in photos, which is one of the core elements of Facebook’s ongoing success.

Face.com has now confirmed the security fix, but users should still be alert. In fact, it is the best time to get rid of all the applications, which have become redundant and are of no use for you. Make sure to review all the applications that were given permission to access your account details. Internet security has become an important concern nowadays, so it’s really important to keep a check on what you are doing online and if anything is dubious.