UPDATED 15:03 EDT / JUNE 21 2012


Security Loopholes in Face.com App Allow Hijack of Facebook, Twitter Accounts

Face.com, the Israel-based facial recognition company recently acquired by Facebook, suffered a serious security flaw that allowed the Facebook and Twitter accounts of its users to be hijacked. KLIK, Face.com's popular mobile app that lets users tag faces in photos through Facebook, allowed almost anyone to take over the Facebook and Twitter accounts of KLIK's users. The security hole was discovered by Ashkan Soltani, an independent researcher specializing in consumer privacy and internet security.

Here's what Soltani told (Technically) about this security flaw:

“Face.com was storing Facebook/Twitter OAUTH tokens on their servers insecurely, allowing them to be queried for *any user* without restriction. Specifically, once a user signed up for KLIK, the app would store their Facebook tokens on Face.com’s server for ‘safe keeping’. Subsequent calls to https://mobile.face.com/mobileapp/getMe.json return the Facebook “service_tokens” for any user, allowing the attacker to access photos and post as that user. If the KLIK user has linked their Twitter account to the KLIK app (say, to ‘tweet’ their photos à la Instagram), their ‘service_secret’ and ‘service_token’ were also returned.”

To be precise, the vulnerability granted access to users' potentially private data, the ability to manipulate it, and the ability to post status updates and tweets as that user. It all came about because Face.com was storing Facebook and Twitter OAuth authorization tokens insecurely on its servers. Though Soltani discovered the flaw well before it was publicized, he chose to disclose it only after the issue had been resolved. Maybe he did not want to create a panic among users!
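The flaw Soltani describes is a broken access control pattern: a "get me" endpoint that looks up whichever user the client names, and then echoes the stored third-party tokens back in the response. The following is an added illustration, not Face.com's code and not based on any knowledge of how KLIK's backend was built. It contrasts a handler with that pattern against a hardened one in which identity comes only from the server-side session and the OAuth tokens never leave the server. The user records, session ids, token strings and the `sender` callable are all constructed placeholders.

```python
from typing import Callable, Optional

# Constructed sample data standing in for a photo app's user store.
# Token strings are placeholders, not real credentials.
USERS = {
    "u1001": {
        "facebook": {"service_token": "FB-TOKEN-U1001"},
        "twitter": {"service_token": "TW-TOKEN-U1001", "service_secret": "TW-SECRET-U1001"},
    },
    "u1002": {
        "facebook": {"service_token": "FB-TOKEN-U1002"},
    },
}

# Constructed session table: opaque session id -> authenticated user id.
# A real service would back this with a signed cookie or a session store.
SESSIONS = {"sess-abc": "u1001", "sess-xyz": "u1002"}


class Unauthorized(Exception):
    """Raised when a request is not bound to a valid session or asks for another user's data."""


def get_me_vulnerable(params: dict) -> dict:
    """The defect class the article describes: the record is selected by a
    client-supplied user_id with no binding to who is actually calling, and the
    stored third-party tokens (including the Twitter secret) are returned."""
    uid = params.get("user_id")
    if uid not in USERS:
        return {"error": "not found"}
    return {"user_id": uid, "service_tokens": USERS[uid]}


def get_me_fixed(session_id: Optional[str], params: dict) -> dict:
    """Hardened handler. The caller's identity is taken from the session only;
    a client-supplied user_id that disagrees with it is rejected rather than
    honoured; and the response reveals only which services are linked, never
    the tokens themselves, because the client has no need for them."""
    caller = SESSIONS.get(session_id) if session_id else None
    if caller is None:
        raise Unauthorized("no valid session")
    requested = params.get("user_id")
    if requested is not None and requested != caller:
        # Asking for a different user's record is a policy violation worth logging.
        raise Unauthorized("user_id does not match session")
    linked = {service: {"linked": True} for service in USERS.get(caller, {})}
    return {"user_id": caller, "linked_accounts": linked}


def post_as_user(session_id: Optional[str], service: str, text: str,
                 sender: Callable[[dict, str], str]) -> str:
    """Server-side use of the stored token: the client asks the app to post on
    its behalf, the app resolves the caller from the session and hands the
    credentials to `sender` (a stand-in for the real social-network API call).
    The token is consumed here and is never sent to the device."""
    caller = SESSIONS.get(session_id) if session_id else None
    if caller is None:
        raise Unauthorized("no valid session")
    creds = USERS.get(caller, {}).get(service)
    if creds is None:
        raise Unauthorized(f"{service} is not linked for this user")
    return sender(creds, text)


if __name__ == "__main__":
    # Anyone can pull u1002's Facebook token from the vulnerable handler.
    print(get_me_vulnerable({"user_id": "u1002"}))
    # The hardened handler returns only link status for the session's own user.
    print(get_me_fixed("sess-abc", {}))
```

The two design points that close the hole are independent and both worth having: the lookup key must come from the authenticated session rather than from request parameters, and the third-party tokens should be treated as server-only secrets that are used in place, so that even a future authorization slip in a read endpoint does not turn into account takeover.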

Face.com was previously a Facebook partner and was recently acquired by the latter. Facebook already uses Face.com's technology for real-time tagging and identifying people in photos, one of the core elements of Facebook's ongoing success.

Face.com has now confirmed the fix, but users should still be alert. In fact, this is a good time to get rid of any applications that have become redundant or are of no use to you. Make sure to review all the applications that have been given permission to access your account details. Internet security has become an important concern, so it is really important to keep track of what you are doing online and to watch for anything dubious.

