Multi-Platform Draw Nothing: Popular app opens up your Facebook to data theft - Techist - Tech Forum

Posted 04-06-2012, 10:24 PM by Megatron (#1)
Draw Nothing: Popular app opens up your Facebook to data theft

50 million people downloaded OMGPOP's Draw Something over the past two months, and it's at the top of the App Store charts. But for those of us who connected our Facebook accounts to the app, there's an even bigger problem: it stores a Facebook access token in plain text.

Want that in plain English? A hacker gets this little file, and he's got access to your private data.

The issue was discovered by Web developer Gareth Wright while investigating how mobile application developers handle security. He found that due to Draw Something requesting offline access to your account, he was able to perform a few FQL (Facebook's version of SQL, a database query language) queries and pulled private information from his Facebook account.

The access tokens are good for 60 days, but still cause for concern. "Aside from that a simple .net tool could easily snaffle this info and grab a fair whack of confirmed email addresses and marketing info", Wright mused in a blog post.

Users of both stock and jailbroken iPhones are at risk for this security issue. Those who have jailbroken are more at risk due to the security measures of the device being compromised, and the fact that jailbroken apps do not have as much oversight for malicious code as apps downloaded through the App Store do. Code could be written to find this access token and send it to a hacker, who then would be able to do the same things Wright did.

Draw Something is not the worst offender by far: that honor actually goes to Facebook itself. Wright found stored in the data files of the social networking company's app not only the same access token, but an authorization key which is the key to log into your account. This file is also in plain text, and can be used on another device to login to your account and post as you.

Unlike the desktop version, Facebook does not throw roadblocks when your account is accessed from a location it deems suspicious. Thus, with an iOS device (or even an emulator), your account is an open book.

Facebook confirms it is aware of the issue, but only says "we are working to fix it". No further information is given as to when the hole might be closed. Wright has several proof-of-concept exploits already produced, and has been able to collect over 1,000 vulnerable access tokens and authorization keys.

"Unless app developers follow suit and start encrypting the 60 day access token Facebook supplies, it’s only a matter of time before someone starts using the info for ill purpose…if they aren’t already", he writes.

Source
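The article's point is that a credential sitting in a plain-text preference file is readable by anything that can reach the app's sandbox. As an added example (not from the article and not Gareth Wright's tooling), the Python script below is the kind of check an app team can run against its own sandbox or build artifacts: it walks a directory, parses every `.plist` file with the standard `plistlib`, and flags string values stored under credential-looking keys. The key-name regex, the minimum length and the sample plists are constructed assumptions, not a description of any real app's file layout or token format.

```python
"""
Audit helper: find property-list files that hold credential-like values
in plain text. Constructed example; key names and sample data are assumptions.
"""
import os
import plistlib
import re
import tempfile

# Key names that usually carry a credential (heuristic assumption).
CREDENTIAL_KEY_RE = re.compile(
    r"(access[_-]?token|auth(orization)?[_-]?(key|token)|session|secret|password)",
    re.IGNORECASE,
)
# Shorter strings (dates, flags, empty placeholders) are not treated as secrets.
MIN_SECRET_LEN = 20


def walk_values(node, path=()):
    """Yield (key_path, value) for every leaf in a parsed plist structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_values(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_values(value, path + (f"[{index}]",))
    else:
        yield path, node


def plaintext_credentials(plist_bytes):
    """Return dotted key paths whose value looks like a plaintext credential."""
    data = plistlib.loads(plist_bytes)
    hits = []
    for path, value in walk_values(data):
        if not path or not isinstance(value, str):
            continue
        # Match on the leaf key name, then require a value long enough to be a token.
        if CREDENTIAL_KEY_RE.search(path[-1]) and len(value) >= MIN_SECRET_LEN:
            hits.append(".".join(path))
    return hits


def scan_directory(root):
    """Scan every .plist under root; return {relative_path: [key_paths]} for files with hits."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".plist"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                try:
                    hits = plaintext_credentials(fh.read())
                except Exception:  # not a parseable plist; skip rather than abort the scan
                    continue
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def build_sample_sandbox():
    """Create a constructed app sandbox with one leaky and one clean plist; return its path."""
    root = tempfile.mkdtemp(prefix="sandbox_")
    prefs = os.path.join(root, "Library", "Preferences")
    os.makedirs(prefs)
    leaky = {
        # Constructed placeholder values, not real tokens.
        "FBAccessToken": "CONSTRUCTED_TOKEN_VALUE_0123456789abcdef",
        "FBAccessTokenExpiry": "2012-06-05",
        "nested": {"auth_key": "CONSTRUCTED_AUTH_KEY_abcdefghijklmnop"},
    }
    clean = {"soundEnabled": True, "lastLevel": 12, "access_token": ""}
    with open(os.path.join(prefs, "com.example.drawapp.plist"), "wb") as fh:
        plistlib.dump(leaky, fh)
    with open(os.path.join(prefs, "com.example.settings.plist"), "wb") as fh:
        plistlib.dump(clean, fh)
    return root


if __name__ == "__main__":
    sandbox = build_sample_sandbox()
    for rel_path, keys in scan_directory(sandbox).items():
        print(f"{rel_path}: plaintext credential under {', '.join(keys)}")
```

Run it and only the constructed `com.example.drawapp.plist` is reported, with both the top-level token and the nested authorization key named; the settings file is clean because its `access_token` entry is empty. The check is deliberately a name-and-length heuristic so it can sit in a build or release pipeline and fail the build when a credential lands in a preference file instead of in platform secure storage (on iOS, the Keychain), which is the fix the quote at the end of the article is asking developers for.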