Face.com App Allowed Facebook, Twitter Account Hijacking

Ashkan Soltani

Israel-based facial recognition maker Face.com was the internet’s flavor for a day Monday when it announced it was acquired by Facebook. Rumors put the price in the $50 to $100 million range.

But what was not widely known was that Face.com’s mobile app, KLIK, which allows real-time face-tagging of Facebook pictures, recently suffered a giant vulnerability. A prominent researcher found that the app allowed anyone to hijack any KLIK user’s Facebook and Twitter accounts.

Independent researcher Ashkan Soltani said the app granted access to KLIK users’ private authentication tokens for users’ Facebook and Twitter accounts.

Soltani disclosed the revelation on his blog Monday and said he had shared the vulnerability with the companies before announcing it. It was patched before he publicized it on his site, he said.

Here’s what he found:

TECHNICAL DETAILS: Face.com was storing Facebook/Twitter OAUTH tokens on their servers insecurely, allowing them to be queried for *any user* without restriction. Specifically, once a user signed up for KLIK, the app would store their Facebook tokens on Face.com’s server for ‘safe keeping’. Subsequent calls to https://mobile.face.com/mobileapp/getMe.json returns the Facebook “service_tokens” for any user, allowing the attacker to access photos and post as that user. If the KLIK user has linked their Twitter account to KLIK App (say, to ‘tweet’ their photos à la Instagram), their ‘service_secret’ and ‘service_token’ was also returned.

Luckily for Face.com, the vulnerability was publicized after it was fixed. But users should be aware. Anytime you grant access to your Facebook, Google or Twitter accounts to an outside app, there’s always a hazard that your accounts could be at risk. Today might be a good day to go review which apps you have given permissions to, and which you no longer use.

Soltani said in an email that he was doing some coding and noticed the vulnerability “out of the corner of my eye.”

“Happens all the time,” he added. “I think developers have gotten used to a ‘security thru obscurity’ model on mobile devices that doesn’t exist on the web anymore. The thinking is ‘no one will see this.’”

Photo: LunaWeb/Flickr