Bay Area: Join us 1/9 to talk about personal data security in 2019

Ashkan Soltani has worked with the FTC and as an independent researcher, exploring data privacy issues. Recently, he testified about Facebook's privacy policies before the US and UK governments. (credit: Ashkan Soltani)

The Cambridge Analytica scandal. Data breaches at hotels, banks, rideshare companies, and hospitals. Facial recognition. DNA databases. We're living through the data privacy apocalypse and now it's time to figure out what happens next. Here to discuss that with us at the next Ars Technica Live is Ashkan Soltani, an independent researcher and technologist who specializes in data privacy.

Recently, Soltani testified before the US and UK governments about Facebook's privacy practices and how they make user data available to third parties. Soltani also authored the California Consumer Privacy Act of 2018, which regulates large companies that make more than 50 percent of their revenues from selling California residents' personal information. The CCPA was signed into law earlier this year.

Soltani will be in conversation with Ars Technica editors Cyrus Farivar and Annalee Newitz.


Face.com App Allowed Facebook, Twitter Account Hijacking

Ashkan Soltani

Israel-based facial recognition maker Face.com was the internet’s flavor for a day Monday when it announced it was acquired by Facebook. Rumors put the price in the $50 to $100 million range.

But what was not widely known was that Face.com’s mobile app, KLIK, which allows real-time face-tagging of Facebook pictures, recently suffered a giant vulnerability. A prominent researcher found that the app allowed anyone to hijack any KLIK user’s Facebook and Twitter accounts.

Independent researcher Ashkan Soltani said the app granted access to KLIK users’ private authentication tokens for users’ Facebook and Twitter accounts.

Soltani disclosed the revelation on his blog Monday and said he had shared the vulnerability with the companies before announcing it. It was patched before he publicized it on his site, he said.

Here’s what he found:

TECHNICAL DETAILS: Face.com was storing Facebook/Twitter OAUTH tokens on their servers insecurely, allowing them to be queried for *any user* without restriction. Specifically, once a user signed up for KLIK, the app would store their Facebook tokens on Face.com’s server for ‘safe keeping’. Subsequent calls to https://mobile.face.com/mobileapp/getMe.json return the Facebook “service_tokens” for any user, allowing the attacker to access photos and post as that user. If the KLIK user has linked their Twitter account to the KLIK App (say, to ‘tweet’ their photos à la Instagram), their ‘service_secret’ and ‘service_token’ were also returned.
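The flaw Soltani describes is a missing authorization check on a token-lookup endpoint: the caller names a user and the server hands back that user's stored third-party credentials. The following is an added illustration, not Face.com's or Soltani's code, modelling that pattern beside a hardened version in plain Python (no web framework, so it runs offline). The user names, token values, and the function names `get_me_vulnerable`, `get_me_hardened`, `login`, `lookup_user` and `post_tweet_for` are all constructed for the example.

```python
"""Added example: a 'getMe'-style token endpoint with the authorization flaw
described above, beside a hardened version that (1) derives the user from the
caller's own server-side session and (2) never returns the stored Twitter
secret to the client at all, using it server-side instead."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class ServiceTokens:
    """Third-party OAuth material the server holds on a user's behalf."""
    facebook_token: str
    twitter_token: Optional[str] = None
    twitter_secret: Optional[str] = None


# Constructed sample data: two users who signed up and linked accounts.
TOKEN_STORE = {
    "alice": ServiceTokens("fb-token-alice", "tw-token-alice", "tw-secret-alice"),
    "bob": ServiceTokens("fb-token-bob"),  # bob never linked Twitter
}

# Server-side session table: opaque, unguessable session id -> user id.
SESSIONS: dict = {}


class AuthorizationError(Exception):
    """Raised when a request carries no valid session."""


def login(user_id: str) -> str:
    """Issue a fresh session id for an already-authenticated user."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user_id
    return sid


def lookup_user(session_id: str) -> Optional[str]:
    """Resolve a session id to its owner; None if the session is unknown."""
    return SESSIONS.get(session_id)


def get_me_vulnerable(user_id: str) -> ServiceTokens:
    """The flawed pattern: the caller picks the user, nothing ties the request
    to an authenticated identity, and every stored secret is returned."""
    return TOKEN_STORE[user_id]


def get_me_hardened(session_id: str) -> dict:
    """Fixed version: identity comes only from the caller's session, and the
    response exposes no more than the client actually needs."""
    user_id = lookup_user(session_id)
    if user_id is None or user_id not in TOKEN_STORE:
        raise AuthorizationError("no valid session")
    tokens = TOKEN_STORE[user_id]
    return {
        "user": user_id,
        # The client needs its own Facebook token to tag photos; the Twitter
        # token/secret stay on the server (see post_tweet_for).
        "facebook_token": tokens.facebook_token,
        "twitter_linked": tokens.twitter_token is not None,
    }


def post_tweet_for(session_id: str, text: str) -> dict:
    """Server-side use of the Twitter credentials: the secret is consumed here
    and never crosses the wire to the mobile client."""
    user_id = lookup_user(session_id)
    if user_id is None or user_id not in TOKEN_STORE:
        raise AuthorizationError("no valid session")
    tokens = TOKEN_STORE[user_id]
    if tokens.twitter_token is None or tokens.twitter_secret is None:
        return {"posted": False, "reason": "twitter not linked"}
    # A real implementation would sign an OAuth 1.0a request here with
    # tokens.twitter_token / tokens.twitter_secret; we only report intent.
    return {"posted": True, "as_user": user_id, "text": text}


if __name__ == "__main__":
    sid = login("alice")
    print(get_me_hardened(sid))
    print(post_tweet_for(sid, "hello from KLIK-like app"))
    # The vulnerable endpoint leaks anyone's tokens to any caller:
    print(get_me_vulnerable("bob"))
```

The two defensive changes are independent: binding the lookup to the session closes the "any user" hole, and keeping the Twitter secret server-side limits what a future leak of the same endpoint could expose, which is the least-privilege caveat the article's advice about reviewing app permissions points at.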

Luckily for Face.com, the vulnerability was publicized after it was fixed. But users should be aware. Anytime you grant access to your Facebook, Google or Twitter accounts to an outside app, there’s always a hazard that your accounts could be at risk. Today might be a good day to go review which apps you have given permissions to, and which you no longer use.

Soltani said in an email that he was doing some coding and noticed the vulnerability “out of the corner of my eye.”

“Happens all the time,” he added. “I think developers have gotten used to a ‘security thru obscurity’ model on mobile devices that doesn’t exist on the web anymore. The thinking is ‘no one will see this.’”

Photo: LunaWeb/Flickr