Facebook SDK hole leaves accounts vulnerable
Developer David Poll discovered that a vulnerability in the Facebook SDK for Android grants specially crafted Android apps unauthorised access to the smartphone owner's Facebook account. Apps such as foursquare use the SDK as a convenient way of reading users' Facebook profiles or posting photos to their walls; usually, this requires additional permissions to be requested from the user.
Once those permissions are granted, the app receives an access token from the Facebook server that, until revoked, enables it to perform the requested actions. Poll found that, with the required permissions in place, the Facebook SDK writes a URL that contains the token to a log file on the smartphone – and this log file is accessible to any app that has been given the "Read Sensitive Log Data" permission during installation.
As many Android users automatically confirm permission requests when installing apps, it shouldn't be difficult for attackers to obtain the required access. Using the stolen access token, a specially crafted app could then obtain any permissions that were granted to the token's legitimate app.
The developer discovered the vulnerability in mid-February and notified Facebook. The company responded promptly and removed the line of code that was responsible for the log file output from the SDK. However, this doesn't mean that the problem has been solved, as app developers will have incorporated the vulnerable version of the Facebook SDK into their apps. To prevent apps from disclosing their access tokens, all developers must, therefore, individually update their apps with the corrected version of the SDK and re-deploy it as an update through Google Play (formerly known as the Android Market).
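As an added illustration, not code from the Facebook SDK or from Poll's report, the following Java helper shows the developer-side mitigation: masking credential-bearing parameters before a redirect URL is written to the log. The class name, the log tag and the redirect URL (including the token value) are assumptions constructed for the example.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Redacts OAuth credentials from a URL before it reaches the Android log. */
public final class RedactingLogger {

    // Parameter names that carry credentials in an OAuth redirect URL.
    // The token may sit in the fragment (#access_token=...) or the query (?code=...).
    private static final Pattern SECRET_PARAM = Pattern.compile(
            "(^|[?#&])(access_token|code|refresh_token)=([^&#]*)");

    /** Returns the URL with every credential-bearing parameter value masked. */
    public static String redact(String url) {
        if (url == null) {
            return null;
        }
        Matcher m = SECRET_PARAM.matcher(url);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            // Keep the delimiter and the parameter name; replace only the value.
            m.appendReplacement(out,
                    Matcher.quoteReplacement(m.group(1) + m.group(2) + "=[REDACTED]"));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Replacement for android.util.Log.d(tag, msg) where msg may contain a URL. */
    public static String safeDebug(String tag, String message) {
        String scrubbed = redact(message);
        // On Android this line would be: android.util.Log.d(tag, scrubbed);
        System.out.println("D/" + tag + ": " + scrubbed);
        return scrubbed;
    }

    public static void main(String[] args) {
        // Constructed redirect URL in the shape an implicit-grant OAuth flow returns
        // (a fragment carrying access_token and expires_in); the token value is made up.
        String redirect = "fbconnect://success#access_token=AAAEXAMPLEtoken123&expires_in=5183999";
        safeDebug("Facebook-WebView", "Redirect URL: " + redirect);

        // A code in the query string is masked too; non-secret parameters are left alone.
        safeDebug("Facebook-WebView", "https://example.invalid/cb?state=xyz&code=SECRETCODE&foo=bar");
    }
}
```

Only the parameter values are masked, so the log still shows which redirect was followed and what else it carried, which is usually all a developer needs for debugging.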
Poll says that Facebook asked him to wait before disclosing this issue until at least the major application developers who integrate Facebook had responded – according to Facebook, this has now happened. Even though no apps that exploit the hole have been discovered to date, users should install any pending updates that may be available for their devices – the details of the vulnerability are now freely available and it is likely that attackers will attempt to exploit it soon.