Security hole in Face.com application discovered
Security consultant Ashkan Soltani has discovered a security hole in the KLIK iOS application from the face.com facial recognition service. Soltani publicised the hole, which would have allowed a user's Facebook and Twitter accounts to be hijacked, after it had been fixed.
KLIK is used for tagging, or labelling, faces in images. Soltani says he found a very basic hole in the application that allowed anyone to retrieve KLIK user information – including the authentication tokens for users' Facebook and Twitter accounts. Apparently, the tokens were stored on face.com's servers without much protection, granting attackers easy access to private account data such as photos and friend lists. The security expert says that it was also possible to hijack accounts and, for example, post status messages or tweets. Soltani added that, as KLIK requires a Facebook account, practically all users of the application would have been potential targets.
Face.com has declined to comment so far. The Israeli start-up was recently purchased by Facebook for an undisclosed sum and has gained increased media attention because of the acquisition. The company says that it processes several billion photos a month.