Vulnerabilities / Threats

01:36 PM

Android Facebook App Users: Patch Now

Facebook has fixed a bug in its Android app that left photos vulnerable to interception.

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Facebook apps for Android users: Ensure you've recently updated your Facebook app.

That warning comes via Egyptian security researcher Mohamed Ramadan, who disclosed Thursday that he'd found an HTTPS bug in Facebook's Android app -- as well as Facebook Messenger -- that have now been patched by the social network's security team. The bug could be exploited by an attacker using Wireshark or another sniffing tool to intercept images being transmitted to Facebook.

According to Ramadan's security report to Facebook, filed in February 2013, "I found that the official Facebook Messenger and Facebook app for Android latest version are sending and receiving images using HTTP protocol and anyone on the same wireless network can sniff my traffic and view all images or even replace it with his own images."

As a result, when using a vulnerable version of one of the apps, "if you are using a wireless network at cafe, hotel, airport, museum, disco, your friend's wireless network or even your own wireless network ... an attacker can run cain and abel, Ettercap, SSLstrip or his own tool to poison the traffic and hijack ARP table and sniff your images and your private images and leak it online or send it to his friends," he said.

[ You may have more pressing concerns. See Apple Hacker: Mobile Malware Threat Overrated. ]

Facebook's use of HTTP for sending people's images appeared to be an inadvertent programming error. For comparison's sake, Ramadan noted, Facebook apps for iOS were sending images using HTTPS, which would have prevented anyone from intercepting them using sniffing tools.

Accordingly, he recommended that all affected Android users update immediately, to protect their privacy. "Don't be lazy," said Ramadan, who runs Attack-Secure, which offers "smarter ethical hacking and penetration testing," including a "ninja skills course."

Ramadan's bug disclosure earned him $1,500 as part of Facebook's bug bounty program. Facebook later sweetened the payout by $500 for Ramadan alerting it to HTTPS problems in Facebook Messenger for Android. "Both were rooted in the same code issues so we essentially treated the Messenger issues as part of the same report rewarded with the bounty," Facebook's security team told him.

That didn't mark Ramadan's first appearance on Facebook's White Hat Security wall of thanks. Last year, for example, he earned $3,000 for informing Facebook of a critical vulnerability in its Facebook Camera app for iPhone. He's also spotted vulnerabilities in BlackBerry apps, as well as on the websites of Adobe, GitHub, Google, Microsoft and others.

Attention on how websites transmit people's personal information or potentially sensitive material -- such as photographs -- has been high since security researcher Eric Butler published his Firesheep tool in 2010. The Firefox plug-in allowed anyone to intercept the login information and other sensitive communications to sites such as Amazon, Facebook, Google and Twitter, for anyone connected to the same unsecured wireless network. While such data interception had long been possible using sniffing tools, Butler's plug-in drove most Web services to begin using HTTPS, at least for securing sensitive information such as login credentials.

Learn more about mobile security and other threats by attending the Interop conference track on Risk Management and Security in New York from Sept. 30 to Oct. 4.

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Who Does What in Cybersecurity at the C-Level
Steve Zurier, Freelance Writer,  3/16/2018
The Case for Integrating Physical Security & Cybersecurity
Paul Kurtz, CEO & Cofounder, TruSTAR Technology,  3/20/2018
A Look at Cybercrime's Banal Nature
Curtis Franklin Jr., Executive Editor, Technical Content,  3/20/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.