Vulnerabilities / Threats
12:20 PM

Rogue Facebook Apps Can Disable Security Settings

Security researchers also report that the social network's mobile app provides no SSL capabilities at all, leaving users vulnerable.

Top 15 Facebook Apps For Business
(click image for larger view)
Slideshow: Top 15 Facebook Apps For Business

Facebook may be adding HTTPS to its pages, enabling people to use SSL to encrypt their social networking sessions. But rogue applications apparently have the ability to turn it off.

That warning comes from Sean Sullivan, a security researcher at F-Secure. While browsing Facebook, he encountered spam that purported to show who had visited his profile -- functionality that's not actually available. Clicking on the spam led to a request to switch to a regular HTTP connection. Thereafter, HTTPS was disabled, even though he'd set Facebook security to use SSL "whenever possible."

"I tested [this] several times, and each time I found an application that asked me to 'continue' to a 'regular connection,' my default Account Security settings reverted to HTTP," said Sullivan in a blog post.

Facebook is apparently working to address this issue. "I have confirmation that Facebook is aware of the problem and making changes so that the system will remember your SSL preferences," according to a blog post from Randy Abrams, director of technical education for antivirus firm ESET North America.

But while Facebook is busy refining SSL for Web pages, apparently they have yet to extend encryption to mobile device users. Indeed, according to a blog post from Dan Wallach, an associate professor in the department of computer science at Rice University in Houston, a classroom experiment involving his Android smartphone and sniffing software found that numerous applications -- including ones that interface with Facebook and Google services -- use unencrypted traffic.

For starters, Facebook appears to be using no encryption for mobile device access, or any authentication stronger than username and password. "My Facebook account's Web settings specify full-time encrypted traffic, but this apparently isn't honored or supported by Facebook's Android app," he said. Furthermore, unlike Twitter, "Facebook isn't doing anything like OAuth signatures, so it may be possible to inject bogus posts as well."

On the Google front, while Gmail and Google Voice traffic from Wallach's smartphone was encrypted, Google Calendar was not. "An eavesdropper can definitely see your calendar transactions and can likely impersonate you to Google Calendar," he said.

On the other hand, he said that the free version of Angry Birds only transmitted the make of his phone to AdMob. But two other popular applications, the SoundHound music-finding app and the ShopSaavy barcode scanning tool, transmitted his actual GPS coordinates, which is something that neither needed to know, he said.

Unfortunately, said Wallach, Android currently lacks fine-grained controls for blocking GPS access -- using a VPN client wouldn't help. Instead, a fix might need to come in the form of an operating system enhancement. "Ideally, I'd like the Market installer to give me the opportunity to revoke GPS privileges for apps like these," he said.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: You should see what I wear on my work from home days!
Current Issue
The Changing Face of Identity Management
Mobility and cloud services are altering the concept of user identity. Here are some ways to keep up.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.