Dark Reading is part of the Informa Tech Division of Informa PLC


Rogue Facebook Apps Can Disable Security Settings

Security researchers also report that the social network's mobile app provides no SSL capabilities at all, leaving users vulnerable.

Facebook may be adding HTTPS to its pages, enabling people to use SSL to encrypt their social networking sessions. But rogue applications apparently have the ability to turn it off.

That warning comes from Sean Sullivan, a security researcher at F-Secure. While browsing Facebook, he encountered spam that purported to show who had visited his profile -- functionality that's not actually available. Clicking on the spam led to a request to switch to a regular HTTP connection. Thereafter, HTTPS was disabled, even though he'd set Facebook security to use SSL "whenever possible."

"I tested [this] several times, and each time I found an application that asked me to 'continue' to a 'regular connection,' my default Account Security settings reverted to HTTP," said Sullivan in a blog post.

Facebook is apparently working to address this issue. "I have confirmation that Facebook is aware of the problem and making changes so that the system will remember your SSL preferences," according to a blog post from Randy Abrams, director of technical education for antivirus firm ESET North America.

But while Facebook is busy refining SSL for Web pages, it has apparently yet to extend encryption to mobile device users. Indeed, according to a blog post from Dan Wallach, an associate professor in the department of computer science at Rice University in Houston, a classroom experiment involving his Android smartphone and sniffing software found that numerous applications -- including ones that interface with Facebook and Google services -- use unencrypted traffic.

For starters, Facebook appears to be using no encryption for mobile device access, or any authentication stronger than username and password. "My Facebook account's Web settings specify full-time encrypted traffic, but this apparently isn't honored or supported by Facebook's Android app," he said. Furthermore, unlike Twitter, "Facebook isn't doing anything like OAuth signatures, so it may be possible to inject bogus posts as well."
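Wallach's point about signatures is about request integrity: a server that checks a keyed signature over each request can reject a post that was altered or re-sent by someone on the network path. The sketch below is an added example, not code from the article, Facebook or Twitter; it is a simplified signer in the style of OAuth 1.0a HMAC-SHA1 (RFC 5849), and the `Server` class, URL, secrets and parameter values are all constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def _enc(value):
    # Percent-encode everything except RFC 3986 unreserved characters.
    return quote(value, safe="-._~")

def sign(method, url, params, consumer_secret, token_secret):
    # Signature base string: METHOD & encoded URL & encoded sorted parameters.
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}"
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

class Server:
    """Hypothetical receiving side: checks the signature, then the nonce."""
    def __init__(self, consumer_secret, token_secret):
        self.secrets = (consumer_secret, token_secret)
        self.seen = set()

    def accept(self, method, url, params, signature):
        expected = sign(method, url, params, *self.secrets)
        if not hmac.compare_digest(expected, signature):
            return "bad-signature"  # body or URL changed in transit
        nonce = (params["oauth_timestamp"], params["oauth_nonce"])
        if nonce in self.seen:
            return "replay"  # a captured request sent a second time
        self.seen.add(nonce)
        return "ok"

def demo():
    # Constructed sample values; none come from a real service.
    url = "http://api.example.test/statuses/update"
    secrets = ("constructed-consumer-secret", "constructed-token-secret")
    params = {"status": "Lunch at noon?", "oauth_token": "constructed-token",
              "oauth_nonce": "n-0001", "oauth_timestamp": "1300000000"}
    server = Server(*secrets)
    sig = sign("POST", url, params, *secrets)
    genuine = server.accept("POST", url, params, sig)
    altered = dict(params, status="Changed on the wire")
    tampered = server.accept("POST", url, altered, sig)
    replayed = server.accept("POST", url, params, sig)
    return genuine, tampered, replayed

if __name__ == "__main__":
    print(demo())
```

Signing protects integrity only: over a plain HTTP connection the post text is still readable by an eavesdropper, which is why it complements transport encryption rather than replacing it.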

On the Google front, while Gmail and Google Voice traffic from Wallach's smartphone was encrypted, Google Calendar was not. "An eavesdropper can definitely see your calendar transactions and can likely impersonate you to Google Calendar," he said.

On the other hand, he said that the free version of Angry Birds only transmitted the make of his phone to AdMob. But two other popular applications, the SoundHound music-finding app and the ShopSavvy barcode scanning tool, transmitted his actual GPS coordinates, which is something that neither needed to know, he said.

Unfortunately, said Wallach, Android currently lacks fine-grained controls for blocking GPS access -- using a VPN client wouldn't help. Instead, a fix might need to come in the form of an operating system enhancement. "Ideally, I'd like the Market installer to give me the opportunity to revoke GPS privileges for apps like these," he said.
