egzthunder1 · Apr 13, 2012 at 10:00 am

Major FaceBook SDK Vulnerability… Run for the Hills!

There are times when we decide to take on news that relates more to security than anything else. After all, one of the fun things about being developers and hackers is security research. The dance usually goes somewhat like this: poke around, find a hole, try to exploit it by formulating a theory, generate a PoC (proof of concept) app to test your theory, have some laughs and invite some friends over for beer, and report it to the code developer to have it fixed. This is the way it works out most of the time, anyway. The code ends up fixed in a somewhat short time frame (depending on severity, of course) and life and the world keep going about business as usual. However, what happens when the code being fixed is code that is used as the building block and foundation of several thousand apps, with no way to push the “fix” into the apps already built on it? XDA Forum Member vvieux pointed us to a rather disturbing discovery made by the good people at Parse, more specifically David Poll.

Without going too much into the specifics, it looks like David was playing around with the Facebook SDK to get it added as part of Parse’s Android SDK. While playing around with the code and some of its output, he realized that a line was showing up in his logs containing the wording “access_token”, followed by the token itself. He found it somewhat strange, as this popped up every time the app he was working on would try to log into Facebook. This was recorded as part of the logcat on the device itself. Now, if there is one thing that we learned about the logcat from previous exploits, it is that the logcat is fully accessible from the device, and it is not necessarily restricted to a USB connection and a computer. At this point, David decided to see if the log could be accessed through the device itself and, more importantly, if this information would show up. By installing Catlog from the Play Store, he sadly found this to be the case: his access token was slapped right in the middle of the log, in plain English, clear as daylight. In fact, any app with the permission to “Read Sensitive Log Data” has access to this information. So, he created a PoC to see if he could snag the token and use it to grab information out of a Facebook profile. Needless to say, thanks to the Graph API Explorer, his theory was proven 100% effective and repeatable. So, he did what anyone with good morals would have done: kept the information safe and secure and contacted Facebook right away.

In a matter of a day, the company had fixed the hole, but according to David, the issue went far deeper than that. The Facebook SDK is integrated into thousands of apps, which allows for some of your favorite features in games such as Draw Something, where you can share your stuff via Facebook. This is a major issue because even if Facebook updates the SDK, the applications using it will need to be manually updated by their developers, as the SDK cannot update itself once it is integrated into an app. According to David’s blog, most major software makers have already patched this by using the updated SDK, but there are literally thousands of apps and developers out there that are likely not up to date, which means that if you have those apps installed, you are exposing your own Facebook information and likely handing it on a silver platter to anyone capable of making something to remotely read the logcat.
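As an added illustration (not code from the article, from Parse, or from the Facebook SDK), here is a small Python scanner a developer can run over `adb logcat` output captured during a login flow to confirm that the SDK build they ship no longer writes the access token to the log; the log lines and the `Facebook-authorize` tag are constructed, and the scanner redacts the value so its report can be shared safely.

```python
import re
from typing import Dict, List

# Constructed sample of logcat output (not real device data). Line 2 mimics
# the kind of entry described in the article: an SDK log message carrying
# access_token=<value> alongside the token's expiry.
SAMPLE_LOGCAT = """\
I/ActivityManager(  312): Start proc com.example.game for activity com.example.game/.MainActivity
D/Facebook-authorize(1234): Login Success! access_token=AAACEdEose0cBAExample1234567890TOKENvalue expires=1334428800
D/Facebook-authorize(1234): Login Success! expires=1334428800
I/com.example.game(1234): share dialog opened
"""

# access_token=<value> or access_token: <value>; the value ends at whitespace,
# '&' (query strings) or a quote, so both URL fragments and key/value logs match.
TOKEN_RE = re.compile(r"(access_token\s*[=:]\s*)([^\s&\"']+)", re.IGNORECASE)

# Standard logcat "brief" format: <priority>/<tag>(<pid>): <message>
TAG_RE = re.compile(r"^[VDIWEF]/([^(]+)\(")


def redact(text: str) -> str:
    """Replace every token value with a placeholder, keeping the key visible."""
    return TOKEN_RE.sub(lambda m: m.group(1) + "<REDACTED>", text)


def scan_logcat(text: str) -> List[Dict[str, object]]:
    """Return one finding per log line that carries an access token.

    Each finding records the 1-based line number, the Android log tag that
    emitted the line (so the leaking component can be identified), and a
    redacted copy of the line. Lines without a token produce no finding.
    """
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not TOKEN_RE.search(line):
            continue
        tag_match = TAG_RE.match(line)
        tag = tag_match.group(1).strip() if tag_match else "?"
        findings.append({"line": lineno, "tag": tag, "redacted": redact(line)})
    return findings


if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOGCAT):
        print(f"line {f['line']} tag={f['tag']}: {f['redacted']}")
```

Feed it real output with `adb logcat -d | python3 scan_logcat.py` (after replacing the sample with `sys.stdin.read()`); an empty report during a full login round-trip is the result you want.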

Having said that, there is hope at the end of the tunnel. There is an app in the Play Store called Facebook SDK Checker, released by vvieux, which will help you determine whether your FB-integrated apps are at risk or not. It is probably worth taking this for a spin and removing any app that has this vulnerability until a fix has been implemented for it. One thing that you could do if you want to be part of the solution is contact the developer of any app that you find with this vulnerability and let him/her know that this is a serious issue that needs to be fixed. Spreading the word on something like this is the best way to prevent anyone from exploiting it any further.

A final note: always be wary of what you install on your device and make sure that you understand the potential implications that certain permissions can bring along.

Thanks for reading.

You can find more information in Parse’s blog as well as the original thread on xda, which contains a link for FB SDK Checker as well as a link to its source.


[Thanks vvieux for the tip!]
