A year after Facebook received a bug report regarding a loophole in its app architecture, the vulnerability remains exploitable, says the researcher who discovered this potential threat to user privacy.

See Also: Mobile Banking Success Criteria: Scalability, Outsourced & in-the-Cloud

Vivek Bansal, a Delhi-based app developer, discovered a loophole in Facebook's third-party app integration system that can be maliciously exploited by apps interacting with Facebook. Through this exploit, apps can post to a user's Facebook wall and, on behalf of the user, to their friend's walls - without the user's consent. Bansal says that this flaw remains exploitable as of this writing, and is a potential privacy concern for all Facebook users.

In response to Information Security Media Group's queries, Facebook says that this behavior was the result of a system that allowed apps to offer users the ability to interact with Facebook without having to ask for personal information like passwords. Facebook says it has countered this loophole with automated systems that monitor for abuse.

But Bansal says this is not good enough. "The flaw is still exploitable, and Facebook was not able to detect numerous posts I made to a test account, even after their 'patch.'"

Security and privacy experts say the onus is now on the users to only enable apps from trusted, reputed sources. Unfortunately, many times the user may not be the best judge.

How Exploit Was Found

Bansal discovered this issue in July 2013, while working with Facebook's APIs and Software Development Kit for an application build. He reported the vulnerability to Facebook in November 2013. "Facebook replied to me within five days, acknowledging my efforts," says Bansal, who received a bug bounty of $2000 for his disclosure and was added to Facebook's White Hat Hall of Fame.

Facebook requested Bansal withhold publishing the information until it could patch the bug. On January 15, 2014, Facebook told Bansal the bug had been patched and he could publish his findings. Bansal then posted a proof of concept video of the successful exploit. About 11 months later, Bansal discovered that the vulnerability was still present and exploitable using the same technique as before.

How It Works

Facebook provides access tokens to third-party apps for integration with the Facebook backend. Bansal demonstrates in his video and blog how these access tokens can be subverted even if Facebook identifies them as granting access only to basic information - a user's public profile, and access to the user's friend list. An app can be designed to post on any user's wall, even if it has received only basic, read-only permissions from the user.

In response to Bansal's disclosure last year, Facebook said that this behavior was the result of the SSO flow implementation that Facebook uses for seamless integration with their platform. To prevent the entire user session being disclosed to a native app by requiring the user to explicitly log-in inside the app, Facebook decided on a trade-off whereby these SSO tokens are allowed to establish a user's identity.

Facebook Response

Facebook says that this discovered loophole makes it possible for a malicious native app to make posts of behalf of its users without their consent. Facebook is now counting on a number automated, behavior-based monitoring systems to safeguard against such abuse.

Auto posting is against Facebook's terms of use. Such apps, when identified, are disabled and app stores are contacted to remove the apps. Facebook tells ISMG that it created something called 'the native share dialog' last year to address this issue. While this system is widely used, there are still potential loopholes. Facebook adds that in the future, it hopes to transition to a system whereby the Facebook mobile app acts as an intermediary for such interactions.

"This more a reactive solution, than a proactive one," says Tamaghna Basu, a Bengaluru-based independent security researcher and trainer. "The question is how efficient is the fix, and is that solution satisfactory for end-users?"