Mohamed Ramadan, a security researcher from Attack Secure, identified two vulnerabilities in Facebook apps for Android.
One of the vulnerabilities affects the Facebook and Facebook Messenger applications, both for Android. The security gap allows hackers to steal access tokens and use them to gain access to the accounts.
According to Ramadan, the attacker simply needs to send the victim a message that contains an attachment or link of any type: a video, a document or even photos.
When the user downloads the attached file, the Facebook access_token is written to the Android logcat, the Android logging system that provides a mechanism for debugging.
This means that any Android application installed on the smartphone can obtain your access token and, indirectly, your Facebook account.
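A check an app team could run over captured `adb logcat -v threadtime` output to catch the kind of leak described above. This is an added example, not code from the researcher or from Facebook; the log lines, tags and hosts are constructed, and every parameter name other than `access_token` is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# logcat "threadtime" layout: date time PID TID level tag: message
LOGCAT_LINE = re.compile(
    r"^(?P<date>\d\d-\d\d)\s+(?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]*?)\s*:\s(?P<msg>.*)$"
)
URL = re.compile(r"https?://[^\s\"'<>]+")
# access_token is the parameter the article names; the others are assumptions.
SECRET_PARAMS = {"access_token", "token", "session_key"}

def redact(value):
    """Keep a short prefix for correlation without storing the secret itself."""
    return f"{value[:4]}...({len(value)} chars)"

def scan_logcat(lines):
    """Return one finding per credential-bearing URL parameter found in the log."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOGCAT_LINE.match(line)
        if not m:
            continue  # buffer markers and continuation lines carry no tag/PID
        for url in URL.findall(m["msg"]):
            parts = urlsplit(url)
            # Tokens can travel in the query string or in the fragment.
            for name, value in parse_qsl(parts.query) + parse_qsl(parts.fragment):
                if name.lower() in SECRET_PARAMS:
                    findings.append({
                        "line": lineno, "pid": int(m["pid"]), "tag": m["tag"],
                        "host": parts.hostname, "param": name,
                        "value": redact(value),
                    })
    return findings

# Constructed sample log, not captured from any real application.
SAMPLE = [
    "--------- beginning of main",
    "01-15 10:22:30.901  2041  2041 I ChatUi: opened thread 12",
    "01-15 10:22:31.123  2041  2077 D AttachmentFetch: GET "
    "https://files.example.test/attach/report.pdf?id=77&access_token=CONSTRUCTED0123456789",
    "01-15 10:22:31.640  2041  2077 D AttachmentFetch: saved report.pdf",
    "01-15 10:22:32.002  3310  3310 W AuthView: redirect "
    "https://auth.example.test/cb#access_token=CONSTRUCTEDabcdef&expires_in=3600",
]

if __name__ == "__main__":
    for f in scan_logcat(SAMPLE):
        print(f)
```

Each finding names the log tag and PID that wrote the token, which points at the code path whose logging call needs to be removed or redacted.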
"Whenever you use the Facebook app or the Facebook Messenger app to download archives from the messages, your access_token will be leaked and any application, even non-malicious ones, can take these tokens and hack your Facebook account," the researcher said.
For this vulnerability, the researcher received a reward of 2500 dollars from Facebook.
The second vulnerability he discovered affects Facebook Manager as well as Pages for Android. The vulnerability is similar to the first.
To demonstrate the vulnerability in the applications, Ramadan made a demo and recorded it on video.