The older version of the app, pre-1.1.2 and released before December 21, has a security loophole. When the app is used over WiFi networks, malicious hackers can tap the network and hijack Camera users’ accounts, picking up information like email addresses and passwords in the process.
The white-hat hacker who ID’d the problem is Mohamed Ramadan, an Egypt-based security researcher and trainer with Attack-Secure who has also found and reported vulnerabilities for Apple, Google, and Etsy, which apparently also had the same loophole in its iOS app. Ramadan tells us that the issue lay in the Camera app’s Secure Sockets Layer (SSL) certification, which was too open.
He reported the issue to Facebook, and this is what they replied:
“We applaud the security researcher who brought this bug to our attention for responsibly reporting the bug to our White Hat Program. We worked with the team to make sure we understood the full scope of the bug, which allowed us to fix it and upgrade the Camera application without any evidence that this bug was exploited in the wild. Users are only vulnerable if they are using an unsecured or untrusted public wireless network and an older version of the application. As always, we remind all users to only connect to networks they trust. Users can protect themselves by downloading the latest version of the Camera app. Due to the responsible reporting of this issue to Facebook, no one within the security community has evidence of account compromise using this bug. We have provided a bounty to the researcher to thank them for their contribution to Facebook Security.”
More on: Security Loophole In Facebook’s Camera App Allowed Hackers To Hijack Accounts Over WiFi [Confirmed] | TechCrunch