Face.com's KLIK mobile camera app, which allows users to tag their friends in Facebook photos, was recently updated to patch a vulnerability that was uncovered by independent security researcher Ashkan Soltani.
In a blog post, Soltani explains that the flaw allowed anyone to hijack a KLIK user's Facebook and Twitter accounts to get access to their photos. "In addition to accessing a potentially private data (i.e., if they had their photos, friends lists, or tweets set to 'private'), the vuln allowed the attacker to hijack the account and post status updates / Tweets as that user," Soltani writes. "Since KLIK relies on Facebook connect, that means anyone that has used the app was vulnerable."
"The vulnerability was related to the fact that Face.com was storing Facebook and Twitter's OAUTH authorization tokens in a way that anyone could query the details for any KLIK user without restriction, Soltani said," writes PCMag.com's Fahmida Y. Rashid. "OAUTH is an open standard for authorization which allows users to share their information stored on one site with another site."
"Luckily for Face.com, the vulnerability was publicized after it was fixed," writes Wired's David Kravets. "But users should be aware. Anytime you grant access to your Facebook, Google or Twitter accounts to an outside app, there’s always a hazard that your accounts could be at risk. Today might be a good day to go review which apps you have given permissions to, and which you no longer use."