Establishing Digital Trust: Don't Sacrifice Security for Convenience
Facebook recently released version 1.1.2 of its Facebook Camera app for iOS, patching a vulnerability that enabled attackers to hijack user accounts if the app was being used over Wi-Fi.
"Versions pre-1.1.2 and releases before December 21 feature the vulnerability that was discovered by Mohamed Ramadan, an Egyptian security researcher with Attack-Secure," writes TweakTown's Trace Hagan. "The problem apparently resided in the SSL certification: 'The problem is the app accepts any SSL certification from any source, even evil SSL certifications, and this enables any attacker to perform a Man in The Middle Attack against anyone who uses the Facebook Camera App for iPhone. This means that the application doesn't warn the user if someone in the same [WiFi network] is trying to hijack his Facebook account.'"
"In order to demonstrate his findings, the expert configured a Burp Suite proxy to listen on port 8080," writes Softpedia's Eduard Kovacs. "The proxy was easily able to capture the email address and the password he entered when logging in to the Facebook Camera app. For his findings, Facebook rewarded the researcher with $3,000. Ramadan advises Facebook Camera users to update their apps to the latest version in order to protect themselves against cybercriminal attacks that might leverage the vulnerability present in older variants."
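The defect described above is a TLS client that performs no certificate validation at all. The following added example (Python standard library, not code from the Facebook Camera app) shows that weak client configuration beside a hardened one, an audit function that flags the weak settings, and a certificate-hash pinning check; the host, port and pin value are placeholders.

```python
import hashlib
import socket
import ssl
from typing import List

def insecure_context() -> ssl.SSLContext:
    """The pattern the article describes: any certificate from any issuer is accepted,
    so an on-path attacker on the same Wi-Fi can present their own cert unnoticed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # accept anything: the bug
    return ctx

def hardened_context() -> ssl.SSLContext:
    """Chain validated against the system trust store, hostname matched, TLS >= 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the context passes this check."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings

def pin_matches(der_cert: bytes, expected_sha256_hex: str) -> bool:
    """Certificate pinning by SHA-256 of the full DER certificate (assumed scheme;
    SPKI pinning survives re-issues but needs an ASN.1 parser, omitted here)."""
    return hashlib.sha256(der_cert).hexdigest() == expected_sha256_hex.lower()

def connect_pinned(host: str, port: int, expected_pin: str) -> str:
    """Connect with the hardened context and additionally enforce the pin.
    Returns the negotiated TLS version on success, raises on any failure."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, expected_pin):
                raise ssl.SSLCertVerificationError("certificate does not match the pinned hash")
            return tls.version()

if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
    # connect_pinned("example.invalid", 443, "<sha256-of-expected-cert-der>")  # placeholder
```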