Smartphone use grows day by day, and millions of people now use Facebook through its Android app.
But those Android Facebook apps could hand an attacker your account: Egyptian security researcher Mohamed Ramadan found two vulnerabilities in Facebook's Android apps that let an attacker steal your Facebook access token, and the token is all that is needed to act on your account.
What makes a stolen token so dangerous is that, according to Ramadan, the app's access token never expires. He checked a stolen token in the Facebook Graph API Explorer and found its expiry listed as "never", so the attacker keeps access until the token is revoked.
Now have a look at the vulnerabilities Ramadan found:
1. The first is in Facebook Messenger and the main Facebook app. As he describes on his blog, the attacker sends the victim an attachment through a Facebook message: a movie, a document, a PDF, a picture, or any other file type Facebook messages accept. When the victim taps to download that attachment, the Android app writes the Facebook access_token to the Android logcat, where another app on the device can read and capture it silently (on Android versions before 4.1, any app holding the READ_LOGS permission could read the whole system log). That's it: you have been hacked.
2. The second is in Facebook Pages Manager and is exploited through the same process as the first one above.
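To see what the leak described above looks like from the device side, here is an added example (not Ramadan's code and not Facebook's) of a small logcat scanner: it parses logcat "brief" format lines, flags any message that carries an OAuth token in a URL query string or a JSON body, and also shows the redaction step the app should have applied before calling the logger. The log lines, tag names, PIDs and token values are constructed for the demo, and the list of secret parameter names is an assumption you would extend for your own app.

```python
"""Scan Android logcat output for leaked OAuth access tokens, and redact them."""
import re
from dataclasses import dataclass

# logcat "brief" format: <level>/<tag>(<pid>): <message>
LOGCAT_LINE = re.compile(
    r"^(?P<level>[VDIWEF])/(?P<tag>[^(]+)\(\s*(?P<pid>\d+)\):\s*(?P<msg>.*)$"
)

# Parameter names treated as secrets (assumption: extend for your own app).
SECRET_KEYS = ("access_token", "oauth_token", "refresh_token")

# Matches key=value in query strings, "key":"value" in JSON and key: value in
# headers. The separator is captured so redaction keeps the surrounding shape.
SECRET_RE = re.compile(
    r"\b(?P<key>" + "|".join(SECRET_KEYS) + r")"
    r"(?P<sep>[\"']?\s*[=:]\s*[\"']?)"
    r"(?P<val>[A-Za-z0-9._~+/-]{8,})",
    re.IGNORECASE,
)

# Constructed logcat lines modelled on the attachment-download leak; not a real capture.
SAMPLE_LOGCAT = """\
D/FbMessenger( 2101): user tapped attachment report.pdf
I/Downloader( 2101): GET https://cdn.example.invalid/report.pdf?access_token=EAAB1234567890abcdef&hash=9f2c
D/Downloader( 2101): 200 OK 84211 bytes
I/GraphApi( 2101): response {"access_token":"EAACzzzz9999yyyy8888","expires":0}
W/Other( 3333): token refresh skipped
garbage line that is not logcat
"""


@dataclass(frozen=True)
class Leak:
    lineno: int
    tag: str
    pid: int
    key: str
    preview: str  # first 4 chars + "..." so the scanner never reprints the full secret


def parse_logcat(text):
    """Yield (lineno, level, tag, pid, msg) for each well-formed logcat line; skip the rest."""
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOGCAT_LINE.match(line)
        if m:
            yield lineno, m["level"], m["tag"].strip(), int(m["pid"]), m["msg"]


def find_leaks(text):
    """Return a Leak for every secret-looking parameter found in any log message."""
    leaks = []
    for lineno, _level, tag, pid, msg in parse_logcat(text):
        for m in SECRET_RE.finditer(msg):
            leaks.append(Leak(lineno, tag, pid, m["key"].lower(), m["val"][:4] + "..."))
    return leaks


def redact(msg):
    """What the app should do before Log.d(): replace secret values, keep the message shape."""
    return SECRET_RE.sub(lambda m: m["key"] + m["sep"] + "<redacted>", msg)


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOGCAT):
        print(f"line {leak.lineno} tag={leak.tag} pid={leak.pid} {leak.key}={leak.preview}")
    print(redact('GET /report.pdf?access_token=EAAB1234567890abcdef&hash=9f2c'))
```

Run against a real capture with `adb logcat -d -v brief | python scan.py` style piping (reading stdin instead of the constructed sample) during a test session of your own app; any hit is a bug to fix with the redaction step, since a log line is readable by every process that can read the log, not just the app that wrote it.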
How to be safe?
Update the Facebook apps on your Android device. Facebook has patched the vulnerability, but the flaw stays in your copy of the app until you install the update.
Facebook has fixed both vulnerabilities and rewarded Ramadan $6,000 under its Bug Bounty program.
Also check out the POC video: