A recent report by Nightwatch Cybersecurity indicates that a third-party Android app with Facebook API access was copying user data into storage outside of Facebook. Moreover, the data was stored insecurely in two locations.
Android App with Facebook API Copied User Data
The issue was reported to Facebook through its Data Abuse Bounty program, and the storage locations were secured in November last year. As for the app itself, it was removed from Facebook, but the Android version is still available on Google Play. The worst part is that the number of users affected by this breach is unknown.
The researchers came across the dubious Android application in the Google Play store in September last year, a few months after Facebook initiated its Data Abuse Bounty. The app claimed to provide additional functionality to Facebook users that was not available through the platform. Purportedly, the app was downloaded more than 1,000,000 times. After the researchers downloaded and analyzed it, they found that it was using Facebook APIs to access data for the logged-in user.
The app also copied the data to locations outside of Facebook. At least two of those locations – a Firebase database and an API server – did not protect the data properly: it was accessible without any authentication and without HTTPS, the report said. Needless to say, this loophole could allow attackers to easily download the user data accumulated by the app.
According to the report:
During our examination of the application, we located a Firebase database that the application was communicating with.
Facebook’s Data Abuse Bounty program rewards people for reporting misuse of data by application developers. The Data Abuse Bounty is inspired by Facebook’s bug bounty program that the social network uses to uncover and address security issues.
The program was clearly “inspired” by the Cambridge Analytica scandal and the subsequent CubeYou revelations, in which quiz apps were used to harvest users’ information.
Nightwatch Cybersecurity’s discovery qualified under the terms of the Facebook Data Abuse Bounty Program and a bounty payment has been received, researchers said.