Android App with Facebook API Copied and Insecurely Stored User Data

A recent report carried out by Nightwatch Cybersecurity indicates that a third-party Android app with Facebook API access was copying user data into storage outside of Facebook. Moreover, the data was stored insecurely in two locations.

Android App with Facebook API Copied User Data

The issue was reported to Facebook through its Data Abuse Bounty program, and the storage locations were secured in November last year. As for the app itself, it was removed from Facebook, but the Android version is still available in Google Play. The worst part is that the number of users affected by this breach is unknown.

The researchers came across the dubious Android application in the Google Play store in September last year, a few months after Facebook initiated its Data Abuse Bounty. The app claimed to provide additional functionality to Facebook users that was not available through the platform. Purportedly, the app was downloaded more than 1,000,000 times. After the researchers downloaded and analyzed it, they found that it was using Facebook APIs to access data for the logged-in user.

The app even copied the data to locations outside of Facebook. At least two of the locations – a Firebase database and an API server – didn’t protect the data properly and it was accessible without any authentication and without HTTPS, the report said. Needless to say, this loophole could allow attackers to easily download the user data accumulated by the app.

According to the report:

During our examination of the application, we located a Firebase database that the application was communicating with. The database was configured in test mode, which allowed anonymous public access by visiting the URL of “https://DATABASE.firebaseio.com/.json”.
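A Firebase Realtime Database rule set of the kind that prevents the anonymous `/.json` read the report describes. This is an added example, not configuration taken from the report or from the app; the `users/$uid` layout is an assumed data model, and `auth` and `$uid` are the standard rule variables.

```json
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
}
```

Test mode is the opposite setting, `".read": true` and `".write": true` at the root, which is what exposes the entire tree at the URL quoted in the report. Denying at the root and granting only per-user paths means an unauthenticated request to `/.json` receives a permission-denied response instead of the data.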

Facebook’s Data Abuse Bounty program rewards people for reporting misuse of data by application developers. The Data Abuse Bounty is inspired by Facebook’s bug bounty program that the social network uses to uncover and address security issues.

The program is definitely “inspired” by the Cambridge Analytica scandal and the CubeYou events that followed, in which quiz apps were used to harvest users’ information.

Nightwatch Cybersecurity’s discovery qualified under the terms of the Facebook Data Abuse Bounty Program and a bounty payment has been received, researchers said.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
