Android App with Facebook API Access Copied and Insecurely Stored User Data

A recent report by Nightwatch Cybersecurity indicates that a third-party Android app with Facebook API access was copying user data into storage outside of Facebook. In addition, the data was stored insecurely in two locations.





The issue was reported to Facebook through their Data Abuse Bounty program, and the storage locations were secured in November last year. As for the app itself, it was removed from Facebook, but the Android version is still available in Google Play. The worst part is that the number of users affected by this breach is unknown.

The researchers came across the dubious Android application in the Google Play store in September last year, a few months after Facebook initiated its Data Abuse Bounty. The app claimed that it provided additional functionality to Facebook users not available through the platform. Reportedly, the app was downloaded more than 1,000,000 times. After the researchers downloaded and analyzed it, they found that it was using Facebook APIs to access data for the logged-in user.


The app even copied the data to locations outside of Facebook. At least two of the locations – a Firebase database and an API server – did not protect the data properly: it was accessible without any authentication and without HTTPS, the report says. Naturally, this loophole could allow attackers to easily download the user data accumulated by the app.

According to the report:

During our examination of the application, we located a Firebase database that the application was communicating with. The database was configured in test mode, which allowed anonymous public access by visiting the URL of “https://DATABASE.firebaseio.com/.json”.
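
As an added illustration (not code from the report or from this article), the following Python sketch audits a Firebase Realtime Database rules file for paths that allow access without authentication, which is the condition the report describes. The sample rules, the function names and the `auth`-reference heuristic are assumptions made for this example.

```python
import json
import re

# Constructed sample rules (not taken from the report). TEST_MODE mirrors
# wide-open rules that leave https://DATABASE.firebaseio.com/.json readable
# by anyone; LOCKED scopes each user's record to that signed-in user.
TEST_MODE = json.loads('{"rules": {".read": true, ".write": true}}')
LOCKED = json.loads('''{"rules": {
  "users": {"$uid": {
    ".read": "auth != null && auth.uid === $uid",
    ".write": "auth != null && auth.uid === $uid"}},
  "public_config": {".read": true, ".write": false}}}''')

def is_unauthenticated(expr):
    """Heuristic (assumption): a rule grants anonymous access if it is
    literally true, or is an expression that never consults `auth`."""
    if isinstance(expr, bool):
        return expr
    text = str(expr).strip()
    if text == "false":
        return False
    return text == "true" or not re.search(r"\bauth\b", text)

def audit(rules, path="/"):
    """Walk the rules tree and return (path, operation) pairs open to anyone.
    Access granted at a parent cascades to every child, so a finding at "/"
    means the whole database is exposed."""
    findings = []
    for key, value in rules.items():
        if key in (".read", ".write"):
            if is_unauthenticated(value):
                findings.append((path, key.lstrip(".")))
        elif isinstance(value, dict):
            findings.extend(audit(value, f"{path.rstrip('/')}/{key}"))
    return findings

if __name__ == "__main__":
    for name, doc in (("test mode", TEST_MODE), ("locked", LOCKED)):
        print(name, audit(doc["rules"]))
```

A finding such as `/public_config` read access may be intentional; the point of the audit is that every anonymous grant is a reviewed decision and none sits above user data.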

Facebook’s Data Abuse Bounty program rewards people for reporting misuse of data by application developers. The Data Abuse Bounty is inspired by Facebook’s bug bounty program that the social network uses to uncover and address security issues.

The program is definitely “inspired” by the Cambridge-Analytica scandal and the following CubeYou events where quiz apps were used to harvest users’ information.

Nightwatch Cybersecurity’s discovery qualified under the terms of the Facebook Data Abuse Bounty Program and a bounty payment has been received, the researchers said.

Milena Dimitrova
