Face.com plugs Facebook, Twitter hijacking hole

Creation date

ID: IRCNE2012061532
Date: 2012-06-20

According to CNET, a hole in the Face.com mobile app KLIK has been closed after a researcher discovered that it could be used to hijack Facebook and Twitter accounts.
KLIK lets people tag faces in photos using Facebook, which recently acquired Israel-based Face.com. But Ashkan Soltani, a privacy and security researcher, found that it also allowed anyone to hijack a KLIK user's accounts on Facebook and Twitter to get access to photos that were private.
"In addition to accessing potentially private data, the vuln allowed the attacker to hijack the account and post status updates / Tweets as that user," he wrote. "Since KLIK relies on Facebook connect, that means anyone that has used the app was vulnerable."
The problem arose because Face.com was storing Facebook and Twitter OAuth authorization tokens insecurely on its servers.
