Android Facebook App Users: Patch Now

Published : 22/11/2024   Category : security




Facebook has fixed a bug in its Android app that left photos vulnerable to interception.



Facebook apps for Android users: Ensure you've recently updated your Facebook app.
That warning comes via Egyptian security researcher Mohamed Ramadan, who disclosed Thursday that he'd found an HTTPS bug in Facebook's Android app -- as well as Facebook Messenger -- that has now been patched by the social network's security team. The bug could be exploited by an attacker using Wireshark or another sniffing tool to intercept images being transmitted to Facebook.
According to Ramadan's security report to Facebook, filed in February 2013, "I found that the official Facebook Messenger and Facebook app for Android latest version are sending and receiving images using HTTP protocol and anyone on the same wireless network can sniff my traffic and view all images or even replace it with his own images."
As a result, when using a vulnerable version of one of the apps, "if you are using a wireless network at cafe, hotel, airport, museum, disco, your friend's wireless network or even your own wireless network ... an attacker can run Cain and Abel, Ettercap, SSLstrip or his own tool to poison the traffic and hijack ARP table and sniff your images and your private images and leak it online or send it to his friends," he said.
Facebook's use of HTTP for sending people's images appeared to be an inadvertent programming error. For comparison's sake, Ramadan noted, Facebook apps for iOS were sending images using HTTPS, which would have prevented anyone from intercepting them using sniffing tools.
Accordingly, he recommended that all affected Android users update immediately, to protect their privacy. "Don't be lazy," said Ramadan, who runs Attack-Secure, which offers smarter ethical hacking and penetration testing, including a ninja skills course.
Ramadan's bug disclosure earned him $1,500 as part of Facebook's bug bounty program. Facebook later sweetened the payout by $500 for Ramadan alerting it to HTTPS problems in Facebook Messenger for Android. "Both were rooted in the same code issues so we essentially treated the Messenger issues as part of the same report rewarded with the bounty," Facebook's security team told him.
That didn't mark Ramadan's first appearance on Facebook's White Hat Security wall of thanks. Last year, for example, he earned $3,000 for informing Facebook of a critical vulnerability in its Facebook Camera app for iPhone. He's also spotted vulnerabilities in BlackBerry apps, as well as on the websites of Adobe, GitHub, Google, Microsoft and others.
Attention on how websites transmit people's personal information or potentially sensitive material -- such as photographs -- has been high since security researcher Eric Butler published his Firesheep tool in 2010. The Firefox plug-in allowed anyone to intercept the login information and other sensitive communications to sites such as Amazon, Facebook, Google and Twitter, for anyone connected to the same unsecured wireless network. While such data interception had long been possible using sniffing tools, Butler's plug-in drove most Web services to begin using HTTPS, at least for securing sensitive information such as login credentials.
