Rogue Facebook Apps Can Disable Security Settings

Published: 22/11/2024   Category: security




Security researchers also report that the social network's mobile app provides no SSL capabilities at all, leaving users vulnerable.



Facebook may be adding HTTPS to its pages, enabling people to use SSL to encrypt their social networking sessions. But rogue applications apparently have the ability to turn it off.
That warning comes from Sean Sullivan, a security researcher at F-Secure. While browsing Facebook, he encountered spam that purported to show who had visited his profile -- functionality that's not actually available. Clicking on the spam led to a request to switch to a regular HTTP connection. Thereafter, HTTPS was disabled, even though he'd set Facebook security to use SSL whenever possible.
"I tested [this] several times, and each time I found an application that asked me to continue to a regular connection, my default Account Security settings reverted to HTTP," said Sullivan in a blog post.
Facebook is apparently working to address this issue. "I have confirmation that Facebook is aware of the problem and making changes so that the system will remember your SSL preferences," according to a blog post from Randy Abrams, director of technical education for antivirus firm ESET North America.
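What Sullivan describes is a state-handling bug: a one-off "continue over HTTP" prompt from an application should not overwrite the account-wide preference. The Python model below is added here as an illustration and is not Facebook's code; the class and method names are assumed. It contrasts a vulnerable preference store, which writes the downgrade into the saved setting, with one that scopes the exception to the requesting app and the current session so the saved default survives.

```python
"""Model of the preference-reset bug: an app's one-off "continue over HTTP"
prompt must not overwrite the account-wide "use HTTPS whenever possible" setting.
Class and method names are assumed for this example; this is not Facebook's code."""
from dataclasses import dataclass, field


@dataclass
class AccountSecurityBuggy:
    """Vulnerable model: accepting an app's HTTP prompt rewrites the saved default."""
    use_https: bool = True

    def accept_app_http_prompt(self, app_id):
        # The downgrade is written straight into the persistent preference,
        # so every later page load, for every app, is served over HTTP.
        self.use_https = False

    def scheme_for(self, app_id=None):
        return "https" if self.use_https else "http"


@dataclass
class AccountSecurityFixed:
    """Hardened model: the prompt grants a scoped, non-persistent exception."""
    use_https: bool = True
    session_exceptions: set = field(default_factory=set)

    def accept_app_http_prompt(self, app_id):
        # Remember the exception for this app only, for this session only.
        # The persistent preference is never touched here.
        self.session_exceptions.add(app_id)

    def set_use_https(self, value):
        # Only an explicit change on the Account Security page alters the default.
        self.use_https = bool(value)

    def end_session(self):
        self.session_exceptions.clear()

    def scheme_for(self, app_id=None):
        if app_id is not None and app_id in self.session_exceptions:
            return "http"
        return "https" if self.use_https else "http"


def demo():
    """Walk both models through the sequence Sullivan describes."""
    app = "who-viewed-your-profile"   # the spam app; name invented for the example
    buggy = AccountSecurityBuggy()
    buggy.accept_app_http_prompt(app)
    fixed = AccountSecurityFixed()
    fixed.accept_app_http_prompt(app)
    result = {
        "buggy_next_page": buggy.scheme_for(),       # "http": default silently reverted
        "fixed_app_canvas": fixed.scheme_for(app),   # "http": only the app that asked
        "fixed_next_page": fixed.scheme_for(),       # "https": default preserved
        "fixed_saved_setting": fixed.use_https,      # True
    }
    fixed.end_session()
    result["fixed_app_after_logout"] = fixed.scheme_for(app)  # "https": exception expired
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

The point of the fixed model is that the only path to `use_https` is the settings page; an app's prompt can obtain a temporary, app-scoped allowance and nothing more, which is the behaviour Abrams says Facebook was moving toward.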
But while Facebook is busy refining SSL for its Web pages, it apparently has yet to extend encryption to mobile users. Indeed, according to a blog post from Dan Wallach, an associate professor in the department of computer science at Rice University in Houston, a classroom experiment involving his Android smartphone and sniffing software found that numerous applications -- including ones that interface with Facebook and Google services -- use unencrypted traffic.
"For starters, Facebook appears to be using no encryption for mobile device access, or any authentication stronger than username and password. My Facebook account's Web settings specify full-time encrypted traffic, but this apparently isn't honored or supported by Facebook's Android app," he said. "Furthermore, unlike Twitter, Facebook isn't doing anything like OAuth signatures, so it may be possible to inject bogus posts as well."
On the Google front, while Gmail and Google Voice traffic from Wallach's smartphone was encrypted, Google Calendar was not. "An eavesdropper can definitely see your calendar transactions and can likely impersonate you to Google Calendar," he said.
On the other hand, he said that the free version of Angry Birds only transmitted the make of his phone to AdMob. But two other popular applications, the SoundHound music-finding app and the ShopSavvy barcode scanning tool, transmitted his actual GPS coordinates, which is something that neither needed to know, he said.
Unfortunately, said Wallach, Android currently lacks fine-grained controls for blocking GPS access -- using a VPN client wouldn't help. Instead, a fix might need to come in the form of an operating system enhancement. "Ideally, I'd like the Market installer to give me the opportunity to revoke GPS privileges for apps like these," he said.
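Wallach's experiment amounts to a passive audit of what each app sends in the clear. The Python below is added as an example and is not code from Wallach's class or from any of the apps named above. It runs that audit over a constructed capture: flows over TLS are skipped because the sniffer cannot read them, and each plaintext HTTP request is checked for session cookies or authorization headers (which let an eavesdropper impersonate the user, as he describes for Google Calendar), credential-bearing parameters, and latitude/longitude parameters (the GPS leak he saw from SoundHound and ShopSavvy). All hosts, app names and tokens in SAMPLE_FLOWS are invented.

```python
"""Passive audit of a (constructed) Android traffic capture for plaintext leaks."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample capture: one dict per flow. Hosts, app names and tokens
# are invented for this example. For TLS flows the sniffer only sees the
# destination, so "request" is None.
SAMPLE_FLOWS = [
    {"app": "social.app", "scheme": "http", "host": "api.social.example",
     "request": ("GET /me/feed?access_token=abc123 HTTP/1.1\r\n"
                 "Host: api.social.example\r\n"
                 "Cookie: sessionid=deadbeef\r\n\r\n")},
    {"app": "calendar.app", "scheme": "http", "host": "calendar.example",
     "request": ("POST /feeds/default HTTP/1.1\r\n"
                 "Host: calendar.example\r\n"
                 "Authorization: Bearer ctok1\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 "title=dentist&when=2011-02-01")},
    {"app": "barcode.app", "scheme": "http", "host": "ads.example",
     "request": ("GET /ad?lat=29.7174&lon=-95.4018&model=Nexus HTTP/1.1\r\n"
                 "Host: ads.example\r\n\r\n")},
    {"app": "mail.app", "scheme": "https", "host": "mail.example", "request": None},
    {"app": "game.app", "scheme": "http", "host": "ads.example",
     "request": "GET /ad?model=Nexus HTTP/1.1\r\nHost: ads.example\r\n\r\n"},
]

# Header names whose plaintext exposure lets an eavesdropper replay the session.
SESSION_HEADERS = {"cookie", "authorization"}
CREDENTIAL_PARAMS = {"access_token", "token", "password", "passwd", "auth", "sessionid"}
LOCATION_PARAMS = {"lat", "lon", "lng", "latitude", "longitude"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, params)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = parse_qs(urlsplit(target).query)
    # Form-encoded bodies carry parameters too, so merge them in.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(body).items():
            params.setdefault(key, []).extend(values)
    return method, target, headers, params


def audit_flows(flows):
    """Return one finding per plaintext flow, tagged with what it exposes."""
    findings = []
    for flow in flows:
        if flow["scheme"] != "http":
            continue  # encrypted: contents are not visible to the sniffer
        method, target, headers, params = parse_request(flow["request"])
        issues = []
        if SESSION_HEADERS & set(headers):
            issues.append("session-credential-in-clear")
        if CREDENTIAL_PARAMS & set(params):
            issues.append("credential-parameter-in-clear")
        if LOCATION_PARAMS & set(params):
            issues.append("gps-coordinates-in-clear")
        if not issues:
            issues.append("plaintext-no-secrets")
        findings.append({"app": flow["app"], "host": flow["host"],
                         "method": method, "target": target, "issues": issues})
    return findings


def impersonation_risk(findings):
    """Apps whose plaintext traffic carries something replayable as the user."""
    return sorted({f["app"] for f in findings
                   if {"session-credential-in-clear",
                       "credential-parameter-in-clear"} & set(f["issues"])})


if __name__ == "__main__":
    results = audit_flows(SAMPLE_FLOWS)
    for finding in results:
        print(f"{finding['app']:14} {finding['method']} {finding['host']}{finding['target']}"
              f"  -> {', '.join(finding['issues'])}")
    print("impersonation risk:", impersonation_risk(results))
```

Run against a real capture, the same logic would take the decoded HTTP requests from a packet sniffer rather than the inline list; the "plaintext-no-secrets" tag is kept deliberately, because a request that leaks nothing today (the Angry Birds case above) still tells a passive observer which app is in use.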
