In late December, just before Christmas, Facebook released version 1.1.2 of the Facebook Camera app for iOS to address a vulnerability that allowed cybercriminals to hijack user accounts through man-in-the-middle attacks.
An attacker connected to the same wireless network as the victim could easily sniff the traffic and intercept account credentials, said Egyptian security researcher Mohamed Ramadan, chief executive of Attack-Secure, who found and reported the flaw to Facebook.
“The problem is the app accepts any SSL certificate from any source, even evil SSL certs, and this enables any attacker to perform a man-in-the-middle attack against anyone who uses the Facebook Camera app for iPhone,” Ramadan said.
“This means that the application doesn’t warn the user if someone in the same wireless network is trying to hijack his Facebook account. This vulnerability is very dangerous because we connect to wireless networks everywhere; we can use hotel wireless service or restaurants’ wireless service, etc.”
To demonstrate his findings, Ramadan configured a Burp Suite proxy listening on port 8080. Because the app did not reject the proxy’s certificate, the proxy was able to capture the email address and password entered when logging in to the Facebook Camera app.
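The failure Ramadan describes is the app’s TLS handling trusting whatever certificate the network presents. The Objective-C listing below is added here and is not code from the Facebook Camera app; it shows that weak delegate pattern next to a hardened one, assuming an NSURLConnection-based client, and the bundled certificate file name `pinned-server.der` is hypothetical.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Weak pattern: every server certificate is accepted without evaluation, so a
// certificate produced by an on-path proxy on the same Wi-Fi is treated as genuine.
@interface VulnerableDelegate : NSObject <NSURLConnectionDelegate> @end
@implementation VulnerableDelegate
- (BOOL)connection:(NSURLConnection *)c canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)s {
    return [s.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}
- (void)connection:(NSURLConnection *)c didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)ch {
    SecTrustRef trust = ch.protectionSpace.serverTrust;   // never evaluated
    [ch.sender useCredential:[NSURLCredential credentialForTrust:trust] forAuthenticationChallenge:ch];
}
@end

// Hardened pattern: evaluate the chain against the system trust store, then require
// the leaf to match a certificate shipped in the app bundle (file name is hypothetical).
@interface HardenedDelegate : NSObject <NSURLConnectionDelegate> @end
@implementation HardenedDelegate
- (BOOL)connection:(NSURLConnection *)c canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)s {
    return [s.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust];
}
- (void)connection:(NSURLConnection *)c didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)ch {
    SecTrustRef trust = ch.protectionSpace.serverTrust;
    SecTrustResultType result = kSecTrustResultInvalid;
    BOOL chainOk = (SecTrustEvaluate(trust, &result) == errSecSuccess) &&
                   (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);

    BOOL pinOk = NO;
    if (chainOk && SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSData *presented = CFBridgingRelease(SecCertificateCopyData(leaf));
        NSString *path = [[NSBundle mainBundle] pathForResource:@"pinned-server" ofType:@"der"];
        NSData *pinned = [NSData dataWithContentsOfFile:path];
        pinOk = (pinned != nil) && [presented isEqualToData:pinned];
    }

    if (chainOk && pinOk) {
        [ch.sender useCredential:[NSURLCredential credentialForTrust:trust] forAuthenticationChallenge:ch];
    } else {
        // Abort rather than send the login form over a connection that cannot be verified.
        [ch.sender cancelAuthenticationChallenge:ch];
    }
}
@end
```

With the hardened delegate, an intercepting proxy’s certificate fails both the system trust evaluation and the pin comparison, so the login request is cancelled before credentials leave the device.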
For his findings, Facebook rewarded the researcher with $3000.
Ramadan advises Facebook Camera users to update their apps to the latest version in order to protect themselves against cybercriminal attacks that might leverage the vulnerability present in older variants.