A new Facebook flaw reportedly allows a hacker to stop mobile users from being able to disconnect a mobile app connected to the social network. In other words, once you give a mobile app permission to access your information on Facebook, it is allegedly impossible for you to revoke those rights on your mobile device.
If you try via Facebook’s own app or the mobile website, you’ll be presented with one of two rather generic errors:
The issue was discovered by MyPermissions, a startup that helps you track which connected apps have access to your personal information on social networks and Web-based services. At first, MyPermissions co-founder and CEO Olivier Amar uncovered more than 15 apps that could not be disconnected or removed from Facebook mobile, but after digging deeper, he realized anyone could run a script to replicate the problem.
The first question we asked Amar was whether an affected user could still remove the app on Facebook.com by going to Your Apps like so:
“Yes, there’s no question about it,” Amar said. It’s possible the vulnerability exists on the desktop as well, but if it does, it’s only limited to desktop apps. “We didn’t test if we could exploit the vulnerability on desktop,” Amar told TNW.
MyPermissions offers the following example of a scenario where this could be exploited:
Think about it like this: you download an app that promises to do one thing, but actually comes from a hacker who wants to seriously invade your privacy by mining your data. Given the right coding, this developer could trigger the same effect, basically making it impossible for a user to disconnect this malware app and revoke its permission to access your personal information.
Amar told us that MyPermissions stumbled on the vulnerability while stress testing a new version of its own app. He explained that anyone could exploit this particular flaw as it is relatively easy to do so.
“If the mobile app uses Facebook Connect, we were able to disable it,” Amar told TNW. “Doesn’t matter who wrote it. When we were testing, we could literally take down 250 apps at a time.”
So there are two problems here. Firstly, a hacker could create multiple malicious apps, convince users to install them and connect their Facebook account, after which they could then disable the permissions page. The second is that a hacker could target existing apps and make them impossible to remove. In either case though, users can still go to Facebook.com and revoke the permissions that way.
MyPermissions says this morning it reached out to Facebook, which is “taking care of this promptly.” Facebook told the startup to submit the flaw via its White Hat program, which Amar told us MyPermissions has already done.
We have also contacted Facebook for more information, but the company declined to comment as the issue is currently under investigation. Facebook did tell us, however, that it hasn’t been able to reproduce the behavior yet and is in contact with MyPermissions to investigate the claims. We will update this article based on the company’s findings.
Top Image Credit: Brendan Smialowski/Getty Images