Facebook Faceoff

Flaw in Face.com iPhone App Would’ve Allowed Someone to Hack Your Facebook Account

Face.com has a little egg on its face.

Cyborg Vision, a hack built with Face.com’s API.

Apps sure are fun, but you’ve got to watch where you’re leaving your Facebook Connect login credentials. Even the legit ones aren’t 100 percent foolproof.

For example: Just this week, Facebook acquired Israeli facial recognition startup Face.com for $100 million or thereabouts. So we’re not talking about some sloppy teenager throwing together Angry Birds ripoffs–and besides, iPhone apps are supposed to be given a thorough going-over before being allowed in the store, right?

And yet, security researcher Ashkan Soltani discovered something rather alarming while poking around the company’s KLIK iOS app, which deploys its fancy face technology to help you tag friends in photos in real time and requires would-be users to use Facebook Connect. In short, the weak spot allowed any Tom, Dick, or Harry to take over your Facebook account and, if you’d linked it, your Twitter account. It’s since been patched, but yikes.

Essentially, KLIK users’ Facebook and Twitter authentication keys were cached and stored on Face.com’s server insecurely, in such a way that an enterprising hacker could cherry-pick them. That, in turn, would allow him to take your Facebook account for a spin. As Mr. Soltani put it, “Yes, you could be ‘Zuck for a day’ and try to hijack @sweden to ‘Out Troll’ the last tweeter.”

That also means access to your private photos which–thanks to that snazzy facial recognition technology that makes KLIK possible–would give this hypothetical villain the means to identify your friends as they stroll through Grand Central Terminal.

Sounding a little chagrined about the whole affair, Face.com’s spokesman told us that the flaw only existed for a matter of days and was fixed “within an hour” of being reported by Mr. Soltani. Nor were any accounts actually breached, other than that of the user who allowed Mr. Soltani to test his theory.

“The dev team took immediate action to resolve the issue and updated deployment procedures to prevent a similar issue from taking place again,” he said.

We’ve also reached out to Facebook and Twitter for comment, and we’ll update if we hear back.

Now if you’ll excuse us, we’re off to do a little login maintenance.

Follow Kelly Faircloth on Twitter or via RSS. kfaircloth@observer.com