Do you regularly use the Facebook Camera app on your iOS device? You should check that you are running the updated version, since the old version allows hackers to access your account when you are using your device on a Wi-Fi network. In the process, the attacker steals your email address and password.
This security loophole affects versions of the Facebook Camera app from before the December 21 update, that is, versions below 1.1.2. The problem was first spotted by Egypt-based security expert Mohamed Ramadan, who has previously pointed out various security concerns for Apple, Google, and Etsy. The issue lies in the app's handling of SSL certificates, which he says is too open. “The problem is the app accepts any SSL certification from any source, even evil SSL certifications and this enables any attacker to perform Man in The Middle Attack against anyone who uses Facebook Camera App for iPhone. This means that the application doesn’t warn the user if someone in the same [Wi-Fi network] is trying to hijack his Facebook account.”
Facebook has already addressed this concern by releasing an updated version of the app, which is now at 1.1.2. A statement released by the company says: “We applaud the security researcher who brought this bug to our attention for responsibly reporting the bug to our White Hat Program. We worked with the team to make sure we understood the full scope of the bug, which allowed us to fix it and upgrade the Camera application without any evidence that this bug was exploited in the wild. Users are only vulnerable if they are using an unsecured or untrusted public wireless network and an older version of the application. As always, we remind all users to only connect to networks they trust. Users can protect themselves by downloading the latest version of the Camera app. Due to the responsible reporting of this issue to Facebook, no one within the security community has evidence of account compromise using this bug. We have provided a bounty to the researcher to thank them for their contribution to Facebook Security.”