There's been a lot of attention around the Israeli facial recognition startup Face.com. They, amongst other things, make a mobile app called “KLIK” which lets users tag their friend’s faces in real-time, as they walk down the street. Just today, they announced that they’re being aquired by Facebook for $100M.
A few weeks ago, I noticed a different kind of excitement surrounding the startup. I found an extremely basic vulnerability in the which the app allows access to other user’s KLIK information, including private ‘authentication tokens’ (i.e keys) for user’s Facebook & Twitter accounts (KLIK relies on Facebook to use the app).
Face.com essentially allowed anyone to hijack a KLIK user’s Facebook and Twitter accounts to get access to photos and social graph (which enables 'face prints'), even if that information isn’t public.
Given the nature of the technology (facial recognition), the privacy concerns are significant. The above attack not only allows access to non-public photos, but also lets the attacker potentially manipulate the Face.com app to automatically ‘recognize’ anyone walking down the street (i.e just hijack Lady Gaga’s and get her ~11 million friends’ ‘face prints’).
In addition to accessing a potentially private data (i.e., if they had their photos, friends lists, or tweets set to ‘private’), the vuln allowed the attacker to hijack the account and post status updates / Tweets as that user. Since KLIK relies on Facebook connect, that means anyone that has used the app was vulnerable.
(Yes, you could be “Zuck for a day” and try to hijack @sweden to “Out Troll” the last tweeter.)
Hijacking Aldo’s account and posting a photo onto Facebook
Hijacking Aldo’s account and posting to Twitter
TECHNICAL DETAILS: Face.com was storing Facebook/Twitter OAUTH tokens on their servers insecurely, allowing them to be queried for *any user* without restriction. Specifically, once a user signed up for KLIK, the app would store their Facebook tokens on Face.com’s server for ‘safe keeping’. Subsequent calls to https://mobile.face.com/mobileapp/getMe.json returns the Facebook "service_tokens" for any user, allowing the attacker to access photos and post as that user. If the KLIK user has linked their Twitter account to KLIK App (say, to ‘tweet’ their photos à la Instagram), their 'service_secret' and 'service_token' was also returned.
In general, services that cache user tokens ‘in the cloud’ are exposing users to unnecessary risk, as made clear by the recent Tweetgif breach.
Big thanks to Aldo Cortesi for consenting to me hijacking his account and documenting the vulnerability.
NOTE: Since this was a vulnerability that could potentially reveal sensitive consumer information, I worked with Face.com, Facebook, and Twitter to make sure it was addressed before disclosing it. (Sorry kids, it's been patched).