Authentication vulnerabilities are at the center of security issues faced by two of the web’s biggest companies this week. A German security firm showed that Google’s Android platform sends some authentication tokens as plain text. Similarly, Facebook is requiring many developers to update their apps to fix a problem with “leaking auth tokens” due to iframe authentication.
This week, a vulnerability was revealed involving how Google implemented its Google Apps for the Android platform. The BBC describes the Android issue:
More than 99% of Android phones are potentially leaking data that, if stolen, could be used to get the information they store online.
The data being leaked is typically used to get at web-based services such as Google Calendar.
The discovery was made by German security researchers looking at how Android phones handle identification information.
Deeper in, they explain the vulnerability: the authentication token, which is effectively what tells the server who you are and that you're logged in, is sometimes sent in plaintext. This means that someone running a very simple packet sniffer could steal the login credentials of anyone on the same unsecured Wi-Fi network. This is very similar to how Firesheep worked, only the solution isn't nearly as simple for users, since they're effectively locked in to how Google makes the app. The vulnerability has been fixed in the latest version of Android, but almost no phones use that yet, so this affects almost every Android phone currently on the market.
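As an added example (not from the article, the researchers, or Google), here is a check a developer could run over their own app's logged test traffic to flag any request that carries a credential over plain HTTP. The header and parameter names are assumptions, and the sample requests are constructed.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed names of credential-bearing fields; adjust to your own app.
CRED_HEADERS = {"authorization", "cookie"}
CRED_PARAMS = {"access_token", "auth", "token"}

def parse_request(raw):
    """Split a logged HTTP request (absolute URL in the request line)."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def cleartext_credentials(raw):
    """Return the credential fields sent over http:// (empty list if none)."""
    _method, target, headers = parse_request(raw)
    url = urlsplit(target)
    if url.scheme.lower() != "http":
        return []  # TLS-protected request: token is not visible on the wire
    found = [f"header:{h}" for h in sorted(headers.keys() & CRED_HEADERS)]
    found += [f"query:{k}" for k, _v in parse_qsl(url.query)
              if k.lower() in CRED_PARAMS]
    return found

def audit(requests):
    """Map request index -> leaked fields, only for requests that leak."""
    report = {}
    for i, raw in enumerate(requests):
        leaks = cleartext_credentials(raw)
        if leaks:
            report[i] = leaks
    return report

# Constructed sample requests (hypothetical hosts and token values).
SAMPLES = [
    "GET http://calendar.example/feeds HTTP/1.1\r\n"
    "Host: calendar.example\r\nAuthorization: Token CONSTRUCTED\r\n\r\n",
    "GET https://calendar.example/feeds HTTP/1.1\r\n"
    "Host: calendar.example\r\nAuthorization: Token CONSTRUCTED\r\n\r\n",
    "GET http://app.example/cb?access_token=CONSTRUCTED&x=1 HTTP/1.1\r\n"
    "Host: app.example\r\n\r\n",
]

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Any non-empty report means a token was readable by anyone on the same network segment; the fix is to send that request over HTTPS only.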
Similarly, a major vulnerability was revealed in the Facebook platform, also involving leaked authentication data. Facebook has been quick to force a fix, going so far as to require developers to fix their apps or be banned. From TechCrunch's article about it:
For a group of developers on Facebook’s platform, the clock is ticking.
Last night and into today, Facebook has been sending out notices to developers they believe have apps in violation of their policy against sending authentication data to third parties. Those developers have 48 hours to fix their apps or they risk being “subject to one of the enforcement actions” — read: being booted.
You may recall that all of this initially came up last week when Symantec wrote a blog post entitled “Facebook Applications Accidentally Leaking Access to Third Parties.” That post detailed how the company found close to 100,00 apps that were inadvertently leaking auth tokens due to the use of iframes for app authentication. As a result, Facebook responded with a blog post of their own noting that by September 1 of this year all apps must migrate to OAuth 2.0, ensuring encrypted access tokens.
This is another good reminder of the importance of securing our apps. Any vulnerabilities that can be caught at the platform level are important, but in the end security is up to every developer.