Facebook is working frantically to fix a security flaw on its mobile application.
The flaw was discovered earlier this week by MyPermissions, an Israel-based startup that protects people’s information stored in the cloud.
MyPermissions chief executive officer and cofounder Olivier Amar accidentally discovered the hole when his 10-member software team began running stress tests on Facebook’s mobile applications Thursday. Amar’s engineers found they were unable to remove apps they had downloaded — and couldn’t actually disconnect those apps’ permissions from the social networking site.
“All of a sudden we started to see that you couldn’t disconnect from Facebook. We thought it was something odd, so we contacted Facebook’s security team,” said Amar, a Montreal-born Canadian who launched his Tel Aviv-based startup in 2012.
“What we found is that Facebook could not shut down any of their systems with the software script we were using,” says Amar, who added that he hadn’t slept in nearly two days because of the frantic back-and-forth with Facebook’s “white hat” squad.
“It’s a pretty big deal,” Amar said.
Above: Error messages appear when you try to revoke an app’s permissions from Facebook if the app is using a malicious script.
Image Credit: MyPermissions
According to the MyPermissions blog, the flaw enables app makers to “make it impossible for you to revoke an app’s permission to access your information.” Ordinarily, Facebook allows you to revoke permission from apps that you no longer want or trust. With MyPermissions’ script, however, that revocation is impossible. If you try to revoke the app’s permission, you get an error screen (shown here in both iOS and Android versions).
Facebook is taking the vulnerability seriously. The company asked Amar for the script his engineers wrote, but he declined to give it to them.
Well, most of it.
“We more or less told them the basics of it,” he said, in what he characterized as a spirit of cooperation.
Facebook isn’t saying much about it. A Facebook spokesperson referred my queries to a company post on Hacker News that read:
“We first learned of the claim a few hours ago. We’ve been in touch with MyPermissions directly and are waiting to receive more information from them. At this point, we haven’t been able to reproduce the reported issue or validate the existence of a vulnerability.”
Facebook engineers told Amar they hoped to have the problem fixed by Friday.
Amar said his team — composed mostly of software grunts with Israeli military and intelligence backgrounds — has yet to determine whether the security breach was related to a hardware or software bug.
Security experts said the breach warranted concern because malware could easily exploit the bug and install itself to steal user information when users log onto Facebook, Yahoo, Dropbox, or Spotify, for example.
MyPermissions raised over $1 million last year in venture funding. The mobile application manages and protects user data and how it’s shared by websites users visit. When users’ log-in information is synced to, say, Pandora or LinkedIn, MyPermissions users are notified with an alert.
“We’ve been impressed with the Facebook guys,” Amar said. “They’re working very quickly.”