grandeduc - Fotolia

Facebook APIs used by tens of thousands of malicious apps

News roundup: Researchers find tens of thousands of malicious apps use Facebook APIs and can access user data. Plus, AWS threatens to suspend Signal's use of the platform, and more.

Nearly 26,000 malicious apps currently use Facebook APIs, such as a login or messaging API, and have access to profile information.

Cybersecurity vendor Trustlook, headquartered in San Jose, Calif., said it identified 25,936 malicious apps abusing Facebook APIs by using one of its in-house tools to scan apps around the world, gather information and assign them risk scores. The malicious apps it discovered using Facebook APIs have access to the same user information as app developers -- specifically names, locations and email addresses.

"The Cambridge Analytica data-harvesting scandal was mainly a result of developers abusing the permissions associated with the Facebook Login feature," Trustlook explained in a blog post. "When people use Facebook Login, they grant the app's developer a range of information from their Facebook profile. Back in 2015, Facebook also allowed developers to collect some information from the friend networks of people who used Facebook Login. That means that while a single user may have agreed to hand over their data, developers could also access some data about their friends. Needless to say, this realization among Facebook users has caused a huge backlash."

"We are not saying that 25,936 apps are doing the same thing that led to the Cambridge Analytica issue," a Trustlook spokesperson told SearchSecurity. "We are simply saying that these apps, that our system has determined to be malicious, are using Facebook services."

Trustlook said that it scores the apps it scans on a scale from 1 to 10, with a score of 10 representing the highest risk.

"The score is based on our dynamic analysis of the app," the Trustlook spokesperson explained. "That is, what the app does when it runs in our cloud. A malicious app (with a score above 7) might be doing things such as capturing pictures and audio when the app is closed, or making an unusually large amount of network calls. There are hundreds of vectors and behaviors that we look at when assessing risk."

Facebook APIs are not the only company APIs that are used by malicious apps, though.

"Twitter, LinkedIn, Google, and Yahoo offer similar options to developers, and thus their user data faces similar exposure," Trustlook said in its blog post. "All of these companies need to remain diligent about what user information is being granted to apps."

Facebook fired employee for privileged data abuse

It was also reported this week that Facebook fired an employee in the security group for misusing privileged data access. Facebook fired a security engineer who allegedly took advantage of his position to access information he then used to stalk women online, the social media giant confirmed to NBC News Tuesday.

On Sunday, Jackie Stokes, founder of Spyglass Security, tweeted about the Facebook employee in question, noting that she was able to confirm his employment through his social media profiles.

NBC News first reported on this on Tuesday and spoke to Facebook's CSO Alex Stamos, who said it was being investigated "as a matter of urgency."

Facebook later confirmed that the employee in question, who referred to himself as a "professional stalker" to Stokes, was fired.

Since then, Motherboard has reported that sources say multiple Facebook employees have been fired over the course of time for abusing their privileged access to user data, including stalking exes.

"It's important that people's information is kept secure and private when they use Facebook," Stamos told NBC News. "It's why we have strict policy controls and technical restrictions so employees only access the data they need to do their jobs -- for example to fix bugs, manage customer support issues or respond to valid legal requests. Employees who abuse these controls will be fired."

In other news

  • AWS threatened to suspend Signal's account if the company continues to use domain fronting. AWS wrote to the creator of the messaging app, Moxie Marlinspike, and said that domain fronting is a violation of its terms of service. Domain fronting is a technique used to protect messages sent over Signal from being tracked or censored in countries where Signal is banned. Its aim is to hide the real location of the endpoint of a connection. Marlinspike, who posted the letter sent to him from Amazon, was told not to use the Souq.com domain as part of Signal's domain fronting. "You do not have permission from Amazon to use Souq.com for any purpose. Any use of Souq.com or any other domain to masquerade as another entity without express permission of the domain owner is in clear violation of the AWS Service Terms," the letter read. "We will immediately suspend your use of CloudFront if you use third-party domains without their permission to masquerade as that third party." Google similarly banned Signal after it used domain fronting, though the moves from Google and Amazon have come under criticism from digital rights activists.
  • Medical devices made by Becton, Dickinson and Company (BD), the medical technology company headquartered in Franklin Lakes, N.J., could potentially expose patient records through the Key Reinstallation Attack (KRACK) vulnerability. KRACK, which was originally discovered in October 2017, is a flaw in the Wi-Fi Protected Access 2 (WPA2) protocol that affects Wi-Fi devices. In its security bulletin, BD said it is "monitoring the developing situation with a recently disclosed set of vulnerabilities found in the WPA2 protocol affecting confidentiality, integrity, and availability of communication between a Wi-Fi access point and a Wi-Fi enabled client such as a computer, phone, Wi-Fi base stations, and other gear, even if the data is encrypted. This is NOT a BD-specific vulnerability, but could affect any Wi-Fi devices that use the WPA2 protocol." BD products, including its medical supply and management systems -- such as BD Alaris Gateway Workstation, Pyxis Anesthesia ES and several others -- are all affected by the KRACK vulnerability. BD released fixes and third-party vendor mitigations in response.
  • Microsoft has patched a critical flaw in the Windows Host Compute Service Shim library (hcsshim). The open source container library was introduced in early 2017, and the Shim version is used in the Docker Engine project. The vulnerability enables remote code execution and, according to the Microsoft security update, occurs when hcsshim "fails to properly validate input while importing a container image. To exploit the vulnerability, an attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilizing the Host Compute Service Shim library to execute malicious code on the Windows host." Microsoft released the patch this week and Michael Hanselmann, the security researcher based in Switzerland who discovered the flaw, will release the technical details in a proof of concept later this month.

Dig Deeper on Application and platform security