Facebook - Shutterstock - © Pan Xunbin / Shutterstock.com

Facebook Pays Out For SSL Weakness In Android App

Facebook admits it wasn’t doing SSL right in its Android app

On by Thomas Brewster 0

Facebook has added extra protection to its Android app, after a researcher discovered images were still being sent over HTTP, even if HTTPS had been turned on.

SSL protection should provide adequate encryption, stopping snoops, or man-in-the-middle hackers, intercepting data. But Facebook was seen doing SSL in some places, but not in the sending and receiving of photos in the Android application.

Facebook fixes bad SSL

Facebook broken

Researcher Mohamed Ramadan discovered the problem by using the Wireshark traffic monitoring tool.

He reported the bug on 22 February and Facebook eventually responded by admitting it “wasn’t using HTTPS as it was supposed to”, according to a blog post from Ramadan.

Facebook ended up giving him $2000 in bug bounty funds. Ramadan has now promised to deliver more information on Facebook bugs he has discovered.

“It is time to update your Facebook apps right now, if you are a bit lazy like me and forget to update Android apps then update now,” he added.

It’s not uncommon for Android apps to have SSL flaws. Last year, over 1,000 vulnerable applications were uncovered.

Facebook confirmed the flaw was real and fixed, in an email statement sent to TechWeekEurope. It did not offer any more detail.

The social network has been gaining a lot of attention in the security community of late. It was criticised for not handing a bug bounty to one researcher, who discovered a flaw that let him post to anyone’s wall, including Facebook CEO Mark Zuckerberg’s timeline, without being a contact. They were rewarded by a community crowd fund instead, earning them over $10,000.

 What do you know about Internet security? Find out with our quiz!

Thomas Brewster
Author: Thomas Brewster
Security Correspondent, TechWeekEurope
Thomas Brewster Thomas Brewster Thomas Brewster
Techweekeurope for mobile devices
Android-App Google Currents App for iOS

Last comment

0 replies to Facebook Pays Out For SSL Weakness In Android App

Leave a Reply

  • Required fields are marked *,
    Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>