Advisory ID: NCC-CSIRT-0122-0002
Summary: Facebook for Android is vulnerable to a permission issue that lets anyone with physical access to the Android device accept friend requests without unlocking the phone. The affected product is Facebook for Android version 329.0.0.29.120 running on Android 10. To mitigate the vulnerability, users are recommended to disable the feature from their device’s lock screen notification settings.
Vulnerable Platform(s): All Android 10 devices running Facebook for Android version 329.0.0.29.120
Threat Type: Authentication bypass, Unauthorized access, Information Disclosure.
Description: Facebook for Android is vulnerable to a permission issue which allows an attacker with physical access to the Android device to accept friend requests without unlocking the phone. The bug is exposed when the device’s lock screen setting is set to “Show sensitive content when locked”: the friend-request notification then offers an accept action that works on the locked device. A victim who enabled that setting would not know that the app also allows such sensitive actions to be performed while the device is locked.
Consequences: The attacker will be able to add the victim as a friend and collect the victim’s personal information, such as email address, date of birth, check-ins, mobile phone number, address, pictures and any other information the victim may have shared that is visible only to his/her friends.
Impact: High
Probability: High
Solution: Users of Facebook for Android on Android 10 are recommended to disable the feature that permits these sensitive actions while the device is locked, via the device’s lock screen notification settings.
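The advisory’s mitigation is on the user’s side. As an added example (not code from the advisory or from Facebook), the following shows how an Android app can keep a sensitive notification action, such as accepting a friend request, from being actionable on the lock screen: the details are redacted while locked, the action requires authentication on API 31+, and a keyguard check refuses the action on older releases such as Android 10. The channel id, intent action string and class name are assumptions.

```java
import android.app.KeyguardManager;
import android.app.Notification;
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.os.Build;

public final class FriendRequestNotification {
    static final String CHANNEL_ID = "friend_requests";              // assumed channel id
    static final String ACTION_ACCEPT = "com.example.ACTION_ACCEPT"; // placeholder intent action

    /** Builds a friend-request notification whose accept action cannot fire from a locked device. */
    public static Notification build(Context ctx, String requesterName) {
        Intent accept = new Intent(ACTION_ACCEPT);
        PendingIntent acceptPi = PendingIntent.getBroadcast(
                ctx, 0, accept, PendingIntent.FLAG_IMMUTABLE | PendingIntent.FLAG_UPDATE_CURRENT);

        Notification.Action.Builder action =
                new Notification.Action.Builder(null, "Accept", acceptPi);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            // API 31+: the system forces an unlock before this action is delivered.
            action.setAuthenticationRequired(true);
        }

        // Redacted copy shown on the lock screen when sensitive content is hidden.
        Notification publicVersion = new Notification.Builder(ctx, CHANNEL_ID)
                .setSmallIcon(android.R.drawable.ic_dialog_info)
                .setContentTitle("New friend request")
                .build();

        return new Notification.Builder(ctx, CHANNEL_ID)
                .setSmallIcon(android.R.drawable.ic_dialog_info)
                .setContentTitle("Friend request from " + requesterName)
                .setVisibility(Notification.VISIBILITY_PRIVATE) // hide requester details while locked
                .setPublicVersion(publicVersion)
                .addAction(action.build())
                .build();
    }

    /**
     * Fallback for releases below API 31 (the advisory's Android 10): the component that
     * handles ACTION_ACCEPT calls this first and drops the request while the device is locked.
     */
    public static boolean mayPerformSensitiveAction(Context ctx) {
        KeyguardManager km = (KeyguardManager) ctx.getSystemService(Context.KEYGUARD_SERVICE);
        return km != null && !km.isDeviceLocked();
    }
}
```

The receiver for ACTION_ACCEPT should treat a false return from mayPerformSensitiveAction as a no-op rather than queueing the acceptance for later, otherwise the lock-screen tap still has an effect once the device is unlocked.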
References
- https://packetstormsecurity.com/files/163773/facebookandroid329-bypass.txt
- https://seclists.org/fulldisclosure/2021/Aug/10