Face.com plugs security hole that enabled Facebook, Twitter account hijack

Independent researcher Ashkan Soltani discovered that KLIK, which uses facial recognition technology to tag friends in photos, allowed access to other users’ KLIK information, including authentication tokens for the users’ Facebook and Twitter accounts.

“Face.com essentially allowed anyone to hijack a KLIK user’s Facebook and Twitter accounts to get access to photos and social graph (which enables ‘face prints’), even if that information isn’t public”, Soltani wrote in a blog post.

The vulnerability enabled an attacker to hijack the user’s Facebook and Twitter accounts and post updates and Tweets as that user, he warned.

“Face.com was storing Facebook/Twitter OAUTH tokens on their servers insecurely, allowing them to be queried for *any user* without restriction. Specifically, once a user signed up for KLIK, the app would store their Facebook tokens on Face.com’s server for ‘safe keeping’. Subsequent calls to https://mobile.face.com/mobileapp/getMe.json return the Facebook ‘service_tokens’ for any user, allowing the attacker to access photos and post as that user. If the KLIK user has linked their Twitter account to the KLIK app (say, to ‘tweet’ their photos à la Instagram), their ‘service_secret’ and ‘service_token’ were also returned”, he explained.
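As an added illustration (not Face.com’s code; nothing on this page shows how getMe.json was actually implemented), the following Python models the authorization failure Soltani describes next to a hardened handler. The token store, user ids, token values and the `send` client are all constructed; the endpoint is assumed to take a user identifier.

```python
# Constructed sample store (hypothetical): user id -> third-party tokens the
# app kept server-side "for safe keeping". Real stores must encrypt these at rest.
TOKEN_STORE = {
    "user-1001": {"facebook": {"service_token": "fb-token-1001"}},
    "user-1002": {
        "facebook": {"service_token": "fb-token-1002"},
        "twitter": {"service_token": "tw-token-1002", "service_secret": "tw-secret-1002"},
    },
}


class Forbidden(Exception):
    """Raised when a caller asks for data that is not theirs."""


def get_me_vulnerable(requested_user_id):
    """Mirrors the flaw: the caller names a user id and the endpoint hands back
    that user's stored third-party tokens, with no check that the caller IS that
    user and no reason the raw tokens should ever reach a client at all."""
    return TOKEN_STORE.get(requested_user_id, {})


def get_me_hardened(session_user_id, requested_user_id):
    """Two fixes: the lookup is bound to the authenticated session (no cross-user
    reads), and the response exposes only what the client needs, i.e. which
    services are linked, never the tokens themselves."""
    if session_user_id is None or session_user_id != requested_user_id:
        raise Forbidden("token lookups are only allowed for the authenticated user")
    linked = TOKEN_STORE.get(session_user_id, {})
    return {"linked_services": sorted(linked)}  # e.g. ["facebook", "twitter"]


def post_on_behalf(session_user_id, service, message, send):
    """Tokens are used server-side: the app fetches the credential for the
    session user and passes it to the outbound call (`send` is an injected,
    hypothetical HTTP client), so the secret never crosses to the device."""
    creds = TOKEN_STORE.get(session_user_id, {}).get(service)
    if creds is None:
        raise Forbidden(f"{service} is not linked for this user")
    return send(service, creds["service_token"], message)
```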

Soltani said he contacted Face.com, Facebook, and Twitter about the vulnerability, and that it has since been patched.