Facebook Pays Out For SSL Weakness In Android App

Facebook has added extra protection to its Android app, after a researcher discovered images were still being sent over HTTP, even if HTTPS had been turned on.

SSL protection should provide adequate encryption, stopping snoops or man-in-the-middle hackers from intercepting data. But Facebook was seen using SSL in some places and not in the sending and receiving of photos in the Android application.

Facebook fixes bad SSL


Researcher Mohamed Ramadan discovered the problem by using the Wireshark traffic monitoring tool.

He reported the bug on 22 February and Facebook eventually responded by admitting it “wasn’t using HTTPS as it was supposed to”, according to a blog post from Ramadan.

Facebook ended up giving him $2000 in bug bounty funds. Ramadan has now promised to deliver more information on Facebook bugs he has discovered.

“It is time to update your Facebook apps right now, if you are a bit lazy like me and forget to update Android apps then update now,” he added.

It’s not uncommon for Android apps to have SSL flaws. Last year, over 1,000 vulnerable applications were uncovered.

In an email statement sent to TechWeekEurope, Facebook confirmed the flaw was real and had been fixed. It did not offer any more detail.

The social network has been gaining a lot of attention in the security community of late. It was criticised for not handing a bug bounty to one researcher, who discovered a flaw that let him post to anyone’s wall, including Facebook CEO Mark Zuckerberg’s timeline, without being a contact. He was rewarded by a community crowd fund instead, earning him over $10,000.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
