Face.com patched a vulnerability that could have allowed attackers to hijack the Facebook and Twitter accounts of its customers Facial recognition start-up Face.com patched a vulnerability in its KLINK iOS app that could have allowed attackers to hijack the Facebook and Twitter accounts of its users, according to Ashkan Soltani, the independent security researcher who claims to have found the flaw.KLIK is a camera app designed to allow users to easily tag friends in new photos by scanning their Facebook photo albums. It uses facial recognition technology developed by Face.com.In order to use the app, users need to grant it access to their Facebook accounts. However, the app can also be integrated with Twitter, where it can post messages on their behalf. SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe A simple vulnerability in the app allowed users to access each others’ Facebook and Twitter accounts, Soltani said in a blog post on Monday, the same day Face.com announced that it had been acquired by Facebook. The vulnerability was caused by Face.com storing Facebook and Twitter OAuth tokens — unique authentication keys — on its servers in an insecure way that made them accessible to anyone, Soltani said.With access to users’ OAuth tokens, an attacker could abuse the KLIK app’s permissions on their accounts. This includes the ability to access their private photos and friend lists or to post status updates and tweets in their names. Since the vulnerability affected facial recognition technology, the privacy implications were significant, Soltani said. An attacker could hijack a popular user’s account — like Lady Gaga’s, had she used KLINK — and build face prints for their millions of Facebook friends. Then they could match those in real time to people walking down the street.“Since this was a vulnerability that could potentially reveal sensitive consumer information, I worked with Face.com, Facebook, and Twitter to make sure it was addressed before disclosing it,” Soltani said.“We can confirm that on Friday, June 15th, a security vulnerability was pointed out to us,” a Face.com spokesman said via email. “The problem was resolved within an hour after being reported and the issue is now fixed. No users were affected, nor was any private information disclosed.” Related content feature Mastercard preps for the post-quantum cybersecurity threat A cryptographically relevant quantum computer will put everyday online transactions at risk. Mastercard is preparing for such an eventuality — today. By Poornima Apte Sep 22, 2023 6 mins CIO 100 Quantum Computing Data and Information Security feature 9 famous analytics and AI disasters Insights from data and machine learning algorithms can be invaluable, but mistakes can cost you reputation, revenue, or even lives. These high-profile analytics and AI blunders illustrate what can go wrong. By Thor Olavsrud Sep 22, 2023 13 mins Technology Industry Generative AI Machine Learning feature Top 15 data management platforms available today Data management platforms (DMPs) help organizations collect and manage data from a wide array of sources — and are becoming increasingly important for customer-centric sales and marketing campaigns. By Peter Wayner Sep 22, 2023 10 mins Marketing Software Data Management opinion Four questions for a casino InfoSec director By Beth Kormanik Sep 21, 2023 3 mins Media and Entertainment Industry Events Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe