Face.com App Allowed Facebook, Twitter Account Hijacking
By David Kravets
June 19, 2012 |

Israel-based facial recognition maker Face.com was the internet’s flavor for a day Monday when it announced it was acquired by Facebook. Rumors put the price in the $50 to $100 million range.

But what was not widely known was that Face.com’s mobile app, KLIK, which allows real-time face-tagging of Facebook pictures, recently suffered a giant vulnerability. A prominent researcher found that the app allowed anyone to hijack any KLIK user’s Facebook and Twitter accounts.

Independent researcher Ashkan Soltani said the app granted access to KLIK users’ private authentication tokens for users’ Facebook and Twitter accounts.

Soltani disclosed the revelation on his blog Monday and said he had shared the vulnerability with the companies before announcing it. It was patched before he publicized it on his site, he said.

Here’s what he found:

CONTINUE: [link to www.wired.com]