The latest update to Facebook’s mobile app has fixed a security flaw that could have seen users’ mobile phone bills suddenly increase.
The vulnerability made it possible for scammers to cause a denial-of-service attack on the device or run up the victim’s phone bill by transferring large amounts of data to and from the handset.
Researchers at a foundation in Argentina discovered the flaw, which lies in the way the app handles HTTP requests. As part the video playback process, the app’s HTTP server will accept requests from any client, making it vulnerable to attack.
“The application embeds a generic HTTP server component that is used as a caching proxy for playing video recordings. This server is misconfigured and accepts requests from any client, local or remote, allowing attackers to connect to it and use a victim’s device as an open proxy. As a result, among other things, an attacker could carry out various forms of denial of service attacks such as filling up the device’s storage or running up the subscriber’s data transfer limit over 3G or LTE networks,” the report said.
The update also fixes two other security flaws within the Facebook app, one that allows attackers to intercept video content and another that could leak audio recordings of chat messages. The latter issue was also present in the Facebook Messenger application for Android.
The Facebook app vulnerabilities were fixed with the release of version 220.127.116.11.14 earlier this month.