Facebook Login hijacking tool offered to black hat hackers

The world's largest social network rolled out the app update at the end of last year, but users have since discovered that the app requires permission not only to read SMS and MMS messages, but also to modify calendar events and send emails to guests without the owner's knowledge.

Such has been the furore around this, which is perhaps not surprising considering the Edward Snowden leaks and yesterday's Data Privacy Day, that Facebook has outlined its reasons for requesting the access on its Facebook Mobile Apps page.

“We realise that some of these permissions sound scary, so we'd like to provide more info about how we use them,” says a spokesperson. The web page goes on to detail what exactly Facebook does with owner data. The company reveals that adding a phone number to an account allows it to confirm that number automatically by sending the confirmation code via text message.

Reacting to the news, Kaspersky Lab senior security researcher David Emm said it is clear that Facebook wants to go down this route in order to employ two-factor authentication, but that the timing couldn't have been much worse.

“It would seem that this is needed to implement two-factor authentication on the device - in the words of one of their engineers, 'so we can automatically intercept login approval SMS messages for people that have turned on two factor authentication for their accounts, or for phone confirmation messages when you add a phone number to your Facebook account',” Emm told SCMagazineUK.com.

“The logic is clear, but the key, it seems to me, lies in the word 'automatically'. Surely the app doesn't need to do this automatically,” he added. “Facebook could simply prompt me to type in the code manually. Or, at the very least, provide this option.

“This may be a perfectly innocent feature but in the light of growing concerns about online privacy, such an option would help to allay people's fears.”