June 22, 2012 -
Israeli facial recognition firm Face.com has patched its KLIK mobile application to close a major vulnerability that let anyone use the app to reach another user's social media accounts and pull photographs from them, even photographs that were not public.
Because the vulnerability sat in a facial recognition product, the privacy implications were significant. According to Ashkan Soltani, the independent security researcher who found the flaw, an attacker could hijack the Facebook or Twitter account of a popular user who had signed into the vulnerable Face.com application, then build face profiles of that user's friends. The attacker could then turn the application's recognition against anyone, including anonymous people walking down the street.
Beyond exposing potentially private data, such as photos, friend lists and tweets marked "private", the vulnerability let attackers hijack accounts and post status updates and tweets as the victim. Because the Face.com application relies on Facebook Connect, anyone who had used the application was exposed.
“Since this was a vulnerability that could potentially reveal sensitive consumer information, I worked with Face.com, Facebook, and Twitter to make sure it was addressed before disclosing it,” Soltani said on his popular IT security blog.
Soltani announced the vulnerability on the same day that Facebook announced it had completed its acquisition of Face.com. Speculation about the purchase had been reported in the media, including by BiometricUpdate.com, since late May.
Is it necessary to put more software and legislative safeguards in place to guard against vulnerabilities in biometric applications?