❤ Facebook security warning for 1M users: Scam apps stole login credentials



Meta has issued a Facebook security warning to around one million users that their login credentials may have been stolen by scam apps.

While most of the apps were Android ones, 47 of them were iOS apps found in Apple’s App Store …

Many apps and websites offer third-party login options, with the most common ones being:

  • Login with Facebook
  • Login with Google
  • Login with Apple

The intention behind these login methods is to make it quicker and easier to start using an app, by skipping the need to register an account. However, a bad actor can also use this approach to steal your credentials.

Engadget reports that this is what a whole bunch of scam apps have done with the “Login with Facebook” option.

Meta is warning 1 million Facebook users that their account information may have been compromised by third-party apps from Apple or Google’s stores. In a new report, the company’s security researchers say that in the last year they’ve identified more than 400 scammy apps designed to hijack users’ Facebook account credentials.

According to the company, the apps are disguised as “fun or useful” services, like photo editors, camera apps, VPN services, horoscope apps, and fitness tracking tools. The apps often require users to “Log In with Facebook” before they can access the promised features. But these login features are merely a means of stealing Facebook users’ account info. And Meta’s Director of Threat Disruption, David Agranovich, noted that many of the apps Meta identified were barely functional.

Facebook security warning

If you have used one of the known scam apps, Meta will push a message to you in the Facebook app:

A security notice from Meta

You may have logged into Facebook from a malicious app designed to steal your
Facebook account information.

To protect your information we recommend you secure your account immediately.

The site says that the iOS apps identified mostly appeared to be targeting business users, with names like Meta Business, FB Analytic, and so on.

Meta has provided the full list of apps to both Apple and Google, so that they can be removed from their respective app stores.

Apple of course argues that its app review process keeps users safe from scams, and this is why it shouldn’t be obliged by antitrust concerns to allow third-party app stores or sideloading of iOS apps.

This latest revelation could be said to provide ammunition to both sides of the debate. On the one hand, dozens of scam apps made it through app review despite the fact that (a) they were stealing credentials and (b) scarcely worked. On the other, there were far fewer of these apps in the App Store than in Google’s Play Store.