Facebook spent upwards of $100 million to acquire Israel-based facial recognition firm Face.com on Monday and now a security flaw in the company’s software has been revealed.

The flaw came in the form of Face.com’s mobile app KLIK which allows real-time face-tagging for Facebook pictures. According to researcher Ashkan Saltani the app would grant access to a users private authentication tokens for Facebook and Twitter accounts, allowing hackers to easily gain access to personal photos and other information.

On his personal blog Saltani revealed the flaw after he reported it to Face.com and the issue was fixed.

TECHNICAL DETAILS: Face.com was storing Facebook/Twitter OAUTH tokens on their servers insecurely, allowing them to be queried for *any user* without restriction. Specifically, once a user signed up for KLIK, the app would store their Facebook tokens on Face.com’s server for ‘safe keeping’. Subsequent calls to returns the Facebook “service_tokens” for any user, allowing the attacker to access photos and post as that user. If the KLIK user has linked their Twitter account to KLIK App (say, to ‘tweet’ their photos à la Instagram), their ‘service_secret’ and ‘service_token’ was also returned.

The flaw highlights the exact reason users should be wary when it comes to granting Twitter and Facebook access to third-party apps which in turn can gather certain permissions.

The security issue was so easy to spot that Soltani says he spotted it out of “the corner of my eye.”

Since the flaw was fixed before it was announced users accounts should be safe.

Face.com Security Flaw Discovered After Facebook Acquisition is a post from: The Inquisitr

HTC on Tuesday confirmed that a security vulnerability exists on their Smartphones that allows any app requesting internet access to look at a users account information, GPS location, system logs and other potentially private data.

The manufacturer assured customers that while their own software won’t harm user data they have warned that third party malware could exploit the security flaw and cause information to be stolen.

HTC programmers are already building a patch for the flaw and they promise that an over-the-air patch update will arrive as soon as possible.

Here’s the official security statement from HTC:

HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers’ data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.

HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources.

Customers are urged to avoid non-trusted apps until the patch is made available and installed.

HTC Confirms Security Flaw, Says Fix Is On The Way is a post from: The Inquisitr