Facebook Login iOS SDK Authentication Token Has No Signature

[paul-livefront]

Checklist before submitting a bug report

• [X] I've updated to the latest released version of the SDK
• [X] I've searched for existing GitHub issues
• [X] I've looked for existing answers on Stack Overflow, the Facebook Developer Community Forum and the Facebook Developers Group
• [X] I've read the Code of Conduct
• [X] This issue is not security related and can safely be disclosed publicly on GitHub

Xcode version

15.3

Facebook iOS SDK version

17.0.2

Dependency Manager

SPM

SDK Framework

Login

Goals

We're attempting to migrate to the Limited Login flow in the latest versions of the iOS SDK. We get back an AuthenticationToken (JWT), but we're unable to validate it because the signature portion of the JWT is always missing/empty.

Expected results

The JWT contained in AuthenticationToken.current?.tokenString after login should have a propertly formatted header, payload, and signature.

Actual results

The JWT contains a header and payload, but the signature is empty.

Steps to reproduce

Login with limited tracking configured. After the successful login attempt. AuthenticationToken.current?.tokenString has an incomplete JWT value.

Code samples & details

guard let configuration = LoginConfiguration(
    permissions: [.publicProfile, .email],
    tracking: .limited
) else {
    return
}

logIn(viewController: viewController, configuration: configuration) { result in
    switch result {
    case .success:
        // We should now have a valid AuthenticationToken.current?.tokenString.
    default:
        // handle errors
    }
}

[811414114]

M A Hannan is inviting you to a scheduled Zoom meeting.

Topic: [facebook/facebook-ios-sdk] Facebook Login iOS SDK Authentication Token Has No Signature (Issue #2442)

Join Zoom Meeting https://us05web.zoom.us/j/85245876546?pwd=X5W5awHdTRq3nNv7L2lNZkZUe4bmbO.1

Meeting ID: 852 4587 6546 Passcode: 580916

[briangithex]

By default, any attempt to print or otherwise display the tokenstring is truncated by XCode. Often, this results in receiving 1.5 to 2.5 of the 3 segments during testing/development.

[ricsantos]

Any update on this? Is is bad practice to just read the Profile object and send those properties straight to the server to create/login the user?

if let profile = Profile.current {
    print("FB Profile: \(profile.description)")
    print("FB Profile userID: \(profile.userID)")
    print("FB Profile first: \(profile.firstName)")
    print("FB Profile last: \(profile.lastName)")
    print("FB Profile email: \(profile.email)")
}

[briangithex]

Any update on this?

Did you verify it wasn't the truncation issue I mention above? If AuthenticationToken.current?.tokenString is missing the signature but otherwise looks like a valid token, that probably means you're reading it in a way that causes truncation (XCode does this in places you wouldn't expect).

Is is bad practice to just read the Profile object and send those properties straight to the server to create/login the user?

Yes, this is very bad practice. With this approach, it would be possible to maliciously pose as another user. Further, a compromised user account's login will not properly "expire" after it is recovered, since this data is replayable due to having neither a timestamp nor a signature (nor a nonce). The client-side profile information should be treated the same as any other user-supplied information: Useful in places where you'd trust the user or where the attacker is attacking themselves (e.g., "Welcome back, [First] [Last]" messages).

[811414114]

As part of our regular updates on notable threat disruption efforts, we’re sharing our findings into coordinated inauthentic behavior (CIB) targeting Moldova that we disrupted in early Q3 of this year, including threat indicators linked to this activity to contribute to the security community’s efforts to detect and counter malicious activity across the internet. As a reminder, we view CIB as coordinated efforts to manipulate public debate for a strategic goal, in which fake accounts are central to the operation. In each case, people coordinate with one another and use fake accounts to mislead others about who they are and what they are doing. When we investigate and remove these operations, we focus on behavior, not content — no matter who’s behind them, what they post or whether they’re foreign or domestic. Here is what we found: We removed seven Facebook accounts, 23 Pages, one Group and 20 accounts on Instagram for violating our policy against coordinated inauthentic behavior. This network originated primarily in the Transnistria region of Moldova, and targeted Russian-speaking audiences in Moldova. We removed this campaign before they were able to build authentic audiences on our apps. This operation centered around about a dozen fictitious, Russian-language news brands posing as independent entities with presence on multiple internet services, including ours, Telegram, OK (Odnoklassniki), and TikTok. It included brands like Tresh Kich, Moldovan Mole, Insider Moldova, Gagauzia on Air. The individuals behind this activity used fake accounts – some of which were detected and disabled prior to our investigation – to manage Pages posing as independent news entities, post content, and to drive people to this operation’s off-platform channels, primarily on Telegram. Some of these accounts went through significant name changes over time and used profile photos likely created using generative adversarial networks (GAN). They posted original content, including cartoons, about news and geopolitical events concerning Moldova. It included criticism of President Sandu, pro-EU politicians, and close ties between Moldova and Romania. They also posted supportive commentary about pro-Russia parties in Moldova, including a small fraction referencing exiled oligarch Shor and his party. The operators also posted about offering money and giveaways, including food and concert tickets, if people in Moldova would follow them on social media or make graffiti with the campaign’s brand names. This campaign frequently posted summaries of articles from a legitimate news site point[.]md, but with an apparent pro-Russia and anti-EU slant added by the operators. They also amplified a Telegram channel of the host of a satirical political show in Moldova critical of pro-European candidates. One of this operation’s branded Telegram channels was promoted by a Page we removed last quarter as part of a Russia-origin CIB network (case #3 in the Q2 2024 report). We found this network as part of our internal investigation into suspected coordinated inauthentic behavior in the region. Although the people behind this activity attempted to conceal their identity and coordination, our investigation found links to individuals from Russia and Moldova operating from the Transnistria region, including those behind a fake engagement service offering fake likes and followers on Facebook, Instagram, YouTube, OK, VKontakte, X and the petition platform Change.org. We also found some limited links between this CIB activity and a network from the Luhansk region in Ukraine that we removed in December 2020. Presence on Facebook and Instagram: 7 Facebook accounts, 23 Pages, 1 Group and 20 Instagram accounts. Followers: About 4,200 accounts followed one or more of these Pages, no accounts joined this Group, and around 335,000 accounts followed one or more of these Instagram accounts. The vast majority of these followers were outside of Moldova, which suggests the use of inauthentic engagement tactics to make these efforts appear more popular than they actually were. Ad spend: About $4,000 in spending for ads, paid for mostly in US dollars. Threat indicators This section details unique threat indicators that we assess to be associated with the malicious network we disrupted. It is not meant to provide a full cross-internet, historic view into this operation. It’s important to note that, in our assessment, the mere sharing of these operations’ links or engaging with them by online users would be insufficient to attribute accounts to a given campaign without corroborating evidence. To help the broader research community to study and protect people across different internet services, we’ve collated and organized these indicators according to the Online Operations Kill Chain framework, which we use to analyze many sorts of malicious online operations, identify the earliest opportunities to disrupt them, and share information across investigative teams. The kill chain describes the sequence of steps that threat actors go through to establish a presence across the internet, disguise their operations, engage with potential audiences, and respond to takedowns. As part of our next threat reporting cycle, we’ll be adding these threat indicators to our public repository on GitHub. Phase: Acquiring assets Tactic: Acquiring Facebook accounts, Pages, Groups, Instagram accounts Threat indicators: 7 Facebook accounts, 23 Pages, 1 Group and 20 Instagram accounts. Tactic: Acquiring TikTok accounts Threat indicators: @._kich6 @. @.***_acum Tactic: Acquiring Telegram channels Threat indicators: t[.]me/insider_md t[.]me/trech_kich t[.]me/onlinemd24 t[.]me/md_krot t[.]me/fluieras t[.]me/kishinev24 t[.]me/chsreal t[.]me/moldova_acum t[.]me/gagauzia_v_efire t[.]me/beltsy24 t[.]me/trech_kich_chat t[.]me/trech_kich_bot Tactic: Acquiring other social media assets Threat indicators: ok[.]ru/group/70000005349948 Phase: Disguising assets Tactic: Creating fictitious news outlets Threat indicators: Insider Moldova Треш Киш – Trech Kich Молдова онлайн – Moldova Online Молдавский Крот – Moldovan Mole Флуераш – Fluieras Кишинев – Kishinev Реальный Кишинев – Real Chisinau Молдова сейчас – Moldova Acum Гагаузия в эфире – Gagauzia on Air Бельцы 24 – Beltsy 24 Tactic: Adopting visual disguise Threat indicators: Using profile photos likely generated using artificial intelligence such as Generative Adversarial Networks (GAN) Phase: Evading detection Tactic: Camouflaging content Threat indicators: Frequently posting summaries of articles from a legitimate news site point[.]md, but with an apparent pro-Russia and anti-EU slant added by the operators. Phase: Targeted engagement Tactic: Running Ads Threat indicators: About $4,000 in spending for ads on Facebook, paid for mostly in US dollars Tactic: Engaging with users outside the operation Threat indicators: About 4,200 accounts followed one or more of these Pages; About 335,000 accounts followed one or more of these Instagram accounts. However, the vast majority of these followers were outside of Moldova, suggesting the use of inauthentic engagement tactics to make these efforts appear more popular than they actually were. Tactic: Engaging with specific audience Threat indicators: Targeting Russian-speaking audiences in Moldova Tactic: Directing online traffic Threat indicators: Using fake accounts to drive people to this operation’s off-platform channels, including Telegram channels Tactic: Posting about individuals or institutions Threat indicators: Posting original content that included criticism of President Sandu, pro-EU politicians, and close ties between Moldova and Romania. Posting supportive commentary about pro-Russia parties in Moldova, including a small fraction referencing exiled oligarch Shor and his party.   Read at https://about.fb.com/news/2024/10/taking-action-against-coordinated-inauthentic-behavior-in-moldova/

Hannan