Facebook security flaw?


Sep 29, 2009
I received a Facebook message notification (text displayed on my iPhone lock screen) even while signed out of Facebook completely on my iPhone. This seems like a major security hole to me. What if I had sold the phone to someone else? Are they going to get my Facebook messages now?

Here's what happened:
  1. Signed out of Facebook on my iPhone in iOS 8 through Settings.
  2. Signed out of the Facebook app.
  3. Messenger didn't allow me to sign out, so I deleted the app completely. I then re-downloaded Messenger from the App Store.
  4. Signed out of Pages (Facebook's app for managing pages).
  5. The main Facebook app still showed my email address in the sign-in field with no apparent way to delete it, so I deleted that app and re-downloaded it from the App Store.
  6. At this point, I was completely signed out of all Facebook-related apps on my iPhone. I subsequently received a message from a friend, and I got a notification on my iPhone lock screen which included the text of the message. Because I was signed out of every Facebook app on my iPhone, nothing from my account should be accessible on that phone without first signing in again. Again, what if I had given away the device or sold it? I realize I should wipe it (and would do so), but it seems like this would still happen. There's no reason to think it wouldn't.

I don't buy the explanation that I should go into my Facebook account and kill all my sessions from there. I shouldn't have to do that if I signed out on my phone. No average user would think to do that. This is a problem Facebook needs to address, or have I missed something?


Apr 12, 2012
I'd guess it's a Facebook problem.

I don't know the ins and outs, but I think when you agree to notifications for an app, the app publishers get a device token that they can use when they want to notify you. I'm guessing Facebook adds this information to your Facebook account. Then when your account gets a message, they can send a message to Apple's push notification service with your device token, and Apple will use that token to forward it to your device.

When you sign out, Facebook should remove the device token from your account. Maybe they do do that, but not as quickly as you tested for. Ideally they should do it immediately as part of the signing out process though.

I had a similar problem with Skype a while ago. A while back they started sending notifications even after you had exited the app, so I had to start logging out before exiting. But sometimes I would still get a few notifications for a few minutes after this. I don't think it happens any more, but I'm assuming that's because Skype tidied up their service.

edit: as for it being a MAJOR security issue with regards to selling your device, I am almost certain that Apple will be generating new device tokens for a new setup on that device. So I don't think it will continue to send messages to it. You should look up how APNS works on Apple's site though.

edit2: if you want to give someone your phone without doing a new setup and you're concerned about this, I am almost certain that flipping off Notifications for Facebook (and associated apps) and then turning them back on after they've signed in will fix this. Please test yourself though.
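The token lifecycle this post sketches, as an added example that is not part of the thread or of Facebook's or Apple's code: a toy server-side registry (all names, sessions and tokens are constructed placeholders) showing why a push token that outlives the session keeps delivering message text to a signed-out device, beside a sign-out that unbinds the token in the same step.

```python
# Added example, not code from the thread or from Facebook/Apple: a toy
# server-side registry modelling the push-token lifecycle described above.
# Token and session values are constructed placeholders, not real APNS tokens.


class PushRegistry:
    """Tracks which device tokens a message for an account would be pushed to."""

    def __init__(self):
        self.sessions = {}        # session_id -> (account, device_token)
        self.account_tokens = {}  # account -> set of device tokens

    def sign_in(self, account, session_id, device_token):
        # The app registers for notifications, receives a device token from
        # the OS and uploads it; the server binds it to the new session.
        self.sessions[session_id] = (account, device_token)
        self.account_tokens.setdefault(account, set()).add(device_token)

    def sign_out_leaky(self, session_id):
        # Flawed: the session is revoked but the device token stays bound to
        # the account, so pushes keep reaching a device nobody is signed in on.
        self.sessions.pop(session_id, None)

    def sign_out(self, session_id):
        # Correct: revoke the session and, in the same step, unbind the token
        # unless another live session on this account still uses that device.
        account, token = self.sessions.pop(session_id)
        still_in_use = any(a == account and t == token
                           for a, t in self.sessions.values())
        if not still_in_use:
            self.account_tokens[account].discard(token)

    def deliver(self, account, text):
        # The (token, payload) pairs the server would hand to the push service.
        return [(t, text) for t in sorted(self.account_tokens.get(account, ()))]


def message_after_sign_out(leaky):
    """Sign in on one phone, sign out, then receive a message from a friend."""
    reg = PushRegistry()
    reg.sign_in("alice", "sess-1", "tok-iphone")
    if leaky:
        reg.sign_out_leaky("sess-1")
    else:
        reg.sign_out("sess-1")
    return reg.deliver("alice", "hi, are you around?")


if __name__ == "__main__":
    print("leaky:", message_after_sign_out(True))   # token still gets the text
    print("fixed:", message_after_sign_out(False))  # nothing delivered
```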


Oct 17, 2011
Was this a Facebook or a Facebook Messenger notification?

If you opened the Facebook app or the Messenger app after getting that notification, did it act as if you were already logged in or anything like that, or did each one show a completely fresh state asking you to log in?