Security researcher Gareth Wright made an unsettling discovery earlier this week, finding that Facebook’s iOS app has a security hole that could allow others to access your login information. The information was found in a .plist file related to the app that could be easily obtained by anyone with access to your device.
Wright discovered the issue while using a tool called iExplorer to browse files on his device, finding a plain text Facebook access token in the Draw Something app, which uses Facebook to connect players to each other in the game.
After testing the access token (which again, was in plain text with no encryption or protection), Wright found that it could be used to retrieve any information in the referenced Facebook account, such as personal information, and details about Facebook friends.
Having found such a key within Draw Something, he decided to poke around in the Facebook iOS app as well, where he found a full unencrypted authorization key to his Facebook account with no expiration date. The implications of this are explained on Wright’s blog:
Quick export and call to my good friend and local blogger Scoopz and I sent over my plist for him to try out. After backing up his own plist and logging out of Facebook he copied mine over to his device and opened the Facebook app…
My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added. Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures back to my friends. Even after restoring his own plist he still gets notifications for my games.
Fortunately, Wright did the responsible thing, and contacted Facebook about the issue rather than using it for his own purposes. Facebook initially tried to claim that the issue only existed on jailbroken devices, although it has since been discovered (as reported by TheNextWeb) that it actually works on all devices, regardless of jailbreak, and that Dropbox for iOS has a similar issue, as well as the Android versions of the Facebook and Dropbox apps.
As Wright points out, an ill-intentioned person doesn’t even necessarily need to have access to your device to obtain this information:
After contacting Facebook I took the liberty of knocking together a few proof of concepts.
- A hidden application which runs on shared PC’s. Any device plugged in to charge has the Plist copied
- A recompile of an open source iphone explorer like program with the added code
- A saved game editing tool with the added code
- A credit card sized hardware solution that takes all of two seconds to copy the plist should you have physical access to an iDevice
- A modified speaker dock
Over the course of a week over 1000 vulnerable plists were located and counted, though I hasten to add at no point was any data copied. (To clarify a 1000+ plists with open information re: facebook tokens or auth keys inc. 3rd party apps)
While Facebook and Dropbox are reportedly working on fixing the issue, other apps may have the same problem, raising concerns about the safety of charging your iOS device on a shared PC (such as at a public library), using public charging stations (such as those in bus stations), or plugging your device into any docking speakers or accessories that you don’t personally own.
We’ll keep you updated on the status of this issue. In the meantime, you may want to exercise extra caution.
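As an added example (not code from Wright, Facebook or any app named above): a check an app developer could run over their own app's preferences plist to catch the condition this article describes, a credential stored in plain text with no expiration. The key-name patterns, the 90-day threshold and the sample plist are assumptions constructed for illustration.

```python
import plistlib
import re
from datetime import datetime, timedelta

# Assumed heuristics: key names that suggest a credential or an expiry field.
SECRET_KEY = re.compile(r"token|secret|password|auth|session", re.I)
EXPIRY_KEY = re.compile(r"expir", re.I)
MAX_LIFETIME = timedelta(days=90)  # assumed policy threshold


def audit_plist(data, now):
    """Return sorted (key_path, issue) pairs. Secret values are never returned.

    `now` is a naive UTC datetime, matching what plistlib yields for <date>.
    """
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            # Expiry dates stored next to a credential in the same dictionary.
            expiries = [v for k, v in node.items()
                        if EXPIRY_KEY.search(k) and isinstance(v, datetime)]
            for key, value in node.items():
                child = f"{path}/{key}"
                if SECRET_KEY.search(key) and isinstance(value, (str, bytes)) and value:
                    findings.append((child, "plaintext credential"))
                    if not expiries:
                        findings.append((child, "no expiry recorded"))
                    elif max(expiries) - now > MAX_LIFETIME:
                        findings.append((child, "long-lived"))
                walk(value, child)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(plistlib.loads(data), "")
    return sorted(findings)


# Constructed sample standing in for an app's preferences plist.
SAMPLE = plistlib.dumps({
    "DisplayName": "alice",
    "ExampleAccessToken": "CONSTRUCTED-TOKEN-VALUE",
    "Accounts": [{"sessionSecret": "CONSTRUCTED-SECRET",
                  "expirationDate": datetime(4001, 1, 1)}],
})

if __name__ == "__main__":
    for path, issue in audit_plist(SAMPLE, datetime(2012, 4, 5)):
        print(f"{path}: {issue}")
```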