November 23, 2024
Facebook and Dropbox Apps Have Major Security Hole

Facebook and Dropbox Apps Have Major Security Hole

Posted April 6, 2012 at 2:56pm by iClarified
A security hole in the Facebook and Dropbox apps makes it possible for someone to obtain access to your account, reports Gareth Wright and TNW. The applications are storing your authentication key and secret in plain text making it easy for someone with access to your device to copy the authentication information.

Popping into the Facebook application directory I quickly discovered a whole bunch of cached images and the com.Facebook.plist. What was contained within was shocking. Not an access token but full oAuth key and secret in plain text. Surely though, these are encrypted or salted with the device ID. Worryingly the expiry in the plist is set to 1 Jan 4001!

Quick export and call to my good friend and local blogger Scoopz and I sent over my plist for him to try out. After backing up his own plist and logging out of Facebook he copied mine over to his device and opened the Facebook app…


My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added. Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures back to my friends.


After being contacted by TNW about the security hole, Facebook tried to blame it on jailbreaking.

Facebook's iOS and Android applications are only intended for use with the manufacture provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, "unauthorized modification of iOS could allow hackers to steal personal information … or introduce malware or viruses." To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues.

Their statement that attempts to pass the buck to jailbreaking is completely untrue as TNW was able to verify. "Using a tool like iExplore, which is what Wright used to perform his white label hack, does not require a jailbreak."


The site also managed to find the same plist vulnerability in the Dropbox app. Currently the only way to protect yourself from this exploit is to make sure no one else has access to your device. This means staying away from public terminals where a script could be used to capture the plists from your device.

Read More [via TNW]


Facebook and Dropbox Apps Have Major Security Hole
Add Comment
Would you like to be notified when someone replies or adds a new comment?
Yes (All Threads)
Yes (This Thread Only)
No
iClarified Icon
Notifications
Would you like to be notified when we post a new Apple news article or tutorial?
Yes
No
Comments
You must login or register to add a comment...
Recent. Read the latest Apple News.
RECENT
Tutorials. Help is here.
TUTORIALS
Where to Download macOS Sequoia
Where to Download macOS Ventura
AppleTV Firmware Download Locations
Where To Download iPad Firmware Files From
Where To Download iPhone Firmware Files From
Deals. Save on Apple devices and accessories.
DEALS