Popping into the Facebook application directory I quickly discovered a whole bunch of cached images and the com.Facebook.plist. What was contained within was shocking. Not an access token but full OAuth key and secret in plain text. Surely though, these are encrypted or salted with the device ID. Worryingly the expiry in the plist is set to 1 Jan 4001!
Quick export and call to my good friend and local blogger Scoopz and I sent over my plist for him to try out. After backing up his own plist and logging out of Facebook he copied mine over to his device and opened the Facebook app.
My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added. Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures back to my friends.
After being contacted by TNW about the security hole, Facebook tried to blame it on jailbreaking.
Facebook's iOS and Android applications are only intended for use with the manufacturer-provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, "unauthorized modification of iOS could allow hackers to steal personal information or introduce malware or viruses." To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues.
Their statement, which attempts to pass the buck to jailbreaking, is untrue, as TNW was able to verify: "Using a tool like iExplore, which is what Wright used to perform his white label hack, does not require a jailbreak."
The site also managed to find the same plist vulnerability in the Dropbox app. Currently the only way to protect yourself from this exploit is to make sure no one else has access to your device. This means staying away from public terminals, where a script could be used to copy the plists off your device the moment it is plugged in.
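Added here as a worked illustration, not code from Wright, TNW, Facebook or Dropbox: a small Python audit script that does what a reviewer would do after pulling an app's plist off a device, namely parse it and flag any credential-like string stored in plaintext and any expiry date set implausibly far into the future (the 1 Jan 4001 case above). The plist it parses is constructed inline for the example; its key names (`oauth_key`, `oauth_secret`, `expiry`) are hypothetical and not the real com.Facebook.plist layout, and the reference date of 5 April 2012 is an assumption chosen to match the period of the story.

```python
import os
import plistlib
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Key names that usually hold material which should never sit in a plist unencrypted.
SENSITIVE_KEY = re.compile(r"(token|secret|password|passwd|oauth|api[_-]?key|session)", re.I)
# Anything that stays valid for longer than this is effectively a non-expiring credential.
MAX_SANE_LIFETIME = timedelta(days=365)

# Assumed reference "now" for the example; the real story dates from April 2012.
REFERENCE_NOW = datetime(2012, 4, 5)

# Constructed sample plist. The key names are hypothetical, NOT the real com.Facebook.plist schema.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>oauth_key</key><string>ABCDEF0123456789abcdef0123456789</string>
    <key>oauth_secret</key><string>0123456789abcdef0123456789ABCDEF</string>
    <key>expiry</key><date>4001-01-01T00:00:00Z</date>
    <key>theme</key><string>dark</string>
</dict>
</plist>
"""

# Constructed benign plist: no credentials, and an expiry one hour out.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>theme</key><string>dark</string>
    <key>cache_expiry</key><date>2012-04-05T01:00:00Z</date>
</dict>
</plist>
"""


def _walk(node, path=""):
    """Yield (path, value) for every leaf of a parsed plist, descending into dicts and arrays."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, node


def audit_plist(data: bytes, now: Optional[datetime] = None) -> list:
    """Return a list of findings, each a dict with 'path', 'kind' and 'detail'.

    Two checks are applied to every leaf:
      * a non-empty string under a credential-like key name -> 'plaintext-credential'
      * a date under an expiry-like key name more than MAX_SANE_LIFETIME ahead -> 'far-future-expiry'
    plistlib.loads handles both XML and binary plists, so this works on files taken straight off a device.
    """
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    findings = []
    for path, value in _walk(plistlib.loads(data)):
        name = path.rsplit("/", 1)[-1]
        if isinstance(value, str) and value and SENSITIVE_KEY.search(name):
            findings.append({"path": path, "kind": "plaintext-credential",
                             "detail": f"{len(value)}-char string stored unencrypted"})
        elif isinstance(value, datetime) and "expir" in name.lower():
            if value.tzinfo is not None:  # plistlib returns naive UTC; normalise just in case
                value = value.astimezone(timezone.utc).replace(tzinfo=None)
            lifetime = value - now
            if lifetime > MAX_SANE_LIFETIME:
                findings.append({"path": path, "kind": "far-future-expiry",
                                 "detail": f"expires {lifetime.days} days from now ({value.date()})"})
    return findings


def scan_directory(root: str, now: Optional[datetime] = None) -> dict:
    """Audit every *.plist under root (e.g. an exported app sandbox); returns {file: findings}."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if not filename.endswith(".plist"):
                continue
            full = os.path.join(dirpath, filename)
            try:
                with open(full, "rb") as fh:
                    findings = audit_plist(fh.read(), now)
            except (plistlib.InvalidFileException, ValueError) as exc:
                findings = [{"path": "", "kind": "unparseable", "detail": str(exc)}]
            if findings:
                results[full] = findings
    return results


if __name__ == "__main__":
    for finding in audit_plist(SAMPLE_PLIST, REFERENCE_NOW):
        print(f"{finding['kind']:22} {finding['path']:16} {finding['detail']}")
```

The two checks are deliberately separate: a long-lived token is only dangerous in combination with plaintext storage, but either finding on its own is worth raising with the app's developers. Run `scan_directory` against a folder exported from the device to sweep every plist an app left behind rather than just the one you already know about.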
Read More [via TNW]