Facebook and Dropbox Apps Have Major Security Hole

Posted April 6, 2012 at 2:56pm by iClarified | Please help us and submit a translation by clicking here | 13833 views

A security hole in the Facebook and Dropbox apps makes it possible for someone to obtain access to your account, reports Gareth Wright and TNW. The applications are storing your authentication key and secret in plain text making it easy for someone with access to your device to copy the authentication information.

Popping into the Facebook application directory I quickly discovered a whole bunch of cached images and the com.Facebook.plist. What was contained within was shocking. Not an access token but full oAuth key and secret in plain text. Surely though, these are encrypted or salted with the device ID. Worryingly the expiry in the plist is set to 1 Jan 4001!

Quick export and call to my good friend and local blogger Scoopz and I sent over my plist for him to try out. After backing up his own plist and logging out of Facebook he copied mine over to his device and opened the Facebook app…

My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added. Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures back to my friends.


After being contacted by TNW about the security hole, Facebook tried to blame it on jailbreaking.

Facebook's iOS and Android applications are only intended for use with the manufacture provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, "unauthorized modification of iOS could allow hackers to steal personal information … or introduce malware or viruses." To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues.

Their statement that attempts to pass the buck to jailbreaking is completely untrue as TNW was able to verify. "Using a tool like iExplore, which is what Wright used to perform his white label hack, does not require a jailbreak."

The site also managed to find the same plist vulnerability in the Dropbox app. Currently the only way to protect yourself from this exploit is to make sure no one else has access to your device. This means staying away from public terminals where a script could be used to capture the plists from your device.

Read More [via TNW]


Share
Add Comment
lissaneor - September 24, 2013 at 9:18am
These kind of practices are really damaging for users. Now a day when Numbers of identity theft protection apps working to provide maximum security a app with security loop whole can be so much damaging.
Your-Moma - April 6, 2012 at 3:59pm
Typical FB ... It's bad enough that the application is so bad now it's also insecure :@ fuckbook why won't you just quit the business and rot In some corner
Ass lick - April 6, 2012 at 3:28pm
What a bunch of fucking pricks. You can do this without being jailbroken if you use a file explorer such as iFunBox. Cunts.
Follow iClarified
PayPal App For iPhone Gets Support for Gift Cards, Security Key, and More
iPhone 6 Boiled in Coca-Cola [Video]
Check out this video of an iPhone 6 being boi...
Official iClarified App Gets New Login/Register Views, Profile Pics in Comments, More [Download]
Chromecast App Gets Updated With Material Design
Google has updated its Chromecast app with it...
Apple TV Remote Interaction Concept [Video]
Radu Dutzan, a product designer at Onda, has ...