Facebook and Dropbox Apps Have Major Security Hole

Posted April 6, 2012 at 2:56pm by iClarified | Please help us and submit a translation by clicking here | 12816 views

A security hole in the Facebook and Dropbox apps makes it possible for someone to obtain access to your account, reports Gareth Wright and TNW. The applications are storing your authentication key and secret in plain text making it easy for someone with access to your device to copy the authentication information.

Popping into the Facebook application directory I quickly discovered a whole bunch of cached images and the com.Facebook.plist. What was contained within was shocking. Not an access token but full oAuth key and secret in plain text. Surely though, these are encrypted or salted with the device ID. Worryingly the expiry in the plist is set to 1 Jan 4001!

Quick export and call to my good friend and local blogger Scoopz and I sent over my plist for him to try out. After backing up his own plist and logging out of Facebook he copied mine over to his device and opened the Facebook app…

My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added. Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures back to my friends.


After being contacted by TNW about the security hole, Facebook tried to blame it on jailbreaking.

Facebook's iOS and Android applications are only intended for use with the manufacture provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, "unauthorized modification of iOS could allow hackers to steal personal information … or introduce malware or viruses." To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues.

Their statement that attempts to pass the buck to jailbreaking is completely untrue as TNW was able to verify. "Using a tool like iExplore, which is what Wright used to perform his white label hack, does not require a jailbreak."

The site also managed to find the same plist vulnerability in the Dropbox app. Currently the only way to protect yourself from this exploit is to make sure no one else has access to your device. This means staying away from public terminals where a script could be used to capture the plists from your device.

Read More [via TNW]


Share
Add Comment
lissaneor - September 24, 2013 at 9:18am
These kind of practices are really damaging for users. Now a day when Numbers of identity theft protection apps working to provide maximum security a app with security loop whole can be so much damaging.
Your-Moma - April 6, 2012 at 3:59pm
Typical FB ... It's bad enough that the application is so bad now it's also insecure :@ fuckbook why won't you just quit the business and rot In some corner
Ass lick - April 6, 2012 at 3:28pm
What a bunch of fucking pricks. You can do this without being jailbroken if you use a file explorer such as iFunBox. Cunts.
Follow iClarified
WhatsApp Messenger Update Reduces Frequency of 'Turn On Notifications' Alert
PayPal Says Apple Pay is as Safe as Your Selfies in iCloud [Image]
PayPal has gone on the offensive attacking Ap...
MapQuest Gets Alternate Routes, Improved Traffic Coverage, iOS 8 Support
The MapQuest app has been updated with altern...
Google Fiber App Now Lets You Create Custom Guides for Your Favorite TV Channels
Finalized DisplayPort 1.3 Standard Brings Support for 5K Monitors
The Video Electronics Standards Association (...