Security researcher Gareth Wright discovered that many iOS and Android applications store Facebook access tokens (a string of characters that grants access to an account) in a plain-text file. Anyone who obtains this file can use it to retrieve information from the account and, in the worst case, spoof your Facebook identity.
Popping into the Facebook application directory I quickly discovered a whole bunch of cached images and the com.Facebook.plist. What was contained within was shocking.
Not an access token but full OAuth key and secret in plain text. Surely though, these are encrypted or salted with the device ID. Worryingly, the expiry in the plist is set to 1 Jan 4001!
Quick export and call to my good friend and local blogger Scoopz and I sent over my plist for him to try out. After backing up his own plist and logging out of Facebook he copied mine over to his device and opened the Facebook app…
My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added. Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures back to my friends. Even after restoring his own plist he still gets notifications for my games.
So anyone with access to your iOS or Android device’s file system could copy this plist file, which contains a number of security tokens, and use it to spoof your Facebook identity on a completely different device. Tools like iExplorer make it possible to read this data from a PC connected to an iOS device (provided the device has previously been synced with that computer), whether or not the device is jailbroken.
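As an added example (not part of this article or of Gareth Wright's post), here is a small Python audit script of the kind an app-security reviewer would run against an app's own plist files or a backup copy of them. It flags the two problems described above: credential-like keys whose values are stored as readable strings, and expiry dates so far in the future that the token is effectively permanent. The plist content and key names are constructed for illustration and are not the real Facebook SDK's keys.

```python
"""Audit an iOS property-list (plist) file for two weaknesses: credentials
written as plain strings, and access-token expiry dates far in the future.
Constructed sample data; the key names are assumptions for illustration, not
the real Facebook SDK's keys."""
import plistlib
import re
from datetime import datetime, timezone
from typing import Iterator, List, Optional, Tuple

# Heuristic: keys that usually hold credential material (assumed list).
SECRET_KEY_RE = re.compile(r"token|secret|password|passwd|credential|(^|_)key($|_)", re.I)
EXPIRY_KEY_RE = re.compile(r"expir", re.I)
MAX_TOKEN_LIFETIME_DAYS = 365  # anything living longer than a year is suspicious

# Fixed "current date" so results are reproducible (the article is from 2012).
FIXED_NOW = datetime(2012, 4, 5)

# Constructed plist modelled on the article's description (OAuth key, secret and
# an expiry of 1 Jan 4001). Values are placeholders, not real tokens.
SAMPLE_PLIST = plistlib.dumps({
    "access_token": "CONSTRUCTED-access-token-0123456789",
    "oauth_key": "CONSTRUCTED-oauth-key-abcdef",
    "oauth_secret": "CONSTRUCTED-oauth-secret-fedcba",
    "expiration_date": datetime(4001, 1, 1),
    "last_refresh": datetime(2012, 4, 1),
    "cache": {"image_count": 48},
})

# A plist that keeps only non-sensitive state, as a clean comparison.
CLEAN_PLIST = plistlib.dumps({
    "expiration_date": datetime(2012, 6, 1),  # about two months: a reasonable lifetime
    "cache": {"image_count": 48},
})


def _walk(node, path: str = "") -> Iterator[Tuple[str, object]]:
    """Yield (dotted path, value) for every leaf of a nested plist structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, node


def audit_plist(data: bytes, now: Optional[datetime] = None) -> List[str]:
    """Return human-readable findings for the plist bytes in `data`."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    findings: List[str] = []
    for path, value in _walk(plistlib.loads(data)):
        leaf = path.rsplit(".", 1)[-1]
        # Check 1: a credential-like key holding a readable string.
        if SECRET_KEY_RE.search(leaf) and isinstance(value, str) and len(value) >= 8:
            findings.append(f"plaintext credential stored at {path!r}")
        # Check 2: an expiry so far out that the token is effectively permanent.
        if EXPIRY_KEY_RE.search(leaf) and isinstance(value, datetime):
            days = (value - now).days
            if days > MAX_TOKEN_LIFETIME_DAYS:
                findings.append(f"token at {path!r} expires in {days} days ({value.date()})")
    return findings


def audit_sample() -> List[str]:
    """Run the audit against the constructed sample with a fixed clock."""
    return audit_plist(SAMPLE_PLIST, now=FIXED_NOW)


if __name__ == "__main__":
    for finding in audit_sample():
        print("FINDING:", finding)
    print("clean plist findings:", audit_plist(CLEAN_PLIST, now=FIXED_NOW))
```

A hit from the first check means the value belongs in the iOS Keychain (or Android's equivalent protected storage) rather than in a plist that travels with backups and file-system copies; a hit from the second means the token's server-side lifetime should be revisited, since a stolen token that never expires stays usable until it is explicitly revoked.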
(screenshot via TNW)
To avoid any such identity theft keep these points in mind:
- Connect your iOS device only to trusted computers, charging stations and docks. Gareth noted in his blog post that it’s possible to copy the file containing access tokens using a modified speaker dock.
- If your device is jailbroken and has OpenSSH installed, be sure to change your root password from the one that’s set by default (instructions here). Your device may otherwise be susceptible to such an attack via an SSH connection. Since this sort of attack depends on the attacker and your device being on the same Wi-Fi network, be wary of connecting to public Wi-Fi networks.
- And of course, make sure you safeguard your device, because if it falls into the wrong hands, you have a lot more to worry about than your Facebook or Dropbox account.
Fortunately, there isn’t any evidence (yet) of this method being used to gain unauthorized access to people’s accounts, and we expect Facebook and Dropbox to roll out updates for their respective apps very soon to patch this security hole.
Till then, keep the above points in mind.