Security Hole Discovered in Facebook And Dropbox iOS Apps

Security researcher Gareth Wright discovered that many iOS and Android applications store Facebook access tokens (sequences of characters that grant access to an account) in a plain-text file. Anyone who obtains this file can use it to retrieve information from the account and, in the worst case, spoof your Facebook identity.

Gareth writes:

Popping into the Facebook application directory I quickly discovered a whole bunch of cached images and the com.Facebook.plist. What was contained within was shocking.

Not an access token but full OAuth key and secret in plain text. Surely though, these are encrypted or salted with the device ID. Worryingly the expiry in the plist is set to 1 Jan 4001!

Quick export and call to my good friend and local blogger Scoopz and I sent over my plist for him to try out. After backing up his own plist and logging out of Facebook he copied mine over to his device and opened the Facebook app…

My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added. Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures back to my friends. Even after restoring his own plist he still gets notifications for my games.

So anyone with access to your iOS or Android device’s file system could use this plist file, which contains a number of secure tokens, to spoof your Facebook identity on a totally different device. Tools like iExplorer make it possible to read this file from a PC connected to an iOS device (assuming you have synced your iOS device to that computer before), irrespective of whether the device is jailbroken.
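As an added example (not code from the article or from Gareth’s post), the script below audits an app’s plist for the two symptoms described above: credential-looking keys stored as plain-text strings, and an expiry date set so far out that the token effectively never expires. The key names and the sample plist are constructed assumptions, not the real com.Facebook.plist layout; the same function accepts binary plists pulled from a backup.

```python
import plistlib
import re
from datetime import datetime

# Heuristic: keys whose names suggest credential material.
SENSITIVE_KEY_RE = re.compile(r"token|secret|password|oauth|session", re.I)
# Any expiry this far out is effectively "never expires" (the post saw year 4001).
FAR_FUTURE = datetime(2100, 1, 1)

# Constructed sample shaped like the finding; NOT the real com.Facebook.plist.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>OAuthKey</key><string>EXAMPLE-OAUTH-KEY</string>
  <key>OAuthSecret</key><string>EXAMPLE-OAUTH-SECRET</string>
  <key>ExpirationDate</key><date>4001-01-01T00:00:00Z</date>
  <key>LastSync</key><date>2012-04-05T12:00:00Z</date>
  <key>Theme</key><string>light</string>
</dict>
</plist>
"""


def audit_plist(data):
    """Return (key_path, issue, detail) tuples for risky entries in a plist.

    Works on XML or binary plists (plistlib auto-detects the format) and walks
    nested dicts/arrays, reporting a dotted key path for each finding.
    """
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [str(key)])
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, path + ["[%d]" % index])
        else:
            dotted = ".".join(path)
            if isinstance(node, str) and node and SENSITIVE_KEY_RE.search(dotted):
                # Report only a short prefix so the audit log itself does not leak the secret.
                findings.append((dotted, "plaintext credential", node[:4] + "..."))
            elif isinstance(node, datetime) and "expir" in dotted.lower() and node >= FAR_FUTURE:
                findings.append((dotted, "effectively non-expiring", node.isoformat()))

    walk(plistlib.loads(data), [])
    return findings


if __name__ == "__main__":
    for key_path, issue, detail in audit_plist(SAMPLE_PLIST):
        print("%-20s %-26s %s" % (key_path, issue, detail))
```

Credentials that trip this check belong in the iOS Keychain rather than in a preference file, and the token should carry a real expiry so a copied file stops working.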

[Screenshot: Dropbox's plist file, which stores the access token (via TNW)]

A similar vulnerability was discovered in Dropbox’s iOS app.

To avoid any such identity theft keep these points in mind:

  • Connect your iOS device only to trusted computers, charging stations and docks. Gareth noted in his blog post that it’s possible to copy the file containing access tokens using a modified speaker dock.
  • If your device is jailbroken and has OpenSSH installed, be sure to change the root password from the default (instructions here). Otherwise your device may be susceptible to such an attack over an SSH connection. Since this sort of attack depends on the attacker and your device being on the same Wi-Fi network, be wary of connecting to public Wi-Fi networks.
  • And of course, make sure you safeguard your device, because if your device falls into the wrong hands, you have a lot more things to worry about other than your Facebook or Dropbox account.

Fortunately, there isn’t any evidence (yet) of such a method being used to gain unauthorized access to people’s accounts, and we expect Facebook and Dropbox to roll out updates for their respective apps very soon to patch this security hole.

Till then, keep the above points in mind.

  • Sghdfdhh

    If your iDevice has an SSH server on the default port with the default password (“alpine”), facebook should be the least of your concerns. Anyone on the same wifi as you can enjoy full administrator access to your phone, and help themselves to all your personal data (theoretically even data in the keyvault), and trojan any binary on your system that they feel like. They can install a keylogger to capture any password you use on the device. They can use your device to penetrate any VPN or private wifi you have access to.

    There have been worms in the wild that spread between jailbroken iPhones with the alpine password.

    If you don’t know what your ssh password is, or don’t know what ssh is, open Cydia *now*. Manage–>Packages–>OpenSSH. If it’s there, and you don’t know the password isn’t the default, uninstall it.

  • HumanCentiPad

    Well said. alpine is always the default password. It should be changed or SSH should be removed with the swiftness.

  • Wiilt

    I’m sooooooo abusing this.

    • DG

      8 ]

  • http://www.motorbeam.com/ fas

    LOL, someone keeps checking the code all the time, really epic.

  • Ryecell

    What a load of what ifs

  • Ryecell

    What a load of what ifs mate

  • Asbuster

    “… there isn’t any evidence (yet) of such a method being used to gain unauthorized access…” YEAH, UNTIL SOME FOOL PUBLISHED THIS ARTICLE!!