Earlier today, security researcher Gareth Wright revealed the discovery of a security hole in the Facebook app for mobile devices running Android and iOS. The simple ‘hack’ allows a user to copy a plain-text file off the device and onto another one. This effectively gives another user access to your account, profile and all, on that iOS device.
Now, The Next Web has discovered that popular file-syncing app Dropbox also exhibits the vulnerability.
As we noted earlier, the vulnerability lies with the app itself, as it stores this information in plain text, rather than encrypting or packaging it so that it cannot be accessed.
Facebook has responded, sending out the following statement:
Facebook’s iOS and Android applications are only intended for use with the manufacturer provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device.
We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device.
At first glance, the statement appears to indicate that you’re only vulnerable to this kind of profile theft if you jailbreak your device. We have confirmed that this is completely untrue. Your Facebook app on iOS is absolutely vulnerable because using a tool like iExplore, which is what Wright used to perform his white label hack, does not require a jailbreak.
Unfortunately, some articles have been written that emphasize the jailbreaking aspect of this, when in fact it only makes it slightly more vulnerable and does nothing to change the fact that non-jailbroken phones are also vulnerable.
As a matter of fact, we have duplicated the Facebook hack here at TNW labs (using our own devices) and it works perfectly well without a jailbreak.
If you read the Facebook statement carefully, however, it does cover its bases when it states that you are vulnerable if you have ‘granted a malicious actor access to the physical device.’ That is absolutely true: your device would need to be accessed physically somehow, but that doesn’t mean it would need to be stolen or that another person would even need to touch it.
If a program were running on a public computer, or if someone had modified a public charging station to siphon off the plain-text .plist file, they could theoretically gain access to that information, whether you’re jailbroken or not.
Your phone doesn’t need to be stolen if a malicious app were installed on a public system. Wright even made such an app as a proof-of-concept, gathering over 1,000 .plist files in a week before contacting Facebook about the problem.
The long and short of it is that regular, non-jailbroken devices are vulnerable to this because it is a flaw in the way that Facebook stores that .plist file containing your information. Facebook is obviously aware of the issue and should be issuing an update to fix it soon.
The Next Web was tipped that another popular app, Dropbox, also exhibits the same .plist usage error. We checked and the information was correct, allowing us to copy a profile from one un-jailbroken device to another using iExplore. This means that Dropbox, like Facebook, is vulnerable to any malicious software that could be written to collect these .plist files.
We copied the .plist from one device with the app installed and logged in, over to another which had a fresh installation of Dropbox on it. The profile copied and it worked seamlessly, as if we had logged on ourselves, which we had not.
We have reached out to Dropbox to see if it has a statement regarding the use of the plain-text files to store user profile information.
Another fun fact? This can be done to your device even if it has a passcode. The entire file system is not encrypted when you use a passcode; only some information, like emails, receives this protection.
At this point, it’s clear that the handling of these files needs to be checked by every developer whose app stores profile information. If Facebook and Dropbox are doing it, then other apps are very likely doing it as well.
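As an added illustration (not code from Facebook, Dropbox or Wright), here is the contrast a developer should look for when checking their own app: the weak pattern writes the token to a plain-text .plist in the app sandbox, while the safer pattern keeps it in the iOS Keychain under a device-bound, passcode-protected accessibility class. The service name and file name are assumptions.

```swift
import Foundation
import Security

// Weak pattern described in the article: the token lands in a plain-text
// .plist inside the app sandbox, readable by any file-browsing tool and
// reusable on another device once copied. (Illustrative; not the apps' code.)
func savePlaintext(token: String) -> Bool {
    let dir = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
    let file = dir.appendingPathComponent("session.plist")   // assumed file name
    let dict: NSDictionary = ["access_token": token]
    return dict.write(to: file, atomically: true)
}

// Safer pattern: keep the token in the Keychain. WhenUnlockedThisDeviceOnly
// means the item is encrypted with a key tied to the device and passcode,
// readable only while the device is unlocked, and not restored to a
// different device from a backup, so a copied file is useless elsewhere.
enum TokenStore {
    static let service = "com.example.app.session"   // assumed service name

    static func save(token: String, account: String) -> OSStatus {
        let base: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        SecItemDelete(base as CFDictionary)          // replace any old token
        var attrs = base
        attrs[kSecValueData as String] = Data(token.utf8)
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        return SecItemAdd(attrs as CFDictionary, nil)
    }

    static func load(account: String) -> String? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
        ]
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
              let data = item as? Data else { return nil }
        return String(data: data, encoding: .utf8)
    }
}
```

A quick audit for the weak pattern is to browse the app's sandbox (Documents, Library/Preferences) on a test device and look for any .plist that contains a session or access token.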
If you’re a user of either of these apps, you shouldn’t panic. Stay away from public charging stations and computers until the apps have received updates to fix the problem, but otherwise you should be just fine.
There is no evidence that anyone is using this method to collect information as of yet, but, as Wright told ZDNet, “Facebook are aware and working on closing the hole, but unless app developers follow suit and start encrypting the 60 day access token Facebook supplies, it’s only a matter of time before someone starts using the info for ill purpose…if they aren’t already.”