Facebook allows its authentication credentials to be stored in plain text within the Apple iOS version of its mobile app, allowing an attacker complete control over your Facebook account if he knows where to look.
Security researcher Gareth Wright noted the vulnerability and alerted Facebook. Wright wrote on his blog that he discovered the issue while exploring the application directories in his iPhone with a free tool and came across a Facebook access token in the Draw Something game on his phone.
The simple ‘hack’ allows a user to copy a plain text file off of the device and onto another one. This effectively gives another user access to your account, profile and all on that iOS device.
Facebook’s native apps for the two platforms not encrypting your login credentials, meaning they can be easily swiped over a USB connection, or more likely, via malicious apps. Facebook has responded that this issue only applies to compromised or jailbroken devices.
"My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added," Wright wrote. Wright said that he harvested over 1,000 plists over the course of a week, although he copied no data.
As for the USB connection scenario, Facebook says there’s no way to fix this problem. Note that in this case it doesn’t matter if your device is jailbroken or not, because whoever is doing the deed has physical access to your phone or tablet.
Facebook said in a statement that the modifications made to the phone were responsible for exposing the data:
Facebook's iOS and Android applications are only intended for use with the manufacture provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, "unauthorized modification of iOS could allow hackers to steal personal information ... or introduce malware or viruses." To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues.
Wright called Facebook's statement "rubbish," adding that the vulnerability is present on both jailbroken and non-jailbroken phones.
About the author