Security hole in Facebook iOS app doesn't require jailbreak

by Carol~ Moderator - 4/6/12 1:01 PM

In Reply to: NEWS - April 06, 2012 by Carol~ Moderator

"Security hole in Facebook iOS app doesn't require jailbreak or theft, and Dropbox has it too [Updated]"

Earlier today, security researcher Gareth Wright revealed the discovery of a security hole in the Facebook app for mobile devices running iOS and possibly Android. The simple 'hack' allows a user to copy a plain text file off of the device and onto another one. This effectively gives another user access to your account, profile and all on that iOS device.

Now, The Next Web has discovered that popular file-syncing app Dropbox also exhibits the vulnerability. Updated with statement from Dropbox below.

As we noted earlier, the vulnerability lies with the app itself, as it stores this information in plain text, rather than encrypting or packaging it so that it cannot be accessed.

Facebook has responded, sending out the following statement:

'Facebook's iOS and Android applications are only intended for use with the manufacturer provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device.

We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device.

At first glance, the statement appears to indicate that you're only vulnerable to this kind of profile theft if you jailbreak your device. We have confirmed that this is completely untrue. Your Facebook app on iOS is absolutely vulnerable because using a tool like iExplore, which is what Wright used to perform his white label hack, does not require a jailbreak.

Continued :

Facebook logins easily slurped from iOS, Android kit
Facebook logins aren't being properly protected on iPhones, iPads and Android devices