News has recently surfaced over an Android and iOS security hole, but that story has been mixed up as to where the vulnerability exists. Siting problems with Facebook’s mobile apps, a developer recently found that Facebook had effectively left a door open to your private data. In other words, iOS and Android have nothing to do with it.
*Update: We received an word from Facebook on the issue, which we’ve inserted below:
Facebook’s iOS and Android applications are only intended for use with the manufacture provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, “unauthorized modification of iOS could allow hackers to steal personal information … or introduce malware or viruses.” To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues.
In other words, this vulnerability only applies to jailbroken and modded devices, OR any regular device if someone has physical access to your phone OR connects it to a public terminal with malicious software installed.
According to Gareth Wright, who was looking into what Facebook’s app stored, opening the Facebook application directory and led him to discover a “whole bunch of cached images and the com.Facebook.plist.” There Wright found a “full oAuth key and secret in plain text.”
This information, when copied over to another device, allows direct access to the compromised Facebook account. So, after testing this out multiple times, Wright contacted Facebook and proceeded to create a few proofs of concept. At this point, while the vulnerability is still being resolved, Wright was able to grab plists directly from any device plugged into a computer with a bit of software.
This means shared and public computers are where the real threat exists, because the security hole can be tapped anytime a device is plugged in, gathered and used maliciously.
From Wright’s blog:
Facebook are aware and working on closing the hole, but unless app developers follow suit and start encrypting the 60 day access token Facebook supplies, it’s only a matter of time before someone starts using the info for ill purpose…if they aren’t already.
Until Facebook plug the hole, I’ll be thinking twice about plugging my devices into a shared PC, public music docks or “charging stations”.
Luckily, we have yet to hear of any such attempts, but it’s a good thing that Wright opted to report the issue directly to Facebook instead of abusing it. Still, these issues deserve attention, giving credit to the “white hat” developer while calling Facebook out on their missteps.