Earlier today, security researcher Gareth Wright revealed the discovery of a security hole in the Facebook app for mobile devices running iOS and possibly Android. The simple ‘hack’ allows a user to copy a plain text file off of the device and onto another one. This effectively gives another user access to your account, profile and all on that iOS device.
Now, The Next Web has discovered that popular file-syncing app Dropbox also exhibits the vulnerability. Updated with statement from Dropbox below.
As we noted earlier, the vulnerability lies with the app itself, as it stores this information in plain text, rather than encrypting or packaging it so that it cannot be accessed.
Facebook has responded, sending out the following statement:
Facebook’s iOS and Android applications are only intended for use with the manufacturer provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device.
We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device.
At first glance, the statement appears to indicate that you’re only vulnerable to this kind of profile theft if you jailbreak your device. We have confirmed that this is completely untrue. Your Facebook app on iOS is absolutely vulnerable because using a tool like iExplore, which is what Wright used to perform his white label hack, does not require a jailbreak.
Unfortunately, somearticles have been written that emphasize the jailbreaking aspect of this, when in fact it only makes it slightly more vulnerable and does nothing to change the fact that non-jailbroken phones are also vulnerable.
As a matter of fact, we have duplicated the Facebook hack here at TNW labs (using our own devices) and it works perfectly well without a jailbreak.
If you read the Facebook statement carefully, however, it does cover its bases when it states that you are vulnerable if you have ‘granted a malicious actor access to the physical device.’ That is absolutely true, your device would need to be accessed physically somehow, but it doesn’t mean that it would need to be stolen or that another person would even need to touch it.
If a program was running on a public computer, or if someone had modified a public charging station to siphon off the plain-text .plist file, they could theoretically gain access to that information, whether you’re jailbroken or not.
Your phone doesn’t need to be stolen if a malicious app was installed on a public system. Wright even made such an app as a proof-of-concept, gathering over 1,000 .plist files in a week before contacting Facebook about the problem.
The long and short of it is that regular, non-jailbroken devices are vulnerable to this because it is a flaw in the way that Facebook stores that .plist file containing your information. Facebook is obviously aware of the issue and should be issuing an update to fix it soon.
The Next Web was tipped that another popular app, Dropbox, also exhibits the same .plist usage error. We checked and the information was correct, allowing us to copy a profile from one un-jailbroken device to another using iExplore. This means that Dropbox, like Facebook, is vulnerable to any malicious software that could be written to collect these .plist files.
We copied the .plist from one device with the app installed and logged in, over to another which had a fresh installation of Dropbox on it. The profile copied and it worked seamlessly, as if we had logged on ourselves, which we had not.
We have reached out to Dropbox to see if it has a statement regarding the use of the plain-text files to store user profile information.
At this point, it’s clear that the handling of these files needs to be checked by every developer who’s app stores profile information. If Facebook and Dropbox are doing it, then other apps are very likely doing it as well.
If you’re a user of either of these apps, you shouldn’t panic. Stay away from public charging stations and computers until the apps have received updates to fix the problem, but otherwise you should be just fine.
Note that this method for copying a file does not work on ‘foreign’ machines if you have a passcode set. It will work on any computer that you have connected to and synced once, but not on a public computer which has never connected to your device. So, as is always best practice, set a passcode before using your iPhone with public devices or charging stations and you should be safe.
There is no evidence that anyone is using this method to collect information as of yet, but, as Wright told Zdnet, “Facebook are aware and working on closing the hole, but unless app developers follow suit and start encrypting the 60 day access token Facebook supplies, it’s only a matter of time before someone starts using the info for ill purpose…if they aren’t already.”
Update: We have received the following statement from Dropbox, noting that its Android app is not susceptible to this security issue and that it will update the iOS app to fix it as well. Hopefully other companies will take a look at how they’re handling these plain text tokens and do the same.
Dropbox’s Android app is not impacted because it stores access tokens in a protected location. We are currently updating our iOS app to do the same. We note that the attack in question requires a malicious actor to have physical access to a user’s device. In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices.
Update: We’ve performed further testing and found that if your device has a passcode set, this method for transferring a .plist file off of the device will not work. We’ve updated the article to reflect that.