Earlier this week, a Facebook app developer reported that he had found a security hole which allows the log-in information sent to Facebook from a variety of mobile devices to be hacked. Facebook quickly responded that the vulnerability only affected devices that had been “jailbroken” to remove security measure, but more recent investigations appear to confirm the original claim.
The vulnerability was discovered by Gareth Wright, who found that the Facebook access token required by a game on his phone called Draw Something was stored by the that app in plain text, rather than being encrypted.
After further experimentation, he came across a property list with an unencrypted authorization key that provided full access to his Facebook account. He sent this “plist” to a friend, who “copied mine over to his device and opened the Facebook app… My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added. Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures.”
According to The Next Web, this vulnerability has been determined to affect the Facebook app for mobile devices running iOS and possibly Android, as well as iOS devices using the file-syncing app Dropbox.
Facebook responded to questions about the vulnerability with a statement which said, “Facebook’s iOS and Android applications are only intended for use with the manufacturer provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device.”
This initially appeared plausible. As explained by CNET, “What Wright apparently didn’t reveal was that the plist is designed to be offlimits to all except the app itself unless the device is already jailbroken. While jailbreaking or rooting phones gives the owner access to install and change apps they wouldn’t normally be able to do, it also disables the device’s built-in security measures.”
Wright, however, dismissed Facebook’s claim as “rubbish.” The Next Web also concluded that “this is completely untrue. Your Facebook app on iOS is absolutely vulnerable because using a tool like iExplore, which is what Wright used to perform his white label hack, does not require a jailbreak. … As a matter of fact, we have duplicated the Facebook hack here at TNW labs (using our own devices) and it works perfectly well without a jailbreak.”
The site goes on to explain that Facebook is technically connect that a non-jailbroken device is vulnerable only if you “have granted a malicious actor access” — but that this could happen any time your phone is connected to a public computer or charging station on which a malicious app has been installed. It therefore recommends that users either avoid public computers and charging stations or set a passcode before connecting to them.
CNET, however, added on Friday that the Dropbox hack “will even work on an iPhone protected by a passcode.” So although there are no reports to date of anyone who has actually been the victim of this vulnerability, it would appear safest to avoid possible sources of danger until Facebook and Dropbox can confirm that the problem has been resolved.
Muriel Kane is an associate editor at Raw Story. She joined Raw Story as a researcher in 2005, with a particular focus on the Jack Abramoff affair and other Bush administration scandals. She worked extensively with former investigative news managing editor Larisa Alexandrovna, with whom she has co-written numerous articles in addition to her own work. Prior to her association with Raw Story, she spent many years as an independent researcher and writer with a particular focus on history, literature, and contemporary social and political attitudes. Follow her on Twitter at @Muriel_Kane
Raw Story is a progressive news site that focuses on stories often ignored in the mainstream media. While giving coverage to the big stories of the day, we also bring our readers' attention to policy, politics, legal and human rights stories that get ignored in an infotainment culture driven solely by pageviews.
Founded in 2004, Raw Story reaches 9 million unique readers per month and serves more than 30 million pageviews.