
Let’s clear this up quickly: Yes, there’s a security hole in the Facebook app. The Next Web also confirmed the same issue in the Dropbox app. The good news is this: It’s very unlikely anyone would get your info this way.
Someone would need physical access to your iPhone, you would have to let them connect it to their Mac, they would then have to browse the app's folders on the phone to copy out a plain-text file, and only then could they use what they found to do something malicious with your Facebook or Dropbox account.
Although many have reported that a jailbreak is required to reach this hole, that is simply not true. A Mac app like iExplorer, which lets you open an app's folders on a connected iPhone without jailbreaking it, is enough to get at the file.
It works like this: iOS apps use property list files (.plist, stored as XML or in a binary encoding) to keep all sorts of small pieces of app state. In this case, Dropbox and Facebook appear to be using an unencrypted property list, sitting in the app's own folder where any tool that can read the container can see it, to store both the OAuth token and its secret counterpart.
That's astonishingly naive. (I wonder how many other apps do the same.) Apple provides a mechanism meant for exactly this, the keychain, which keeps sensitive items encrypted outside the app's readable folder and, with the right accessibility class, only hands them back while the device is unlocked.
By using iExplorer to find the right plist, that file can be copied and dropped into the same app's folder on another device, which is then able to use your account as though you had already logged in there. Nothing ties an OAuth token to the hardware it was issued on; the server accepts it from whichever device presents it, which is why a copied file is all it takes. Using a property list in this way leaves us scratching our heads.
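As an added illustration (this is not code from the TUAW post, Facebook, or Dropbox), here is the weak pattern the article describes beside the keychain version Apple intended, in Objective-C. The service name, account label and token values are assumptions made up for the example; the hardened version stores a plain generic-password keychain item with the WhenUnlockedThisDeviceOnly accessibility class, so it is only readable while the device is unlocked and is not carried to another device by a backup restore.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical identifiers for the example; not Facebook's or Dropbox's.
static NSString * const kOAuthService = @"com.example.oauth";
static NSString * const kOAuthAccount = @"default-user";

// WEAK: the pattern the article describes. NSDictionary's writeToFile: emits
// an XML property list into the app container, where a paired Mac running a
// tool like iExplorer can copy it and read it as plain text. NSUserDefaults
// is no better: it is itself a plist under Library/Preferences.
void storeOAuthInPlist(NSString *token, NSString *secret) {
    NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
    NSString *path = [[paths objectAtIndex:0] stringByAppendingPathComponent:@"oauth.plist"];
    NSDictionary *creds = @{ @"oauth_token": token, @"oauth_token_secret": secret };
    [creds writeToFile:path atomically:YES];
}

// Base query shared by add/load/delete: one generic-password item per service+account.
static NSMutableDictionary *oauthKeychainQuery(void) {
    return [@{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
               (__bridge id)kSecAttrService: kOAuthService,
               (__bridge id)kSecAttrAccount: kOAuthAccount } mutableCopy];
}

// HARDENED: the same data stored as a keychain item. The accessibility class
// makes the item readable only while the device is unlocked, and ThisDeviceOnly
// keeps it out of backups, so it cannot be restored onto another phone.
OSStatus storeOAuthInKeychain(NSString *token, NSString *secret) {
    NSDictionary *creds = @{ @"oauth_token": token, @"oauth_token_secret": secret };
    NSData *blob = [NSJSONSerialization dataWithJSONObject:creds options:0 error:NULL];

    NSMutableDictionary *attrs = oauthKeychainQuery();
    SecItemDelete((__bridge CFDictionaryRef)attrs);   // replace any stale item; errSecItemNotFound is fine here
    attrs[(__bridge id)kSecValueData] = blob;
    attrs[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
}

// Returns the stored {oauth_token, oauth_token_secret} dictionary, or nil if the
// item is absent or the device is locked (errSecInteractionNotAllowed).
NSDictionary *loadOAuthFromKeychain(void) {
    NSMutableDictionary *query = oauthKeychainQuery();
    query[(__bridge id)kSecReturnData] = (__bridge id)kCFBooleanTrue;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;

    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess || result == NULL) return nil;
    NSData *blob = (__bridge_transfer NSData *)result;
    return [NSJSONSerialization JSONObjectWithData:blob options:0 error:NULL];
}

// Usage, shown so the example is complete; in a real app this lives in the login flow.
int main(int argc, char *argv[]) {
    @autoreleasepool {
        // Constructed placeholder values, not real credentials.
        OSStatus status = storeOAuthInKeychain(@"example-token", @"example-secret");
        NSDictionary *creds = (status == errSecSuccess) ? loadOAuthFromKeychain() : nil;
        NSLog(@"keychain status %d, token present: %@", (int)status, creds[@"oauth_token"] ? @"yes" : @"no");
    }
    return 0;
}
```

The ThisDeviceOnly class is what addresses the "drop the file into another device" path above: the item never appears in the app's folder, and a backup restored to other hardware does not bring it along. It does not make the token itself device-bound on the server side, so a token that has already leaked still needs to be revoked or rotated.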
Facebook issued a comment saying they will patch this soon. I haven't seen any statement from Dropbox yet. That being said, this was a careless mistake on Facebook's and Dropbox's parts; they should have known better.
Update: Dropbox issued a statement as well, noting that the Android version doesn't suffer from this vulnerability and that a fix for the iOS app is in the works. Their statement is pasted below.
The Next Web did a little more testing and found that you can't do this if you have set a passcode on your device: a locked, passcode-protected phone won't pair with a new computer, so there is no way to browse its app folders. A Mac the phone has already been paired with is a different matter, so treat the passcode as a mitigation rather than a fix for the app-side mistake.
From Dropbox:
We are currently updating our iOS app to do the same. We note that the attack in question requires a malicious actor to have physical access to a user’s device. In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices.
Facebook, Dropbox iOS apps contain security hole that could allow identity theft (Updated) originally appeared on TUAW – The Unofficial Apple Weblog on Fri, 06 Apr 2012 10:45:00 EST.