UPDATED: On Thursday, Facebook Security assured users who access their Facebook account via Android or iOS devices that mobile sessions on the social networking site aren’t vulnerable to hacking. However, research published this week suggests otherwise.
A blog entry posted by UK-based mobile application developer Gareth Wright suggests that users who have their mobile phones compromised may be subject to account takeover attacks.
Writing on Tuesday, Wright identified an alleged problem: the social network’s app stores its access token in plain text in a file named ‘com.Facebook.plist.’ Wright was able to take the unencrypted token, available in the application’s directory, and copy it to a friend’s device. After his friend removed his own token, the friend was able to see all of Wright’s personal Facebook posts, messages and likes on his own phone without even logging in.
The hole raises concern for anyone who may plug their phone into public computers or modified public charging stations, putting their .plist files in danger of being swiped by malware residing on those machines, Wright said.
Attack scenarios include a hidden application which runs in the background on shared PCs and copies Plists from machines that are attached to it. Alternatively, attackers could devise a tool for copying plists from mobile devices that they had physical access to.
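The weakness Wright describes is a session token sitting in a readable property list. A defender auditing an app for the same mistake can scan the plists it writes for token-like values. This is an added example, not code from the article or from Facebook or Dropbox; the plist contents and the token value below are constructed, and the key-name and value-shape heuristics are assumptions rather than a definitive list.

```python
"""Audit an app's plist files for plaintext credentials (constructed example).

Walks every key/value in a property list and flags entries whose key name or
value shape looks like a session/access token. Assumes the plist has already
been copied off the device (e.g. from a backup or the app's sandbox directory).
"""
import plistlib
import re

# Key names that commonly hold secrets (heuristic assumption, not exhaustive).
SECRET_KEY_RE = re.compile(r"(token|session|secret|password|auth|cookie)", re.I)
# Opaque value shape: long run of URL-safe/base64 characters with no spaces.
OPAQUE_VALUE_RE = re.compile(r"^[A-Za-z0-9_\-+/=.|]{24,}$")


def walk(node, path=""):
    """Yield (dotted_path, value) for every leaf in a nested plist structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def find_plaintext_secrets(plist):
    """Return [(path, reason)] for string leaves that look like stored credentials.

    `plist` may be raw plist bytes (XML or binary) or an already-parsed object.
    """
    data = plistlib.loads(plist) if isinstance(plist, (bytes, bytearray)) else plist
    findings = []
    for path, value in walk(data):
        if not isinstance(value, str):
            continue
        key = path.rsplit(".", 1)[-1]
        if SECRET_KEY_RE.search(key) and OPAQUE_VALUE_RE.match(value):
            findings.append((path, "token-like key holding opaque value"))
        elif OPAQUE_VALUE_RE.match(value) and len(value) >= 40:
            findings.append((path, "long opaque string (possible credential)"))
    return findings


# Constructed sample: an app preferences plist with a plaintext OAuth-style token.
SAMPLE_PLIST = plistlib.dumps({
    "UserID": "100001234567890",
    "AccessToken": "AAACEdEose0cBAFakeTokenValue1234567890abcdefXYZ",  # constructed
    "Settings": {"NotifyOnLike": True, "Theme": "dark"},
    "Cookies": [{"Name": "c_user", "Value": "100001234567890"}],
})

if __name__ == "__main__":
    for path, reason in find_plaintext_secrets(SAMPLE_PLIST):
        print(f"{path}: {reason}")
```

A clean result from this scan does not prove tokens are safe; it only shows they are not sitting in plain text in the plists checked, which is the specific exposure the article describes.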
Wright’s findings prompted Facebook’s security group to issue a statement Thursday afternoon that claimed users accessing Facebook.com from an iOS or Android device were only vulnerable if using a jailbroken iOS or modded Android device. The update insists that Facebook’s application is only for use with its manufacturer-provided operating system, and suggests that if a “malicious actor” were granted access to the physical device, it could be vulnerable.
However, Wright’s hack, which used the app iExplore to browse iOS files, doesn’t require a jailbroken iPhone. Further research from writers at TheNextWeb.com on Friday helped verify his findings and also found that file-syncing app Dropbox, which has been taking security heat of its own lately, also demonstrates the vulnerability.
In an interview with ZDNet, Wright claims Facebook “are aware and working on closing the hole,” yet it’s not known whether Dropbox is aware and taking action to fix the similar, purported vulnerability.
In a statement, Dropbox said that the company’s Android application was not affected because it stores access tokens in a protected location. “We are currently updating our iOS app to do the same. We note that the attack in question requires a malicious actor to have physical access to a user’s device. In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices,” said the statement from a Dropbox spokeswoman.
Facebook is reportedly working on a fix for the plist problem.