
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,490
30,731



Earlier this week, Gareth Wright disclosed his recent work showing that Facebook's app for iOS contains a security vulnerability that could allow malicious users to access login credentials held in a .plist file associated with the app. Obtaining a copy of that .plist file could allow a malicious user to automatically log in to the affected user's account on another device. The flaw reportedly also exists on Android devices.

Wright first discovered the issue while using iExplorer to browse files on his iPhone, discovering that the Facebook .plist file maintains the full OAuth key and secret needed to access his account in plain text. Working with a friend, Wright was able to demonstrate that simply moving that .plist file to another device granted that device access to his Facebook account.
After backing up his own plist and logging out of Facebook he copied mine over to his device and opened the Facebook app...

My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added.

Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures back to my friends.
Wright outlines a number of different ways in which a malicious user could obtain the login credentials, including customized apps, hidden applications installed on public PCs, or hardware solutions such as a modified speaker dock that could siphon the data.

Facebook has issued a statement claiming that the issue only affects devices that have been jailbroken or lost, as it requires either installation of a custom app or physical access to the device. But as pointed out by Wright and confirmed by The Next Web, unmodified devices need not be lost in order to be targeted, as simply plugging in a device to a compromised computer or accessory would be sufficient to allow the data to be gathered.

[Image: Dropbox .plist file seen through iExplorer (Source: The Next Web)]
Furthermore, The Next Web has confirmed that the same issue affects Dropbox for iOS, similarly allowing a user to simply copy the .plist file from one device to another in order to gain access to the account. Given that two high-profile apps are vulnerable to credential theft, it seems likely that other services are also affected by the same issue.

As multiple reports note, there is no evidence that this method of collecting login credentials is actively being used in a malicious manner, and users can protect themselves for the time being by not connecting their devices to public computers or charging stations.

Update: While Wright's initial post claims that the issue affects "locked passcoded unmodified iOS Devices" when connected to a PC set up to capture the .plist file, The Next Web has now updated its report to indicate that in its testing the technique does not work on devices protected with a passcode.

Article Link: Facebook and Dropbox Apps for iOS Vulnerable to Credential Theft
 

Feed Me

macrumors 6502a
Jan 7, 2012
831
6
Location Location
The only way to get a hold of these files is with physical access to the phone. Pretty scary though. Especially if your phone's nicked.

Facebook's claim that jailbroken devices are inherently vulnerable to this is just plain, plain wrong. The only way that a jailbroken device would be more vulnerable is through SSH being installed voluntarily by the user, and the root password not being changed.
 

Davidb57b

macrumors newbie
Feb 21, 2012
13
0
Passcode

A good reason to use the Passcode function with simple passcode turned off and erase data function on.
 

LimeiBook86

macrumors G3
May 4, 2002
8,001
45
Go Vegan
And now the rush to fix these issues! Pretty scary, but at least the pressure is on to fix these right away and at the moment it looks like a physical dock connector connection is required.
 

SandboxGeneral

Moderator emeritus
Sep 8, 2010
26,482
10,051
Detroit
I certainly hope these companies fix this ASAP. I don't use Facebook, so I'm alright there, but I do use Dropbox.

Agreed with someone above that this is sloppy programming. It still amazes me in this day that folks don't consider security when they create apps and such that require authentication.
 

FrizzleFryBen

macrumors 6502
Dec 14, 2009
453
179
Charlotte, NC
This is exactly why I refuse to have the FB app on my phone and I NEVER log into apps using my FB account. Turns out I'm not as crazy as my friends think I am.
 

invalidname

macrumors member
May 1, 2003
64
9
Grand Rapids, MI
Sloppy programming. This sort of information should be stored in Keychain!

Exactly. Apple makes it very clear that any sensitive information goes in the Keychain. It's not the easiest API in the iOS SDK, but anyone getting paid to write apps should be able to muscle through it.

The other thing that's obscene about the Facebook app for iOS is that it caches every element of every web page you visit with the app. Check your usage and Facebook could easily be gobbling multiple GB. Details on my blog: Facebook for iOS Pigs Out
 

bse3

macrumors member
Dec 27, 2011
55
0
I certainly hope these companies fix this ASAP. I don't use Facebook, so I'm alright there, but I do use Dropbox.

Agreed with someone above that this is sloppy programming. It still amazes me in this day that folks don't consider security when they create apps and such that require authentication.

Especially when Apple provides well-documented APIs exactly for that via their Keychain APIs.
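The two posts above (invalidname's and bse3's) make the same point: the token belongs in the Keychain, not in a preferences plist. The following is an added example, not code from the article, Facebook or Dropbox, that puts the weak pattern beside the hardened one. It assumes ARC and the Objective-C literal syntax, and the service and account names are constructed for the example. The insecure function illustrates the general "write the token to NSUserDefaults" pattern, which persists to Library/Preferences/<bundle id>.plist in clear text, so anyone who can read the app container (iExplorer over USB, a backup) gets the token. The Keychain version stores a generic-password item with kSecAttrAccessibleWhenUnlockedThisDeviceOnly, so the item is only decryptable while the device is unlocked and is not migrated to another device through a backup restore.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Constructed identifiers for this example; not the apps' real service names.
static NSString * const kExampleService = @"com.example.oauthdemo";
static NSString * const kExampleAccount = @"oauth-access-token";

// Weak pattern (illustration of the anti-pattern discussed in the thread):
// NSUserDefaults is written to Library/Preferences/<bundle id>.plist as plain
// text, so a copy of the app container carries a working credential.
void StoreTokenInsecurely(NSString *token) {
    NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
    [defaults setObject:token forKey:@"access_token"];
    [defaults synchronize];
}

// Hardened pattern: keep the token in a Keychain generic-password item.
// kSecAttrAccessibleWhenUnlockedThisDeviceOnly means the item is readable only
// while the device is unlocked and is not restored onto a different device.
OSStatus StoreTokenInKeychain(NSString *token) {
    NSData *tokenData = [token dataUsingEncoding:NSUTF8StringEncoding];
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kExampleService,
        (__bridge id)kSecAttrAccount: kExampleAccount,
    };
    // Delete any earlier item first so SecItemAdd does not return errSecDuplicateItem.
    SecItemDelete((__bridge CFDictionaryRef)query);

    NSMutableDictionary *attrs = [query mutableCopy];
    attrs[(__bridge id)kSecValueData] = tokenData;
    attrs[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
}

// Read the token back. Returns nil when no item exists or the device is locked,
// which is the behaviour the caller should treat as "not logged in".
NSString *LoadTokenFromKeychain(void) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kExampleService,
        (__bridge id)kSecAttrAccount: kExampleAccount,
        (__bridge id)kSecReturnData:  @YES,
        (__bridge id)kSecMatchLimit:  (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess || result == NULL) {
        return nil;
    }
    NSData *data = CFBridgingRelease(result);
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

// Remove the credential on logout so it does not outlive the session.
OSStatus RemoveTokenFromKeychain(void) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kExampleService,
        (__bridge id)kSecAttrAccount: kExampleAccount,
    };
    return SecItemDelete((__bridge CFDictionaryRef)query);
}
```

A quick check for an app you maintain: after logging in, inspect the app container (Library/Preferences and Documents) with a tool such as iExplorer. If the token is visible there, it is in the wrong place; with the Keychain version nothing credential-shaped appears in the container at all.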
 

TheDutchGuy

macrumors member
Mar 16, 2012
33
1
Europe
This is exactly why I refuse to have the FB app on my phone and I NEVER log into apps using my FB account. Turns out I'm not as crazy as my friends think I am.

I do use FB on my iPhone, but I never use my FB account to login to other apps/websites either... I still prefer to create an account manually... This is one of the reasons, the other is that I don't like others to be able to write on my wall or something...
 

bse3

macrumors member
Dec 27, 2011
55
0
This has been a good week for the Apple security team

What does the security of the Facebook and Dropbox Apps have to do with the Apple Security Team? This is about lazy developers, not utilizing stuff that is there.
 

3282868

macrumors 603
Jan 8, 2009
5,281
0
Facebook

Apple engineers and even Geniuses in the retail stores will tell you (and rightfully) that Facebook is a poorly written application. Aside from the aforementioned issue, Facebook is a memory hog and one of the reasons for battery drain. Check your logs on your iPhone (Settings -> General -> About -> Diagnostics & Usage -> Diagnostics & Usage Data), you should find LowMemory and other logs related to Facebook. Closing the app in the multitasking bar should speed up your iOS device, especially for older devices, while cutting back on battery usage.

Apple has been on Facebook regarding this issue but to no avail. With Facebook's popularity they seem to have Apple by the nads.

Noticed a negative vote, don't understand why as the information I provided is based on evidence/fact and I hope would be beneficial to some. I wish MacRumors would disengage this silly negative voting system as it truly serves no purpose other than to inflame others. Positive votes for truly helpful posts seems more logical and would support a more mature site. :)
 

JonneyGee

macrumors 6502
Jun 8, 2011
358
1,222
Nashville, TN
Honestly it sounds like Android is much more vulnerable than iOS to this issue, as every Android phone is essentially jailbroken. iOS users would either have to tether or jailbreak to be affected, but Android users (and iOS jailbroken users) could be affected by rogue apps. Security issues like this are the main thing keeping me from jailbreaking my phone.
 

iSee

macrumors 68040
Oct 25, 2004
3,539
272
...Facebook has issued a statement claiming that the issue only affects devices that have been jailbroken or lost, as it requires either installation of a custom app or physical access to the device

That's not true. Apparently Arstechnica needs to use their basic English skills to actually read the facebook statement. E.g., Facebook never mentions that the phone needs to be lost. Where did that come from?

What they say is that the app is vulnerable only when either the phone is jailbroken or a malicious actor has physical access to the device.

This matches what Gareth Wright found.

Facebook could definitely clarify what "granted a malicious actor access to the physical device" means. E.g, plugging your device into a compromised computer (or other device) counts as physical access by a malicious actor. Hopefully people don't plug their phones into random unknown computers too much anyway.
 

TallManNY

macrumors 601
Nov 5, 2007
4,735
1,588
Every Facebook user should assume that their account can, will be and possibly already is hacked. The service is not secure. Facebook, as a company from the top down, does not believe in security and privacy anyway. Even unhacked, much of your data goes to every app that you connect to. Who knows what group is behind those apps when you connect initially. How about three years later? A failed app's last asset before that company closes up shop is probably to sell their Facebook accounts. Some dorky game that you played five times three years ago might have changed hands a dozen times since you clicked on it. Every new entity buying that app got access to your account. Do you think Facebook is policing those entities?

The correct way to deal with this is to not have anything confidential or private on Facebook. It is designed for public consumption, which is fun and useful. It is not designed as a private storage site or private means of communication. All messages sent on Facebook should be considered public by the senders. Use it the right way, and don't worry about it being hacked any more than someone looking up your name in the phone book.

Now Dropbox, that is another issue. That should be decently private. I suspect this will get fixed though.
 

foodog

macrumors 6502a
Sep 6, 2006
911
43
Atlanta, GA
In other news..... people who don't have password protection on their phones have a high probability of data compromise when they lose their phone.
 

charlituna

macrumors G3
Jun 11, 2008
9,636
816
Los Angeles, CA
What's going on, Apple? It's been nothing but Java vulnerabilities and credential thefts the past 2 days! :confused:

FUD and hyperbole much.

Java is the responsibility of Oracle, not Apple.

And these 'thefts' aren't a major issue since most of the world doesn't jailbreak or lose their phones, which are the only ways to get the info off the phones.
 

Feed Me

macrumors 6502a
Jan 7, 2012
831
6
Location Location
Honestly it sounds like Android is much more vulnerable than iOS to this issue, as every Android phone is essentially jailbroken. iOS users would either have to tether or jailbreak to be affected, but Android users (and iOS jailbroken users) could be affected by rogue apps. Security issues like this are the main thing keeping me from jailbreaking my phone.

Actually, jailbreaking has nothing to do with this. Unjailbroken devices are just as vulnerable.
 

FloatingBones

macrumors 65816
Jul 19, 2006
1,485
745
As multiple reports note, there is no evidence that this method of collecting login credentials is actively being used in a malicious manner, and users can protect themselves for the time being by not connecting their devices to public computers or charging stations.

I suggest adding a clause to that statement:

...or by using a cable that has no data connection when charging your device with an untrusted source.

That was a very good article by the MR staff. I wouldn't have thought of embedding a data-stealing widget into a public power station, but it's certainly possible.

Do any hardware vendors sell a tiny USB dongle that passes through power but blocks data transfer?
 

Feed Me

macrumors 6502a
Jan 7, 2012
831
6
Location Location
FUD and hyperbole much.

Java is the responsibility of Oracle, not Apple.

And these 'thefts' aren't a major issue since most of the world doesn't jailbreak or lose their phones, which are the only ways to get the info off the phones.

Apple made Java their responsibility when they stopped shipping Oracle's Java and started their own updates.
 

seppler

macrumors newbie
Jul 8, 2008
14
0
A passcode lock on the iPhone will prevent it from pairing with an unknown computer. This will allow you to charge without giving access to the iPhone's file system.
 