Although Facebook says that a vulnerability allowing someone to access another user’s account only affects jailbroken iPhones, two reports say that’s not the case.
U.K. app developer Gareth Wright and The Next Web have separately confirmed that the issue, which originates from Facebook’s iPhone application, actually affects any iPhone, and not just those that have been jailbroken.
Wright announced his findings earlier this week. He claims that Facebook's iPhone application includes a vulnerability: it fails to encrypt log-on credentials when a user accesses the social network from the mobile application. Wright said that he then came across a Facebook access token in the Draw Something game, copied it, and, using the Facebook Query Language, extracted the information the token gave access to.
“Sure enough, I could pull back pretty much any information from my Facebook account,” he wrote. He went on to say that the app’s property list contained all the information needed to allow someone else to access a person’s Facebook account, send private messages, and do whatever else they wanted on the site.
In a statement to CNET yesterday, Facebook said the issue only affects jailbroken devices.
"Facebook's iOS and Android applications are only intended for use with the manufacturer-provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device," the social network said in a statement.
In addition to Wright, The Next Web, which re-created the hack, confirmed that it “does not require a jailbreak.”
But the blog also went one step further and found that Dropbox also suffers from the same flaw, leaving the application open to a so-called “plist,” or property list, hack.
“We copied the .plist from one device with the app installed and logged in, over to another which had a fresh installation of Dropbox on it,” The Next Web said. “The profile copied and it worked seamlessly, as if we had logged on ourselves, which we had not.”
One other interesting tidbit from the findings on Dropbox: the hack will even work on an iPhone protected by a passcode.
“Dropbox’s Android app is not impacted because it stores access tokens in a protected location,” a company spokesperson told CNET in an e-mailed statement. “We are currently updating our iOS app to do the same. We note that the attack in question requires a malicious actor to have physical access to a user’s device. In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices.”
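The flaw described above comes down to an access token sitting as plaintext in an app's property list, where anyone who can copy the file can read it. The following audit helper, added here and not code from the article, Facebook or Dropbox, parses a plist and flags values that look like unprotected tokens; the sample plist and its key names are constructed for illustration.

```python
# Added audit helper (not from the article or from Facebook/Dropbox): parses an
# iOS-style property list and reports any plaintext value that looks like a
# stored access token, the condition the article describes.
import plistlib
import re

# Keys whose values would grant account access if stored unprotected.
SENSITIVE_KEY = re.compile(r"(access[_-]?token|auth[_-]?token|session|secret|password)", re.I)
# Long opaque strings (token-like): letters/digits and a few symbols, 20+ chars.
TOKEN_VALUE = re.compile(r"^[A-Za-z0-9._|\-]{20,}$")

def walk(node, path=""):
    """Yield (dotted_path, value) for every leaf in a nested plist structure."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}" if path else str(k))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, node

def find_plaintext_tokens(plist_bytes):
    """Return a list of (path, reason) for leaves that look like unprotected credentials."""
    data = plistlib.loads(plist_bytes)
    findings = []
    for path, value in walk(data):
        if not isinstance(value, str):
            continue
        key = path.rsplit(".", 1)[-1]
        if SENSITIVE_KEY.search(key) and TOKEN_VALUE.match(value):
            findings.append((path, "sensitive key with token-like plaintext value"))
        elif TOKEN_VALUE.match(value) and len(value) >= 40:
            findings.append((path, "long opaque string under non-sensitive key"))
    return findings

# Constructed sample plist (key names and values are fake, chosen to resemble
# the kind of file the article describes).
SAMPLE_PLIST = plistlib.dumps({
    "FBAccessToken": "AAAB" + "x" * 60,
    "UserName": "alice",
    "Settings": {"theme": "dark", "AuthToken": "abc123def456ghi789jkl012"},
})

if __name__ == "__main__":
    for path, reason in find_plaintext_tokens(SAMPLE_PLIST):
        print(f"{path}: {reason}")
```

Run it against an app's own container plists during a security review; any hit is a value that belongs in the Keychain (with a device-only accessibility class) rather than in a file that a backup or file-copy exposes.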
Facebook did not immediately respond to CNET’s request for comment on these latest developments.
Originally posted at Apple
Don Reisinger is a technology columnist who has written about everything from HDTVs to computers to Flowbee Haircut Systems. Don is a member of the CNET Blog Network, posting at The Digital Home. He is not an employee of CNET.