A serious security flaw has been discovered in the Facebook iOS app that could enable attackers to take over your account. For now, users are advised to stay away from public computers and charging stations. Apparently, the Facebook iOS app does not encrypt the user's login credentials: the access token that keeps you signed in is stored in plain text in a folder that is reachable by other apps or over a USB connection.
This is some of what the researcher who found it wrote in his report:

I stumbled into a plain text Facebook access token in the popular Draw Something by OMG POP.
That in itself isn't strange, but as Draw Something requests offline access to your account I copied the hash and tested a few FQL queries.
Sure enough I could pull back pretty much any information from my Facebook account.
As of the 1st of May 2012 these tokens run out after 60 days, but aside from that a simple .NET tool could easily snaffle this info and grab a fair whack of confirmed email addresses and marketing info.
Not good, but then I had to wonder what the Facebook app stored.
Popping into the Facebook application directory I quickly discovered a whole bunch of cached images and the com.Facebook.plist.
What was contained within was shocking.

Facebook has responded, giving out the following statement:

Facebook's iOS and Android applications are only intended for use with the manufacturer-provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device.
We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device.

For more on this story, you can check out the article by The Next Web.
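As an added illustration (not code from the researcher's report, from Facebook, or from The Next Web), here is a small Python scanner that does what the report describes by hand: parse an app's preferences plist and flag any value that looks like a credential sitting in the clear. The sample plist is constructed for the example; the key names, the token heuristic and the file path are assumptions and do not reproduce the actual contents of com.Facebook.plist.

```python
import plistlib
import re
import sys

# Key names that suggest a stored credential (case-insensitive substring match).
SUSPECT_KEY_WORDS = ("token", "secret", "password", "session", "auth")

# Heuristic for a bare token value: a long run of characters from the set
# typical of OAuth-style tokens. This is not a Facebook token grammar (an
# assumption for the example); any long opaque string is worth a look.
TOKEN_LIKE = re.compile(r"^[A-Za-z0-9_\-.|]{32,}$")


def _walk(obj, path=""):
    """Yield (path, leaf_value) for every leaf in a parsed plist tree."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, obj


def find_plaintext_tokens(plist_bytes):
    """Parse a plist (XML or binary) and return [(path, value)] for entries
    that look like credentials stored in the clear."""
    tree = plistlib.loads(plist_bytes)
    hits = []
    for path, value in _walk(tree):
        if isinstance(value, bytes):
            # <data> blobs are sometimes just ASCII tokens wrapped as NSData.
            try:
                value = value.decode("ascii")
            except UnicodeDecodeError:
                continue
        if not isinstance(value, str):
            continue
        key = path.rsplit("/", 1)[-1].lower()
        suspicious_key = any(word in key for word in SUSPECT_KEY_WORDS)
        if suspicious_key or TOKEN_LIKE.match(value):
            hits.append((path, value))
    return hits


def scan_file(path):
    """Scan a plist on disk, e.g. Library/Preferences/<bundle id>.plist
    copied out of an app container (path is an assumption for the example)."""
    with open(path, "rb") as fh:
        return find_plaintext_tokens(fh.read())


# Constructed sample standing in for an app's preferences plist. The token
# value is fake and chosen to look nothing like a real credential.
SAMPLE_PLIST = plistlib.dumps({
    "AppVersion": "4.1.1",
    "LastLoginUser": "alice@example.com",
    "FBAccessToken": "CONSTRUCTED-FAKE-TOKEN-" + "x" * 40,
    "Session": {"uid": "100000123456789", "ExpiresAt": 1335830400},
    "Cache": {"ImageURLs": ["https://example.invalid/img/1.jpg"]},
    "DeviceFingerprint": b"\x00\xff\x10\x80",
})


if __name__ == "__main__":
    # With no argument, scan the constructed sample; otherwise scan the file given.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PLIST
    for path, value in find_plaintext_tokens(blob):
        print(f"{path}: {value[:12]}... ({len(value)} chars)")
```

Run it against a preferences plist copied out of the app's container (the directory the report describes reaching over USB). Anything it flags is a secret that belongs in the iOS Keychain, which is the store designed for credentials, rather than in NSUserDefaults or a plist the app writes in the clear; the scanner only surfaces candidates, so a hit on a short, benign string is a prompt to look, not proof of a leak.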