Sunday 8 April 2012

Security Hole In Facebook iOS App Allows Identity Theft

A serious security flaw has been discovered in the Facebook iOS app that could let attackers take over your account. For the time being, users are strongly advised to stay away from public computers and charging stations. The Facebook iOS app apparently does not encrypt the user's logon credentials, leaving them exposed in a folder that other apps, or anything connected over USB, can read.

A security researcher named Gareth Wright published a post on his blog last Tuesday describing how he discovered the loophole in the Facebook iOS app's security.
This is some of what he wrote in his report:


I stumbled into a plain text Facebook access token in the popular Draw Something by OMG POP.
That in itself isn’t strange but as Draw Something requests offline access to your account I copied the hash and tested a few FQL queries.
Sure enough I could pull back pretty much any information from my Facebook account.
As of the 1st of May 2012 these tokens run out after 60 days but aside from that a simple .net tool could easily snaffle this info and grab a fair whack of confirmed email addresses and marketing info.
Not good, but then I had to wonder what the Facebook app stored.
Popping into the Facebook application directory, I quickly discovered a whole bunch of cached images and the com.Facebook.plist.
What was contained within was shocking.
Facebook has responded, giving out the following statement:
Facebook’s iOS and Android applications are only intended for use with the manufacturer provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device.
We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device.
For more on this story, you can check out the article by The Next Web.
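The core issue described above is a credential stored as a plain string inside an application property list, where any process or backup tool that can read the app's data directory can read the token. The following audit script is an added example written for this post; it is not code from the original article, from Gareth Wright, or from Facebook. It walks a plist and flags string values stored under credential-looking keys, so a reviewer can check an app's data directory or an unencrypted backup for exactly this class of mistake. The embedded plist, its key names (such as FBAccessToken) and the token values are constructed placeholders, not real data.

```python
import plistlib
import re
import sys

# Constructed sample plist: an app preferences file that stores an access
# token in plaintext. Key names and values are placeholders, not real data.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>FBAccessToken</key>
    <string>PLACEHOLDER_ACCESS_TOKEN_VALUE_0123456789abcdef</string>
    <key>FBExpirationDate</key>
    <date>2012-06-07T00:00:00Z</date>
    <key>LastViewedTab</key>
    <string>news_feed</string>
    <key>Nested</key>
    <dict>
        <key>session_secret</key>
        <string>PLACEHOLDER_SECRET</string>
    </dict>
</dict>
</plist>
"""

# Key names that usually mean "this value is a credential".
SENSITIVE_KEY = re.compile(r"(token|secret|password|passwd|credential|session)", re.I)


def find_plaintext_secrets(plist_bytes, min_len=16):
    """Return a list of (key_path, value_length) for string values stored
    under credential-looking keys. Lengths are reported instead of the
    values themselves so the audit output does not itself leak the secret.
    plistlib.loads accepts both XML and binary property lists."""
    data = plistlib.loads(plist_bytes)
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [str(key)])
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, path + [f"[{index}]"])
        elif isinstance(node, str):
            key_path = "/".join(path)
            # Short strings under a matching key (e.g. a mode flag) are skipped.
            if SENSITIVE_KEY.search(key_path) and len(node) >= min_len:
                findings.append((key_path, len(node)))

    walk(data, [])
    return findings


def scan_file(path):
    """Audit a .plist on disk (e.g. from an app container or a backup)."""
    with open(path, "rb") as handle:
        return find_plaintext_secrets(handle.read())


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = [(p, scan_file(p)) for p in targets] if targets else [("<sample>", find_plaintext_secrets(SAMPLE_PLIST))]
    for source, hits in results:
        for key_path, length in hits:
            print(f"{source}: plaintext credential-like string at {key_path} ({length} chars)")
```

Run without arguments to scan the embedded sample; pass one or more plist paths to audit real files. A secret of this kind belongs in the iOS Keychain, which is encrypted with device keys and access-controlled per app, rather than in a preferences plist that sits unprotected in the app's data directory and in unencrypted device backups.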
