Facebook ID theft threat impacts iPhones, Dropbox

Although Facebook says that a vulnerability allowing someone to access another user's account only affects jailbroken iPhones, two reports say that's not the case.


UK app developer Gareth Wright and The Next Web have separately confirmed that the issue, which originates from Facebook's iPhone application, actually affects any iPhone, and not just those that have been jailbroken.

Wright announced his findings last week. He claims that Facebook's iPhone application has a vulnerability: it fails to encrypt the log-on credentials it stores when a user accesses the social network from the mobile application. Wright said that he then came across a Facebook access token stored by the Draw Something game, copied it, and, by querying Facebook with the Facebook Query Language, extracted the information the token gave access to.

"Sure enough, I could pull back pretty much any information from my Facebook account," he wrote. He went on to say that the app's property list contained all the information needed to allow someone else to access a person's Facebook account, send private messages and do whatever else they wanted on the site.

In a statement to CNET, Facebook said that the issue only affects jailbroken devices.

"Facebook's iOS and Android applications are only intended for use with the manufacturer-provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e., jailbroken iOS or modded Android), or have granted a malicious actor access to the physical device," the social network said in a statement.

In addition to Wright, The Next Web, which re-created the hack, confirmed that it "does not require a jailbreak".

But the blog went one step further, and found that Dropbox also suffers from the same flaw, leaving the application open to a so-called "plist", or property list, hack.

"We copied the .plist from one device with the app installed and logged in, over to another, which had a fresh installation of Dropbox on it," The Next Web said. "The profile copied and it worked seamlessly, as if we had logged on ourselves, which we had not."

One other interesting titbit from the findings on Dropbox: the hack will even work on an iPhone protected by a passcode.
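The findings above come down to one storage mistake: an access token written in plaintext into an app's property list, where anything that can read the app's files can copy it. The following audit script is an added illustration and is not code from the article, from Facebook or Dropbox, or from the researchers quoted; it parses a property list with Python's standard plistlib and flags string values stored under credential-like keys, the kind of check an app developer or reviewer can run against their own app's container before release. The plist content and every key name in it are constructed for this example. A finding here points to the standard mitigation: keep tokens in the iOS Keychain rather than in a property list, and treat an unexpired token as equivalent to a password.

```python
import plistlib
import re

# Constructed sample: a per-app property list of the kind the article describes.
# Key names and values are invented for this example, not taken from any real app.
LEAKY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppVersion</key>
    <string>4.1.1</string>
    <key>FBAccessTokenKey</key>
    <string>AAACEdEose0cBAExampleTokenValue1234567890abcdefghijklmnopqrstuvwxyz</string>
    <key>FBExpirationDateKey</key>
    <date>2012-06-01T00:00:00Z</date>
    <key>UserPrefs</key>
    <dict>
        <key>SoundEnabled</key>
        <true/>
        <key>session_secret</key>
        <string>s3cr3t-session-value-0000000000</string>
    </dict>
</dict>
</plist>
"""

# Constructed sample of the same preferences file after the token has been moved
# out of the plist (e.g. into the Keychain): only non-secret settings remain.
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppVersion</key>
    <string>4.1.1</string>
    <key>UserPrefs</key>
    <dict>
        <key>SoundEnabled</key>
        <true/>
    </dict>
</dict>
</plist>
"""

# Heuristics (assumptions of this example, not an authoritative list):
# a key whose name suggests a credential, holding an opaque token-like string.
SENSITIVE_KEY = re.compile(r"(token|secret|passw|credential|session|auth|cookie)", re.I)
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9_\-./+=]{20,}$")


def find_plaintext_secrets(plist_bytes):
    """Return [(key_path, redacted_value_prefix), ...] for suspicious string entries.

    Walks nested dicts and arrays; dates, booleans and numbers are ignored because
    the plaintext-credential risk is about opaque string values.
    """
    data = plistlib.loads(plist_bytes)
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [str(key)])
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, path + [f"[{index}]"])
        elif isinstance(node, str):
            key = path[-1] if path else ""
            if SENSITIVE_KEY.search(key) and OPAQUE_VALUE.match(node):
                # Never log the whole secret; a short prefix is enough to locate it.
                findings.append(("/".join(path), node[:8] + "..."))

    walk(data, [])
    return findings


if __name__ == "__main__":
    for label, blob in (("leaky", LEAKY_PLIST), ("clean", CLEAN_PLIST)):
        hits = find_plaintext_secrets(blob)
        print(f"{label}: {len(hits)} finding(s)")
        for key_path, prefix in hits:
            print(f"  {key_path} = {prefix}")
```

Run against a real app container the script reads the plist from disk instead of the embedded bytes; the rule set is deliberately simple and will miss secrets stored under innocuous key names, so it is a screening step, not proof of absence. The contrast between the two samples shows the intended end state: once the token lives in the Keychain, the preferences file has nothing worth copying.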

Neither Facebook nor Dropbox immediately responded to CNET's request for comment on these latest developments.

Via CNET


PaulA1 (Australia) posted a comment:

It's 'tidbit' not 'titbit' :)
