Facebook And Dropbox Apps Vulnerable To Security Hole
by Brent Dirks
April 6, 2012
Both the Facebook and Dropbox iOS apps are vulnerable to a security hole, discovered by security researcher Gareth Wright, that could allow a third party access to your account and profile.
And as reported by The Next Web, your device doesn't have to be jailbroken for the hack to work.
The issue lies in how both apps store your profile information. Boiled down, your profile is stored by both apps in a plain text file that can easily be accessed or copied to another device. If the .plist file was encrypted or not accessible, the hack wouldn't work.
Facebook issued a statement when first asked about the issue:
Facebook's iOS and Android applications are only intended for use with the manufacturer provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device.But, there is a slight problem. TNW was able to recreate the hack on its own devices that were not jailbroken. Using iExplorer, TNW was able to copy a Dropbox profile from one non-jailbroken device to another that contained a fresh installation of the app. The device with the fresh installation was started, and Dropbox worked exactly like it did on the other device with all of the correct login information. Surprisingly, your phone doesn't even have to be stolen for the hack to work. Someone could easily write a malicious program that could capture the .plist information on a public computer or charging station. Having a passcode set on your device won't help either since the entire file system isn't encrypted on your iOS device. Despite the scary news, there is no reason to break out in a cold sweat at this point if you use either one of these apps. First, there is no evidence that this vulnerability is being used by anyone in the real world to capture information, which is good news. And since your device would have to be physically accessed, use common sense and stay away from public computers or charging stations that look out of the ordinary until this vulnerability is fixed by both companies. For its part, Dropbox did issue a statement saying that the hole would be closed in a future update of its app. Facebook is said to be aware of the issue, as well. Hopefully, other developers are looking at how they use the .plist file and make sure that their apps don't have the same hole. Are you concerned about the vulnerability and how Facebook and Dropbox are handling the issue? (Image via VentureBeat)