Security hole exposes Android, iOS to Facebook identity theft

Summary: A new security vulnerability discovered in Facebook for Android and Facebook for iOS means your Facebook identity can be stolen if you use an Android phone, Android tablet, iPhone, and/or iPad.


Update: Facebook: Android, iOS security hole only for jailbroken devices

Gareth Wright, a U.K.-based app developer for Android and iOS, has discovered a security hole in Facebook's native mobile apps that he says can be used to steal personal information about you. The problem is that Facebook's apps for the two platforms do not encrypt your login credentials, meaning they can be easily swiped over a USB connection, or more likely, via malicious apps.

Wright detailed the issue in a blog post titled "Facebook Mobile Security Hole allows Identity theft." He explained that all a hacker needs is to grab your Facebook plist file (.plist is the extension used for a property list file, often used to store a user's settings), which Facebook reportedly sets not to expire for another 2,000 years.

From there, he or she can back up his or her own plist, log out of Facebook, and copy yours to his or her device. When the Facebook app is opened, the hacker is logged into Facebook as you. He or she has complete access to your account. If that's not bad enough, this also means the hacker can log into other apps on his or her device that require a Facebook login.

This all started when Wright began poking around in a few application directories using the free tool iExplorer (previously iPhone Explorer), and stumbled onto a plain text Facebook access token in the popular Draw Something app by OMGPOP (now owned by Zynga). Since Draw Something requests offline access to your account, he copied the hash and tested a few Facebook Query Language (FQL) queries. He said he could pull back pretty much any information from his Facebook account. These tokens run out after 60 days, but that's enough for hackers to grab some confirmed e-mail addresses and other basic information.

That's not all. When Wright checked the Facebook app, he quickly discovered a whole bunch of cached images and the "com.Facebook.plist." It didn't just contain an access token, but a full OAuth key in plain text. Even more worryingly, the expiry for the plist was set to Jan 1, 4001.
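For app developers who want to check their own builds for the same two problems (a credential stored in plain text and an expiry far beyond the 60-day token lifetime), here is an added example that is not from Wright's post or from Facebook's code. The key names, the hint list and the sample plist are assumptions constructed for illustration; the article does not give the file's actual keys.

```python
import plistlib
from datetime import datetime, timedelta

# Key-name fragments that suggest a credential (assumed heuristic, not from the article).
SECRET_HINTS = ("token", "oauth", "secret", "session", "password")
MAX_LIFETIME = timedelta(days=60)  # the 60-day token lifetime the article mentions


def audit_plist(data: bytes, now: datetime):
    """Return sorted (path, issue) findings for an app's preferences plist."""
    findings = []

    def walk(node, path):
        # Recurse through nested dictionaries and arrays.
        if isinstance(node, dict):
            for key, value in node.items():
                check(key, value, f"{path}/{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    def check(key, value, path):
        lowered = key.lower()
        if isinstance(value, (str, bytes)) and value and any(h in lowered for h in SECRET_HINTS):
            findings.append((path, "plaintext-credential"))
        elif isinstance(value, datetime) and "expir" in lowered and value - now > MAX_LIFETIME:
            findings.append((path, "long-lived-expiry"))
        else:
            walk(value, path)

    walk(plistlib.loads(data), "")
    return sorted(findings)


# Constructed sample: key names and values are invented for illustration.
SAMPLE = plistlib.dumps({
    "lastUser": "example",
    "session": {
        "accessToken": "CONSTRUCTED-TOKEN-VALUE",
        "expirationDate": datetime(4001, 1, 1),
    },
    "cacheSize": 1024,
})

if __name__ == "__main__":
    # The audit date is a constructed value, not the article's date.
    for path, issue in audit_plist(SAMPLE, datetime(2012, 1, 1)):
        print(f"{issue}: {path}")
```

A finding means the value belongs in the platform's protected credential store (the iOS Keychain, for example) rather than in a preferences file that is readable wherever the app's directory is.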

Here's what happened when Wright sent his .plist over to his friend and blogger, Scoopz:

After backing up his own plist and logging out of Facebook he copied mine over to his device and opened the Facebook app… My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added. Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures back to my friends.

In his post, Wright outlined five proofs of concept for the attack:

  1. A hidden application which runs on shared PCs. Any device plugged in to charge has the plist copied.
  2. A recompile of an open source iPhone Explorer-like program with the added code.
  3. A saved game editing tool with the added code.
  4. A credit card sized hardware solution that takes all of two seconds to copy the plist should you have physical access to an iDevice.
  5. A modified speaker dock.

Wright wrote some code to harvest Facebook plist files from phones. Over the course of a week, he grabbed more than 1,000 plist files. He said he deleted them and contacted Facebook.

Menlo Park is already working on a fix, according to Wright, but he says that's not enough:

Facebook are aware and working on closing the hole, but unless app developers follow suit and start encrypting the 60 day access token Facebook supplies, it's only a matter of time before someone starts using the info for ill purpose…if they aren't already. Until Facebook plug the hole, I'll be thinking twice about plugging my devices into a shared PC, public music docks or "charging stations".

Unlike on other platforms, Facebook develops the social network's apps for Android and iOS. Everyone else develops the Facebook app for their respective platform (RIM for BlackBerry, Microsoft for Windows Phone, HP for webOS, and so on). As such, Facebook appears to be the only party responsible for this vulnerability.

I have contacted Facebook about this issue and will update you when I hear back.


Emil Protalinski

Log in or register to join the discussion
  • But iOS is immune to malware!

    That's why I use iOS and not Android, because Android gets malware and iOS doesn't. Wait a minute....
    • You Sir Are an Idiot!

      iOS CAN get malware; just not nearly as easily or from as many sources as Android (and undoubtedly WP).
      • You sir, lack English comprehension!

        Can't you tell that the dude was being sarcastic?
  • Something missing

    If you have physical in hand to use this exploit what does jail broken have to do with it?
  • It's how Oauth is supposed to work

    You can't make it much more secure than that, if I understood OAuth 2.0 right. The app needs the token to use the Facebook API. You can encrypt the token, but you have to store the key somewhere anyway, so what's the point? An attacker still needs access to the device. If your phone gets stolen, you can revoke the authorization to the app and the token won't be valid anymore. Or am I missing something?
  • Pretty silly really

    I don't know enough about Android to comment on it, but I'm imagining it's similar to iOS.

    With iOS, you'd need the iPhone to be jailbroken, but you'd also need to be able to log in as root or mobile, which remote login is disabled by default, and you're warned extensively to change your root/mobile passwords if you do enable SSH.

    If you did have SSH enabled on a jailbroken iPhone, and someone did remote log in as either root or mobile due to your foolishly not setting up proper passwords, the last thing I'd be worried about would be someone accessing my Facebook account. I'd be more worried about all the other stuff they could do.
  • Slack

    One of the primary reasons people are using jailbroken devices in the first place is that manufacturers of phones and network providers are just plain hopeless at rolling out new updates.

    Many users are screaming out for ICS on their devices, and are using ROMs (jailbroken images of the operating systems).

    Really, how much do you trust the guys who are hacking the images, how good are you at knowing exactly what should and shouldn't be running? Just because you call a hacker a 'Developer' won't mean he/she won't have designs on your stuff!

    If you really have nothing worth looking at, or keeping on your phones/tablets then hack away. Otherwise keep it safe!!