Security hole exposes Android, iOS to Facebook identity theft

A new security vulnerability discovered in Facebook for Android and Facebook for iOS means your Facebook identity can be stolen if you use an Android phone, Android tablet, iPhone, and/or iPad.
Written by Emil Protalinski, Contributor

Update: Facebook: Android, iOS security hole only for jailbroken devices

Gareth Wright, a U.K.-based app developer for Android and iOS, has discovered a security hole in Facebook's native mobile apps that he says can be used to steal personal information about you. The problem is that Facebook's apps for the two platforms do not encrypt your login credentials, meaning they can be easily swiped over a USB connection, or more likely, via malicious apps.

Wright detailed the issue in a blog post titled "Facebook Mobile Security Hole allows Identity theft." He explained that all a hacker needs is to grab your Facebook plist file (.plist is the extension used for a property list file, often used to store a user's settings), which Facebook reportedly sets not to expire for another 2,000 years.

From there, he or she can back up his or her own plist, log out of Facebook, and copy yours to his or her device. When the Facebook app is opened, the hacker is logged into Facebook as you. He or she has complete access to your account. If that's not bad enough, this also means the hacker can log into other apps on his or her device that require a Facebook login.

This all started when Wright began poking around in a few application directories using the free tool iexplorer (previously iphone explorer), and stumbled into a plain text Facebook access token in the popular Draw Something app by OMG POP (now owned by Zynga). Since Draw Something requests offline access to your account, he copied the hash and tested a few Facebook Query Language (FQL) queries. He said he could pull back pretty much any information from his Facebook account. These tokens run out after 60 days, but that's enough for hackers to grab some confirmed e-mail addresses and other basic information.

That's not all. When Wright checked the Facebook app, he quickly discovered a whole bunch of cached images and the "com.Facebook.plist." It didn't just contain an access token, but a full oAuth key in plain text. Even more worryingly, the expiry for the plist was set to Jan 1, 4001.

Here's what happened when Wright sent his .plist over to his friend and blogger, Scoopz:

After backing up his own plist and logging out of Facebook he copied mine over to his device and opened the Facebook app… My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added. Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures back to my friends.

In his post, Wright outlined five proof of concepts for the attack:

  1. A hidden application which runs on shared PC's Any device plugged in to charge has the Plist copied.
  2. A recompile of an open source iphone explorer like program with the added code.
  3. A saved game editing tool with the added code.
  4. A credit card sized hardware solution that takes all of two seconds to copy the plist should you have physical access to an iDevice.
  5. A modified speaker dock.

Wright wrote some code to harvest Facebook plist file from phones. Over the course of a week, he grabbed more than 1,000 plist files. He said he deleted them and contacted Facebook.

Menlo Park is already working on a fix, according to Wright, but he says that's not enough:

Facebook are aware and working on closing the hole, but unless app developers follow suit and start encrypting the 60 day access token Facebook supplies, it's only a matter of time before someone starts using the info for ill purpose…if they aren't already. Until Facebook plug the hole, I'll be thinking twice about plugging my devices into a shared PC, public music docks or "charging stations".

Unlike on other platforms, Facebook develops the social network's apps for Android and iOS. Everyone else develops the Facebook app for their respective platform (RIM for BlackBerry, Microsoft for Windows Phone, HP for webOS, and so on). As such, Facebook appears to be the only party responsible for this vulnerability.

I have contacted Facebook about this issue and will update you when I hear back.

Update: Facebook: Android, iOS security hole only for jailbroken devices

See also:

Editorial standards