Facebook security hole jeopardizes iPhone, Android devices

A security flaw in Facebook’s mobile apps can be easily tapped by thieves searching for personal information about you.

The problem is that Facebook’s app for iOS and Android devices doesn’t encrypt your login credentials, making them a sitting duck for bad apps or a poisoned USB connection.

“A rogue application, or two minutes with a USB connection, are all that’s needed to lift the temporary credentials from either device,” Bill Ray wrote in The Register.

The security hole was discovered by Gareth Wright, a UK-based developer of apps for iOS and Android devices.

Wright, writing in a blog, says he discovered the flaw while poking around some of the application directories in his iPhone with a free tool for doing that. In the course of his prodding, he discovered a Facebook access token in one of the games on his phone.

After copying the token’s code, he used it to extract information from Facebook using the Facebook Query Language. “Sure enough, I could pull back pretty much any information from my Facebook account,” he wrote. And if he could do that, anyone who snatched one of those tokens could do it, too.

Wright’s experience with the token stirred his curiosity about the Facebook app itself. Poking around in that app’s directory, he observed, “What was contained within was shocking.” Inside the app’s plist — a plain text file containing a user’s settings — there was an unencrypted key that gave whoever had it full access to a Facebook account.

As an experiment, Wright sent his plist to a friend. The friend substituted Wright’s plist for his own.

“My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, web pages liked and applications added,” Wright wrote.

Ever the scientist, Wright decided to illustrate how a hacker could harvest plists from phones. He wrote some code that could be used to infect PCs, software, even a speaker dock. The code counted the plists of any device it came in contact with — although it could be easily tweaked to copy the lists.

Over the course of a week, more than 1,000 plists were located and counted, Wright wrote.

The developer has informed Facebook of the flaw and the social networking giant told him it is working on a fix. But, he noted, even if Facebook plugs the hole in its app, its members still remain vulnerable to an attack by using the plain text token that many developers are storing in their games’ plists.
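The weakness Wright describes is a credential written in plain text to a property list. As an added example that is not from the article, from Facebook, or from any of the apps it names, here is a small Python audit that parses a plist and flags entries whose key names look credential-related and whose values are long opaque strings, the kind of finding a reviewer would want surfaced before an app ships. The key-name patterns, the value heuristic and the sample plist are assumptions constructed for the example.

```python
import plistlib
import re

# Key names that commonly hold secrets (assumed list, not from the article).
SENSITIVE_KEY = re.compile(r"(token|secret|session|password|credential|auth)", re.I)
# Opaque-looking value: long, no spaces, only base64/hex/URL-safe characters.
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9_\-./+=|]{20,}$")


def find_plaintext_credentials(plist_bytes: bytes) -> list:
    """Return (key path, redacted value) pairs for suspicious plaintext entries."""
    data = plistlib.loads(plist_bytes)
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}/{key}" if path else str(key))
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str):
            key_name = path.rsplit("/", 1)[-1]
            if SENSITIVE_KEY.search(key_name) and OPAQUE_VALUE.match(node):
                # Redact so the audit report itself does not leak the secret.
                findings.append((path, node[:6] + "..." + f"({len(node)} chars)"))

    walk(data, "")
    return findings


# Constructed sample resembling an app preferences plist; the token value is made up.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>UserID</key><string>12345</string>
  <key>Theme</key><string>dark</string>
  <key>Session</key>
  <dict>
    <key>AccessToken</key><string>AAABBBcccDDD111222333eeeFFFggg444555666</string>
    <key>ExpiresAt</key><string>2012-04-30T12:00:00Z</string>
  </dict>
</dict>
</plist>
"""

if __name__ == "__main__":
    for path, value in find_plaintext_credentials(SAMPLE_PLIST):
        print(f"plaintext credential-like entry: {path} = {value}")
```

The same walk can be pointed at every plist in an app's sandbox during a review; anything it flags belongs in the platform keychain rather than in a preferences file.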

Earlier this year, the Facebook Android app was cited as one of several that spied on SMS messages created on the phones it was installed on. Facebook denied that accusation. Although its app requests permissions to receive, process and write text messages as well as read those communications, the app doesn’t use those permissions, Facebook said.

Follow freelance technology writer John P. Mello Jr. and [email protected] on Twitter.


Jim Love, Chief Content Officer, IT World Canada
