
Facebook mobile users beware: Gareth Wright, an application developer from the United Kingdom, recently discovered a security hole in the social media site's app. In particular, this affects iOS and Android users because neither platform encrypts login information. All it takes is for someone to copy the data over a USB connection, or for a single virus or trojan horse to infect the device, and anyone can access that personal information.

His recent blog post goes into more detail on how this works:

Whilst poking around in a few application directories using the free tool iexplorer (previously iphone explorer), I stumbled into a plain text Facebook access token in the popular Draw Something by OMG POP.

That in itself isn’t strange but as Draw Something requests offline access to your account I copied the hash and tested a few FQL queries.

Sure enough I could pull back pretty much any information from my Facebook account.

As of the 1st of May 2012 these tokens run out after 60 days but aside from that a simple .net tool could easily snaffle this info and grab a fair whack of confirmed email addresses and marketing info.

Not good, but then I had to wonder what the Facebook app stored.

Popping into the Facebook application directory I quickly discovered a whole bunch of cached images and the com.Facebook.plist.

What was contained within was shocking.

Not an access token but full OAuth key and secret in plain text. Surely though, these are encrypted or salted with the device ID.

Worryingly the expiry in the plist is set to 1 Jan 4001!


This news is quite scary, especially for people who use the Facebook mobile app on their cell phone or tablet computer. Gareth later states in his post that Facebook is currently working on fixing this issue. I think news like this is alarming and it should serve as a reminder to people to think twice before publishing anything too personal online.
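
For developers who want to check their own app for the problem described in the quoted post (credentials sitting in a plain-text plist with a far-future expiry), here is an added example that is not from Gareth's post or from Facebook. The key names, values and the key-name heuristic are constructed assumptions; only the 60-day lifetime and the 1 Jan 4001 expiry come from the post.

```python
import plistlib
import re
from datetime import datetime, timedelta

# Key-name fragments that suggest a credential (assumed heuristic, not Facebook's schema).
SENSITIVE_KEY = re.compile(r"token|secret|oauth|session|password", re.I)
MAX_LIFETIME = timedelta(days=60)  # token lifetime mentioned in the quoted post


def audit_plist(data, now):
    """Return (key path, reason) findings for a plist passed as bytes (XML or binary)."""
    findings = []

    def walk(node, path, key=""):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}/{k}", k)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]", key)
        elif isinstance(node, (str, bytes)) and SENSITIVE_KEY.search(key) and len(node) >= 16:
            # A long readable value under a credential-like key was stored unencrypted.
            findings.append((path, "credential-like value stored in plaintext"))
        elif isinstance(node, datetime) and node - now > MAX_LIFETIME:
            findings.append((path, "expiry more than 60 days away"))

    walk(plistlib.loads(data), "")
    return findings


# Constructed sample preferences file; none of these keys or values are real.
SAMPLE = plistlib.dumps({
    "oauth_key": "CONSTRUCTED-KEY-0000000000",
    "oauth_secret": "CONSTRUCTED-SECRET-0000000",
    "expires": datetime(4001, 1, 1),
    "cached_image_count": 42,
})

if __name__ == "__main__":
    for path, reason in audit_plist(SAMPLE, datetime(2012, 5, 1)):
        print(f"{path}: {reason}")
```

Anything this flags belongs in the platform's secure storage (the iOS Keychain or the Android Keystore) rather than in a preferences file.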