Security hole discovered in Facebook, Dropbox apps for iOS, physical connection needed to exploit it (updated)
Date: Friday, April 6th, 2012, 07:26
Category: security, Software
You’re probably not going to like this.
According to security researcher Gareth Wright and The Next Web, a fairly prominent security hole has been discovered in the popular Facebook and Dropbox iOS apps. The good news is that someone would have to have physical access to your iPhone, and you’d have to allow them to plug it into their Mac, then allow them to do a bunch of business on your phone to grab a plain text file from inside these apps, then they’d have to go and do something malicious on your Facebook or Dropbox accounts.
Although many have reported jailbreak is required to access this hole, that is simply not true. A Mac app like iExplorer, which allows you to open app folders on an iPhone, will allow you to access the security hole.
According to The Unofficial Apple Weblog, it works like this: iOS apps use .plist files (aka property list files), to store all sorts of little things about an app. In this case, Dropbox and Facebook are using an unencrypted property list to apparently store both the oauth key and its secret counterpart.
By using iExplorer to find the right plist, that file can be copied and dropped into another device, which would then be able to access your account as though you had already logged in. Using a property list in this way leaves us scratching our heads.
Facebook issued a comment saying they will patch this soon and a representative with Dropbox offered the following comment:
“Dropbox’s Android app is not impacted because it stores access tokens in a protected location. We are currently updating our iOS app to do the same. We note that the attack in question requires a malicious actor to have physical access to a user’s device. In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices.”
Stay tuned for additional details as they become available.