Facebook Reassures Users, But Hole May Put Mobile Data at Risk


by Christopher Brook

UPDATED: Facebook Security assured users on Thursday who access their Facebook account via Android or iOS devices that mobile sessions on the social networking site aren’t vulnerable to hacking. However, research published this week suggests otherwise.

A blog entry posted by UK-based mobile application developer Gareth Wright suggests that users who have their mobile phones compromised may be subject to account takeover attacks.

Writing on Tuesday, Wright identified an alleged problem in the social network’s plain text access token, stored in the file ‘com.Facebook.plist.’ Wright was able to take the unencrypted token, available in the application’s directory, and copy it to a friend’s device. After his friend removed his own token, the friend was able to see all of Wright’s personal Facebook posts, messages and likes on his own phone without even logging in.

The hole raises concern for anyone who may plug their phone into public computers or modified public charging stations, putting their .plist files in danger of being swiped by malware residing on those machines, Wright said.

Attack scenarios include a hidden application that runs in the background on shared PCs and copies the plists of any phone attached to them. Alternatively, attackers could devise a tool for copying plists from mobile devices to which they had physical access.
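The weakness described above is a credential stored in the clear inside an application’s own data container. The following is an added example, not code from the article, from Wright, or from Facebook: a small audit that walks a decoded plist and reports values that look like bearer tokens, the kind of check an app security reviewer runs over an app’s sandbox before release. The plist contents are constructed for the example; the page does not give the real file’s keys, and the key-name and value heuristics are assumptions.

```python
import plistlib
import re

# Key names that commonly hold credentials (constructed list for this example).
SENSITIVE_KEY_RE = re.compile(r"(token|secret|session|password|credential)", re.IGNORECASE)
# Opaque strings long enough to be an OAuth-style bearer token (heuristic, an assumption).
OPAQUE_VALUE_RE = re.compile(r"^[A-Za-z0-9_\-\.=|]{20,}$")

# Constructed sample of what a plaintext-token plist might contain; not the real file.
SAMPLE_PLIST = plistlib.dumps({
    "access_token": "CONSTRUCTED_TOKEN_abcdefghijklmnopqrstuvwxyz0123456789",
    "user_id": "12345",
    "session": {"sid": "s9d8f7g6h5j4k3l2m1n0b9v8c7x6z5", "theme": "dark"},
})


def find_plaintext_tokens(data, path=""):
    """Walk a decoded plist (nested dicts, lists and scalars) and return a list of
    (key_path, reason) pairs for string values that look like stored credentials."""
    findings = []
    if isinstance(data, dict):
        for key, value in data.items():
            child = f"{path}/{key}" if path else str(key)
            if isinstance(value, str) and SENSITIVE_KEY_RE.search(str(key)):
                findings.append((child, "credential-like key with string value"))
            elif isinstance(value, str) and OPAQUE_VALUE_RE.match(value):
                findings.append((child, "long opaque string (possible token)"))
            findings.extend(find_plaintext_tokens(value, child))
    elif isinstance(data, list):
        for index, value in enumerate(data):
            findings.extend(find_plaintext_tokens(value, f"{path}[{index}]"))
    return findings


def audit_plist_dict(decoded):
    """Audit an already-decoded plist (a dict)."""
    return find_plaintext_tokens(decoded)


def audit_plist_bytes(raw):
    """Audit raw plist bytes (XML or binary format)."""
    return audit_plist_dict(plistlib.loads(raw))


def audit_plist_file(path):
    """Audit a plist on disk, e.g. one copied out of an app's sandbox during review."""
    with open(path, "rb") as handle:
        return audit_plist_bytes(handle.read())


if __name__ == "__main__":
    for key_path, reason in audit_plist_bytes(SAMPLE_PLIST):
        print(f"{key_path}: {reason}")
```

Any hit from this audit is a token that leaves with the file: it is readable through a USB file browser on a non-jailbroken device and is included in backups. On iOS the remediation is to keep such tokens in the Keychain with a ThisDeviceOnly accessibility class, which the system refuses to migrate to another device, so a copied container no longer carries a usable session.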

Wright’s findings prompted Facebook’s security group to issue a statement Thursday afternoon claiming that users accessing Facebook.com from an iOS or Android device were only vulnerable if using a jailbroken iOS or modded Android device. The update insists that Facebook’s application is only for use with the device’s manufacturer-provided operating system, and concedes that if a “malicious actor” were granted access to the physical device, it could be vulnerable.

However, Wright’s hack, which used the app iExplore to browse iOS files, doesn’t require a jailbroken iPhone. Further research from writers at TheNextWeb.com on Friday helped verify his findings and also found that file-syncing app Dropbox, which has been taking security heat of its own lately, also demonstrates the vulnerability.

In an interview with ZDNet, Wright claims Facebook “are aware and working on closing the hole.”

In a statement, Dropbox said that the company’s Android application was not affected because it stores access tokens in a protected location. “We are currently updating our iOS app to do the same. We note that the attack in question requires a malicious actor to have physical access to a user’s device. In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices,” said the statement from a Dropbox spokeswoman.

Facebook is reportedly working on a fix for the plist problem.
