A security hole affects more mobile devices than previously reported, enabling theft of identity and other data from Facebook profiles.
Facebook had claimed that this security hole only affected devices that had their operating systems modified, or jailbroken. That assertion is false: the vulnerability affects all Android and Apple gizmos.
The security hole was initially discovered by security researcher Gareth Wright, who used iExplorer, a free application that allows users to browse files on their iPhones or iPads as if they were storage devices.
He discovered a plain text Facebook access token — an encapsulation of a user’s identity and personal information — in Omgpop’s Draw Something mobile game.
After copying the access token and testing it with Facebook Query Language, he was able to access “pretty much any information” from his Facebook account.
He then opened the directory for the Facebook app with iExplorer and found his login information in plain text in the com.Facebook.plist file. Wright sent the plist file to a local blogger he is friendly with, and the blogger was able to access his Facebook account and perform activities such as posting to his wall, liking pages, sending private messages, adding apps, and sending pictures via Draw Something.
Wright installed the plist file on four other devices and the results were the same, so he contacted Facebook, which initially responded that the problem had already been reported and was being worked on.
He then tested the plist issue with several devices that would typically be used to illegally obtain user information, and Wright was able to collect more than 1,000 plist files in one week (he did not copy any of the data).
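An audit sketch for the storage flaw described above, added here as an example and not code from Wright, Facebook or the original article: it walks an app's preferences plist and flags string values that look like stored credentials, printing them only in redacted form. The key-name pattern, the entropy threshold and the sample plist are assumptions constructed for illustration.

```python
import math
import plistlib
import re

# Key names that suggest a credential; an assumed list, extend it per app.
SENSITIVE_KEY = re.compile(r"token|secret|passw|session|auth|api_?key", re.I)

def entropy(s):
    """Shannon entropy in bits per character."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def redact(value):
    return f"{value[:4]}...({len(value)} chars)"

def audit_plist(data):
    """Return (key path, reason, redacted value) for each suspect string."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}/{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, (str, bytes)):
            text = node.decode("latin-1") if isinstance(node, bytes) else node
            leaf = path.rsplit("/", 1)[-1]
            if text and SENSITIVE_KEY.search(leaf):
                findings.append((path, "credential-like key name", redact(text)))
            elif len(text) >= 32 and " " not in text and entropy(text) > 4.0:
                findings.append((path, "long high-entropy string", redact(text)))

    walk(plistlib.loads(data), "")  # loads() accepts XML and binary plists
    return findings

# Constructed sample; key names and values are invented, not Facebook's.
SAMPLE = plistlib.dumps({
    "AppVersion": "1.0",
    "kAccessToken": "EXAMPLEtoken0123456789abcdefXYZ",
    "accounts": [{"name": "test user", "blob": "q8Zr1LmX0pVt7Ys3Nc5Hd9Jk2Gf6Bw4AeUoRi"}],
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for path, reason, shown in audit_plist(SAMPLE):
        print(f"{path}: {reason}: {shown}")
```

A developer would run this over the preferences files their own app writes on a test device; any finding means a secret is sitting in a file that a tool like iExplorer can read.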
Facebook issued a long statement, blaming devices that were jailbroken, or modified, for the security hole:
Facebook’s iOS and Android applications are only intended for use with the manufacturer-provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android), or have granted a malicious actor access to the physical device.
We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment, and security, all of which is compromised on a jailbroken device. As Apple states, “Unauthorized modification of iOS could allow hackers to steal personal information … or introduce malware or viruses.”
To protect themselves, we recommend that all users abstain from modifying their mobile OS to prevent any application instability or security issues.
End of story? Not quite. Wright and The Next Web were both able to duplicate the security hole on devices that were not jailbroken or modified.
I feel I should reiterate Facebook is playing this down and that’s fine, but saying it only affects stolen and jailbroken phones is not.
The biggest risk is from malware and viruses designed to slurp data from devices plugged into PCs, so despite what any other articles say, jailbroken or not, you are vulnerable.
When tested, this worked on locked, pass-coded, unmodified iOS devices.
The Next Web also shared its experiences:
As a matter of fact, we have duplicated the Facebook hack here at TNW labs (using our own devices) and it works perfectly well without a jailbreak.
If you read the Facebook statement carefully, however, it does cover its bases when it states that you are vulnerable if you have “granted a malicious actor access to the physical device.” That is absolutely true — your device would need to be accessed physically somehow, but it doesn’t mean that it would need to be stolen or that another person would even need to touch it.
Readers: Have you encountered any similar mobile security issues with Facebook for the iPhone, iPad, or Android?