Facebook and Dropbox Apps for iOS Vulnerable to Credential Theft

Earlier this week, Gareth Wright disclosed his recent work showing that Facebook's app for iOS contains a security vulnerability that could allow malicious users to access login credentials held in a .plist file associated with the app. Obtaining a copy of that .plist file could allow a malicious users to automatically login in to the affected user's account on another device. The flaw reportedly also exists on Android devices.

Wright first discovered the issue while using iExplorer to browse files on his iPhone, discovering that the Facebook .plist file maintains the full oAuth key and secret needed to access his account in plain text. Working with a friend, Wright was able to demonstrate that simply moving that .plist file to another device granted that device access to his Facebook account.

After backing up his own plist and logging out of Facebook he copied mine over to his device and opened the Facebook app…

My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added.

Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures back to my friends.

Wright outlines a number of different ways in which a malicious user could obtain the login credentials, including customized apps, hidden applications installed on public PCs, or hardware solutions such as a modified speaker dock that could siphon the data.

Facebook has issued a statement claiming that the issue only affects devices that have been jailbroken or lost, as it requires either installation of a custom app or physical access to the device. But as pointed out by Wright and confirmed by The Next Web, unmodified devices need not be lost in order to be targeted, as simply plugging in a device to a compromised computer or accessory would be sufficient to allow the data to be gathered.

ios dropbox plist
Dropbox .plist file seen through iExplorer (Source: The Next Web)

Furthermore, The Next Web has confirmed that the same issue affects Dropbox for iOS, similarly allowing a user to simply copy the .plist file from one device to another in order to gain access to the account. Given that two high-profile apps are vulnerable to credential theft, it seems likely that other services are also affected by the same issue.

As multiple reports note, there is no evidence that this method of collecting login credentials is actively being used in a malicious manner, and users can protect themselves for the time being by not connecting their devices to public computers or charging stations.

Update: While Wright's initial post claims that the issue affects "locked passcoded unmodified iOS Devices" when connected to a PC set up to capture the .plist file, The Next Web has now updated its report to indicate that in its testing the technique does not work on devices protected with a passcode.

Top Rated Comments

amarcus Avatar
137 months ago
Sloppy programming. This sort of information should be stored in the Keychain!
Score: 12 Votes (Like | Disagree)
bse3 Avatar
137 months ago
This has been a good week for the Apple security team

What does the security of the Facebook and Dropbox Apps have to do with the Apple Security Team? This is about lazy developers, not utilizing stuff that is there.
Score: 9 Votes (Like | Disagree)
Asclepio Avatar
137 months ago
Score: 6 Votes (Like | Disagree)
invalidname Avatar
137 months ago
Sloppy programming. This sort of information should be stored in Keychain!

Exactly. Apple makes it very clear that any sensitive information goes in the Keychain. It's not the easiest API in the iOS SDK, but anyone getting paid to write apps should be able to muscle through it.

The other thing that's obscene about the Facebook app for iOS is that it caches every element of every web page you visit with the app. Check your usage and Facebook could easily be gobbling multiple GB. Details on my blog: Facebook for iOS Pigs Out (http://www.subfurther.com/blog/2012/03/20/facebook-for-ios-pigs-out/)
Score: 6 Votes (Like | Disagree)
SandboxGeneral Avatar
137 months ago
I certainly hope these companies fix this ASAP. I don't use Facebook, so I'm alright there, but I do use Dropbox.

Agreed with someone above that this is sloppy programming. It still amazes me in this day that folks don't consider security when they create apps and such that require authentication.
Score: 6 Votes (Like | Disagree)
TallManNY Avatar
137 months ago
Every Facebook user should assume that their account can, will be and possibly already is hacked. The service is not secure. Facebook, as a company from the top down, does not believe in security and privacy anyway. Even unhacked, much of your data goes to every app that you connect to. Who knows what group is behind those apps when you connect initially. How about three years later? A failed Apps last asset before that company closes up shop is probably to sell their Facebook accounts. Some dorky game that you played five times three years ago might have changed hands a dozen times since you clicked on it. Every new entity buying that App got access to your account. Do you think Facebook is policing those entities?

The correct way to deal with this is to not have anything confidential or private on Facebook. It is designed for public consumption, which is fun and useful. It is not designed as a private storage site or private means of communication. All messages sent on Facebook should be considered public by the senders. Use it the right way, and don't worry about it being hacked anymore than someone looking up your name in the phone book.

Now Dropbox, that is another issue. That should be decently private. I suspect this will get fixed though.
Score: 5 Votes (Like | Disagree)

Popular Stories

iphone 14 pro max vs 13 max 2

Camera Comparison: iPhone 14 Pro Max vs. iPhone 13 Pro Max

Thursday September 29, 2022 7:44 am PDT by
The iPhone 14 Pro and Pro Max introduce some major improvements in camera technology, adding a 48-megapixel lens and low-light improvements across all lenses with the new Photonic Engine. We've spent the last week working on an in-depth comparison that pits the new iPhone 14 Pro Max against the prior-generation iPhone 13 Pro Max to see just how much better the iPhone 14 Pro Max can be. Subscrib ...
maxresdefault

Apple Responds to Video Testing Crash Detection Feature With Junkyard Vehicles

Friday September 30, 2022 9:11 am PDT by
The Wall Street Journal's Joanna Stern recently traveled to Michigan to test Apple's new crash detection feature on the iPhone 14 and Apple Watch Ultra. In response, Apple provided some additional information about how the feature works. Stern recruited Michael Barabe to crash his demolition derby car with a heavy-duty steel frame into two unoccupied vehicles parked in a junkyard — a 2003...
iphone 14 iphone 14 plus in hand feature

iPhone 14 Is Secretly Hiding a Beloved Mac Feature

Friday September 30, 2022 3:24 am PDT by
The iPhone 14 and iPhone 14 Pro models bring over a longstanding Mac feature, but the setting to enable it is off by default. The feature, which is actually a new accessibility option, allows the iPhone to play a startup chime like the Mac. When enabled, the sound comes alongside a new shutdown chime. The Mac has featured a startup chime since 1987's Macintosh II, and the iconic "bong"...
adaptive transparency airpods pro

iOS 16.1 Beta Brings Adaptive Transparency to Original AirPods Pro

Thursday September 29, 2022 1:08 pm PDT by
The third beta of iOS 16.1 that was released earlier this week expands the Adaptive Transparency feature introduced with the second-generation AirPods Pro to the original AirPods Pro. As noted on Reddit, first-generation AirPods Pro owners who also have the AirPods beta software will now see an "Adaptive Transparency" toggle in the AirPods section of the Settings app. The 5A304A beta...
iOS 16 Wallpaper Spectrum Feature

Five Wallpaper Apps to Check Out for iOS 16's New Lock Screen Depth Effect

Thursday September 29, 2022 9:08 am PDT by
One of the biggest new features in iOS 16 is a completely redesigned iPhone Lock Screen. The new Lock Screen is entirely customizable, letting you change the colors and fonts, add widgets and new wallpapers, and more to make your iPhone uniquely yours. Of course, even before iOS 16, you could customize your Lock Screen with a wallpaper of your choice. iOS 16 takes the Lock Screen wallpaper...
tony blevins car

Apple Procurement VP Departs Company After Vulgar TikTok Comment

Thursday September 29, 2022 12:38 pm PDT by
Tony Blevins, Apple's vice president of procurement, is set to depart the company after he made a crude comment about his profession in a recent TikTok video, reports Bloomberg. Blevins was in a video by TikTok creator Daniel Mac, who was doing a series on the jobs of people he spotted with expensive cars. After seeing Blevins in an expensive Mercedes-Benz SLR McLaren, Mac asked Blevins what ...
tim cook malala

Tim Cook: Not Too Long From Now, You'll Wonder How You Led Your Life Without AR

Thursday September 29, 2022 7:26 am PDT by
Speaking at Università Degli Studi di Napoli Federico II in Naples, Italy, Apple CEO Tim Cook said that not too long from today, people will wonder how they led a life without augmented reality, stressing the "profound" impact it will have on the not so distant future. At the university, Cook was awarded an Honorary Degree in Innovation and International Management and also sat down for a...
Hero0005

Best Apple Deals of the Week: M2 MacBook Air Hits New All-Time Low Price at $1,049, Plus Sales on AirPods Pro and More

Friday September 30, 2022 9:05 am PDT by
This week's best Apple deals focus on the AirPods Pro, AirPods Pro 2, and M2 MacBook Air, including numerous all-time low prices on these devices. You'll also find up to 50 percent off discounts on Anker and Eufy accessories on Amazon. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us...
zuckerberg metaverse

Apple CEO Tim Cook: 'I'm Not Really Sure the Average Person Can Tell You What the Metaverse Is'

Friday September 30, 2022 12:51 pm PDT by
Apple CEO Tim Cook has been touring Europe this week, sitting down for interviews with various media publications. Augmented reality has been a running theme in Cook's discussions, and it is a topic he brought up again in an interview with Dutch publication Bright, which is part of RTL News. "I think AR is a profound technology that will affect everything," Cook said, echoing comments from...
ipad pro m1 feature

Gurman: Apple Event This October Remains Unlikely, No Touch ID for iPhone 15

Sunday October 2, 2022 6:41 am PDT by
Apple is developing new iPad Pro, Mac, and Apple TV models, and at least some of these products will be released in October, according to Bloomberg's Mark Gurman. However, Gurman continues to believe that Apple is unlikely to hold an event this month. In the latest edition of his Power On newsletter, Gurman said "the big iPhone 14 unveiling last month was probably it for Apple in 2022 in...