Apple's Beats brand in April unveiled the Powerbeats Pro, a redesigned wire-free version of its popular fitness-oriented Powerbeats earbuds.
Facebook and Dropbox Apps for iOS Vulnerable to Credential Theft
Earlier this week, Gareth Wright disclosed his recent work showing that Facebook's app for iOS contains a security vulnerability that could allow malicious users to access login credentials held in a .plist file associated with the app. Obtaining a copy of that .plist file could allow a malicious users to automatically login in to the affected user's account on another device. The flaw reportedly also exists on Android devices.
Wright first discovered the issue while using iExplorer to browse files on his iPhone, discovering that the Facebook .plist file maintains the full oAuth key and secret needed to access his account in plain text. Working with a friend, Wright was able to demonstrate that simply moving that .plist file to another device granted that device access to his Facebook account.
Facebook has issued a statement claiming that the issue only affects devices that have been jailbroken or lost, as it requires either installation of a custom app or physical access to the device. But as pointed out by Wright and confirmed by The Next Web, unmodified devices need not be lost in order to be targeted, as simply plugging in a device to a compromised computer or accessory would be sufficient to allow the data to be gathered.
Dropbox .plist file seen through iExplorer (Source: The Next Web)
Furthermore, The Next Web has confirmed that the same issue affects Dropbox for iOS, similarly allowing a user to simply copy the .plist file from one device to another in order to gain access to the account. Given that two high-profile apps are vulnerable to credential theft, it seems likely that other services are also affected by the same issue.
As multiple reports note, there is no evidence that this method of collecting login credentials is actively being used in a malicious manner, and users can protect themselves for the time being by not connecting their devices to public computers or charging stations.
Update: While Wright's initial post claims that the issue affects "locked passcoded unmodified iOS Devices" when connected to a PC set up to capture the .plist file, The Next Web has now updated its report to indicate that in its testing the technique does not work on devices protected with a passcode.
Wright first discovered the issue while using iExplorer to browse files on his iPhone, discovering that the Facebook .plist file maintains the full oAuth key and secret needed to access his account in plain text. Working with a friend, Wright was able to demonstrate that simply moving that .plist file to another device granted that device access to his Facebook account.
After backing up his own plist and logging out of Facebook he copied mine over to his device and opened the Facebook app…Wright outlines a number of different ways in which a malicious user could obtain the login credentials, including customized apps, hidden applications installed on public PCs, or hardware solutions such as a modified speaker dock that could siphon the data.
My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added.
Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures back to my friends.
Facebook has issued a statement claiming that the issue only affects devices that have been jailbroken or lost, as it requires either installation of a custom app or physical access to the device. But as pointed out by Wright and confirmed by The Next Web, unmodified devices need not be lost in order to be targeted, as simply plugging in a device to a compromised computer or accessory would be sufficient to allow the data to be gathered.
Dropbox .plist file seen through iExplorer (Source: The Next Web)
Furthermore, The Next Web has confirmed that the same issue affects Dropbox for iOS, similarly allowing a user to simply copy the .plist file from one device to another in order to gain access to the account. Given that two high-profile apps are vulnerable to credential theft, it seems likely that other services are also affected by the same issue.
As multiple reports note, there is no evidence that this method of collecting login credentials is actively being used in a malicious manner, and users can protect themselves for the time being by not connecting their devices to public computers or charging stations.
Update: While Wright's initial post claims that the issue affects "locked passcoded unmodified iOS Devices" when connected to a PC set up to capture the .plist file, The Next Web has now updated its report to indicate that in its testing the technique does not work on devices protected with a passcode.
[ 71 comments ]
Top Rated Comments
(View all)
95 months ago
Sloppy programming. This sort of information should be stored in the Keychain!
95 months ago
This has been a good week for the Apple security team
What does the security of the Facebook and Dropbox Apps have to do with the Apple Security Team? This is about lazy developers, not utilizing stuff that is there.
95 months ago
Sloppy programming. This sort of information should be stored in Keychain!
Exactly. Apple makes it very clear that any sensitive information goes in the Keychain. It's not the easiest API in the iOS SDK, but anyone getting paid to write apps should be able to muscle through it.
The other thing that's obscene about the Facebook app for iOS is that it caches every element of every web page you visit with the app. Check your usage and Facebook could easily be gobbling multiple GB. Details on my blog: Facebook for iOS Pigs Out (http://www.subfurther.com/blog/2012/03/20/facebook-for-ios-pigs-out/)
95 months ago
I certainly hope these companies fix this ASAP. I don't use Facebook, so I'm alright there, but I do use Dropbox.
Agreed with someone above that this is sloppy programming. It still amazes me in this day that folks don't consider security when they create apps and such that require authentication.
Agreed with someone above that this is sloppy programming. It still amazes me in this day that folks don't consider security when they create apps and such that require authentication.
95 months ago
Passcode
A good reason to use the Passcode function with simple passcode turned off and erase data function on.
A good reason to use the Passcode function with simple passcode turned off and erase data function on.
95 months ago
Facebook
Apple engineers and even Geniuses in the retail stores will tell you (and rightfully) that Facebook is a poorly written application. Aside from the aforementioned issue, Facebook is a memory hog and one of the reasons for battery drain. Check your logs on your iPhone (Settings -> General -> About -> Diagnostics & Usage -> Diagnostics & Usage Data), you should find LowMemory and other logs related to Facebook. Closing the app in the multitasking bar should speed up your iOS device, especially for older devices, while cutting back on battery usage.
Apple has been on Facebook regarding this issue but to no avail. With Facebook's popularity they seem to have Apple by the nads.
Noticed a negative vote, don't understand why as the information I provided is based on evidence/fact and I hope would be beneficial to some. I wish MacRumors would disengage this silly negative voting system as it truly serves no purpose other than to inflame others. Positive votes for truly helpful posts seems more logical and would support a more mature site. :)
Apple engineers and even Geniuses in the retail stores will tell you (and rightfully) that Facebook is a poorly written application. Aside from the aforementioned issue, Facebook is a memory hog and one of the reasons for battery drain. Check your logs on your iPhone (Settings -> General -> About -> Diagnostics & Usage -> Diagnostics & Usage Data), you should find LowMemory and other logs related to Facebook. Closing the app in the multitasking bar should speed up your iOS device, especially for older devices, while cutting back on battery usage.
Apple has been on Facebook regarding this issue but to no avail. With Facebook's popularity they seem to have Apple by the nads.
Noticed a negative vote, don't understand why as the information I provided is based on evidence/fact and I hope would be beneficial to some. I wish MacRumors would disengage this silly negative voting system as it truly serves no purpose other than to inflame others. Positive votes for truly helpful posts seems more logical and would support a more mature site. :)
95 months ago
Every Facebook user should assume that their account can, will be and possibly already is hacked. The service is not secure. Facebook, as a company from the top down, does not believe in security and privacy anyway. Even unhacked, much of your data goes to every app that you connect to. Who knows what group is behind those apps when you connect initially. How about three years later? A failed Apps last asset before that company closes up shop is probably to sell their Facebook accounts. Some dorky game that you played five times three years ago might have changed hands a dozen times since you clicked on it. Every new entity buying that App got access to your account. Do you think Facebook is policing those entities?
The correct way to deal with this is to not have anything confidential or private on Facebook. It is designed for public consumption, which is fun and useful. It is not designed as a private storage site or private means of communication. All messages sent on Facebook should be considered public by the senders. Use it the right way, and don't worry about it being hacked anymore than someone looking up your name in the phone book.
Now Dropbox, that is another issue. That should be decently private. I suspect this will get fixed though.
The correct way to deal with this is to not have anything confidential or private on Facebook. It is designed for public consumption, which is fun and useful. It is not designed as a private storage site or private means of communication. All messages sent on Facebook should be considered public by the senders. Use it the right way, and don't worry about it being hacked anymore than someone looking up your name in the phone book.
Now Dropbox, that is another issue. That should be decently private. I suspect this will get fixed though.
95 months ago
Doesn't Apple approve all apps before they are offered on the AppStore? I don't know what goes in to "approving" an app, but it seems like proper handling of authentication data should be one of them.
95 months ago
Unfortunately, I have to agree with TallManNY. Facebook app has been the buggiest app I have on my iPhone. Even though it recently got better, I am not surprised that their developer team turned out really lazy about security.
Facebook's programmers are terrible, but the program was far worse on Android.
Visualize a shrunken down mobile interface, but stretched to massive Desktop-size in scale (lots of white space), or a program hard-coded to use GPS, even if your device doesn't have one (it meant instant crash on many tablets or other non-phones, and would translate to the same if the iOS version did that on an iPod touch or non-3G iPad), or programming so sloppy, they don't have any exception handling (the program doesn't know how to handle errors, so just hard-crashes any time something goes wrong).
They recently fixed the "require GPS" issue on Android, but I don't think they fixed the other stuff.
I've deleted Facebook off my iPhone and re-downloading it FAR more than any other program. It's the only way to fix when it loads to a white screen, when it shows empty Contact list, etc. The program simply self-corrupts somehow.
I don't know how a company with so many billions can't seem to find any decent iOS or Android programmers.
[ Read All Comments ]
Plex today announced a few updates for its Apple TV and iOS apps, adding notable new features that are worth highlighting.
The Apple TV app now supports HDR video playback, and Plex Pass...
The newest version of Spotify for iOS, released yesterday, quietly added support for Apple's multitasking Slide Over and Split View feature on the iPad.
As noted on Reddit and highlighted by...
Apple today seeded the fourth beta of watchOS 6, the software that runs on the Apple Watch. The new beta comes two weeks after the third beta and more than a month after Apple first unveiled the new...
Apple today seeded fourth beta of an upcoming tvOS 13 update to developers, two weeks after seeding the third beta and more than a month after unveiling the tvOS 13 software at the Worldwide...
Belkin today announced the launch of three new wireless chargers in its BOOST lineup, all of which will be available from Apple's online store and select Apple retail locations.
All of the...
Square Panda today announced that its phonics learning system for kids will now be sold at select Apple Stores and on Apple.com.
The Bluetooth-enabled, multisensory playset uses iPad apps to...
Google Maps this week expanded real-time bikesharing information to 23 additional cities in 16 countries around the world.
In addition to New York City, the feature is now available in...
In celebration of World Emoji Day today, the Unicode Consortium has announced the launch of a redesigned website aimed at making it easier for anyone to submit a proposal for a new emoji.
For...
