Both Android and iOS users are susceptible to identity theft because of the vulnerability

Apr 6, 2012 09:09 GMT  ·  By

Security expert Gareth Wright identified a security hole in the iOS version of the Facebook app that could allow someone with ill intent to steal user credentials. After further analysis, the folks over at The Next Web determined that Dropbox also presents the vulnerability.

Furthermore, it has been found that not only the iOS applications are vulnerable, but also the ones developed for Android devices.

While navigating through application directories with a free tool called iExplorer, Wright discovered that the Facebook app for iOS devices stored some highly sensitive data in clear text.

“Popping into the Facebook application directory I quickly discovered a whole bunch of cached images and the com.Facebook.plist. What was contained within was shocking. Not an access token but full oAuth key and secret in plain text,” he wrote.

After analyzing his finds, he was able to determine that the .plist file, when transferred to another device, can be used to access the Facebook account associated with it.

Initially, Facebook representatives came forward to argue that the attack vector only works on rooted phones, but as it turns out, it works even on machines that haven’t been tampered with.

Now, many may think that this is one of those vulnerabilities where an attacker would need physical access to the device, but in reality, it’s far more complex than that.

Wright proved that if a malicious app is installed on a shared PC, a public docking station, or any other apparatus to which phones may be connected, the file could be retrieved.

With Dropbox it’s basically the same. The file-hosting service also uses the .plist file incorrectly, allowing anyone who gains access to it to breach the owner’s account.

Apparently, Facebook is working on addressing the problem, but the worrying thing is that if two popular apps handle these files in this manner, it’s likely that ones form other developers do the same.

So, until a more permanent fix is made available, think twice before connecting your iOS or Android phone to a public PC or docking station.

Note. My Twitter account has been erroneously suspended. While this is sorted out, you can contact me via my author profile or follow me at @EduardKovacs1