Facebook Plist Mobile Security Hole Allows Identity Theft [Updated]

 

I’ve made posts about various iOS games and the fact that developers, rather than encode add to keychain or save values in the binaries, choose to save those values in plain text plists.
The majority of traffic to this site is to the pages relating to using these oversights for cheating in iOS games, but high scores should be the least of their worries.
Whilst poking around in a few applications directories using the free tool iexplorer (previously iphone explorer), I stumbled into a plain text (plist) Facebook access token in the popular Draw Something by OMG POP.
That in itself isn’t strange but as Draw Something requests offline access to your account I copied the hash and tested a few FQL queries.
Sure enough I could pull back pretty much any information from my Facebook account.
As of the 1st of May 2012 these tokens run out after 60 days but aside from that a simple .net tool could easily snaffle this info and grab a fair whack of confirmed email addresses and marketing info.
Not good, but then I had to wonder what the Facebook app stored.
Popping into the Facebook application directory I quickly discovered a whole bunch of cached images and the com.Facebook.plist
What was contained within was shocking.

Not an access token but full oAuth key and secret in plain text. Surely though, these are encrypted or salted with the device ID…unfortunetly not.
Worryingly the expiry in the plist is set to 1 Jan 4001!

Quick export and call to my good friend and local blogger Scoopz and I sent over my plist for him to try out.
After backing up his own plist and logging out of Facebook he copied mine over to his device and opened the Facebook app…
My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added.
Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures back to my friends.
Even after restoring his own plist he still gets notifications for my games.
Having installed my Plist on 4 different devices with no warning I contacted Facebook.

In an email response dated 29 March 2012 20:41:11 GMT+01:00 a representative of the Facebook security team confirmed that the issue had already been reported and:

“We are working to fix it.

Thanks for contacting Facebook,

Emrakul
Security
Facebook”
After contacting Facebook I took the liberty of knocking together a few proof of concepts.
1) A hidden application (malware) which runs on shared PC’s Any device plugged in to charge has the Plist copied
2) A recompile of an open source iphone explorer like program with the added code
3) A saved game editing tool with the added code
4) A credit card sized hardware solution that takes all of two seconds to copy the plist should you have physical access to an iDevice
5) A modified speaker dock
Over the course of a week over 1000 vulnerable plists were located and counted, though I hasten to add at no point was any data copied. (To clarify a 1000+ plists with open information re: facebook tokens or auth keys inc. 3rd party apps)
Facebook are aware and “working on” closing the hole, (why the haven’t used the keychain is anyones guess) but unless app developers follow suit and start encrypting the 60 day access token Facebook supplies, it’s only a matter of time before someone starts using the info for ill purpose…if they aren’t already.
Until Facebook plug the hole, I’ll be thinking twice about plugging my devices into a shared PC, public music docks or “charging stations”.

UPDATE

I’ve been told this also works on Android devices, though I’ve not had the opportunity to put that to the test yet.

Though given the programming oversight in the iOS app, it stands to reason the issue will translate to other platforms.

I feel I should reiterate, Facebook are playing this down and that’s fine, but saying it only effects stolen and jailbroken phones is not. 

The biggest risk is from malware and viruses designed to slurp data from devices plugged into PC’s, so despite what any other articles say; jailbroken or not you ARE vulnerable!

When tested this worked on locked passcoded unmodified iOS Devices (Passcoded devices exploitable if plugged into a computer a user has previously synced to OR if device is unlocked whilst still connected to a shared computer)

According to some articles Facebook say this isn’t really fixable, but they could at least add 2nd-tier authentication or at a minimum warn a user when another device has been used to access their account.

They do that for the web, why not mobile devices….

UPDATE:LinkedIn is also vulnerable

13 Comments