Facebook Plist Mobile Security Hole Allows Identity Theft [Updated]

Written by Gareth Wright, 3 April 2012

This page is a faithful restoration of the original article, lightly formatted for readability.

I have written about iOS games and how some developers choose to store values in plain text plists rather than using the keychain. The traffic to those pages is high. Scores are not the real risk.

While browsing app directories using the free tool iExplorer, I found a plain text Facebook access token inside Draw Something by OMG POP. Draw Something requests offline access. I copied the token and ran a few FQL queries. I could retrieve a lot of information from my account.

From 1 May 2012 these tokens expire after sixty days. Even so, a simple .NET tool could still harvest a large set of confirmed email addresses and marketing data before they lapse. That raised a bigger question: what does the Facebook app itself store?

Inside the Facebook application directory I found cached images and a file named com.Facebook.plist. The contents were worse than expected.

Not an access token. A full OAuth key and secret in plain text, with no device-based protection. The expiry in the plist was set to 1 Jan 4001.

I exported my plist and called my friend and local blogger Scoopz. After backing up his own plist and logging out of Facebook he copied mine to his device and opened the app.

Over the next few minutes posts appeared on my wall, private messages were sent, pages were liked, and applications were added. Scoopz then opened Draw Something on his iPad, which logged him straight into my account, and he sent pictures to my friends. Even after restoring his own plist he continued to receive my game notifications. I repeated this on four devices and none of them produced any warning. I contacted Facebook.

In an email at 20:41 on 29 March 2012 the Facebook security team replied that the issue had already been reported and they were working to fix it.

After contacting Facebook I built a few proof of concepts.

Over a week I located more than one thousand vulnerable plists, counting Facebook tokens or auth keys stored by third-party apps. I did not copy any private data.

Facebook are aware and say they are working on a fix. Developers should store tokens in the keychain rather than in plists or any other file inside the app container; a keychain item stored with a this-device-only accessibility class is additionally not restored onto another device from a backup, which is exactly the copy-to-another-device path used above. If this continues it is only a matter of time before someone abuses these tokens.
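The plist survey above is the kind of check a practitioner would want to reproduce against their own devices. What follows is an added example, not the author's tool (which the page does not show): a Python scanner that walks an exported app-container directory, such as an iExplorer export, and flags plists holding token-like strings or expiry dates set far in the future. The key-name patterns, directory layout and sample plist contents are my assumptions, constructed for the example; only their shape (a token, a secret and an expiry of 1 Jan 4001) follows the article.

```python
import datetime
import os
import plistlib
import re
import tempfile

# Key names that commonly hold OAuth material. These patterns are an
# assumption for the example, not taken from the article or any Facebook SDK.
SENSITIVE_KEY = re.compile(r"access_?token|oauth|secret|session_?key", re.I)
# Anything set to expire further out than this is treated as never expiring
# (the plist described in the article carried an expiry of 1 Jan 4001).
MAX_LIFETIME = datetime.timedelta(days=90)


def _to_datetime(value):
    """Normalise the expiry representations a plist might use to naive UTC."""
    if isinstance(value, datetime.datetime):
        return value.replace(tzinfo=None)
    if isinstance(value, (int, float)) and not isinstance(value, bool) and value > 1_000_000_000:
        # A bare number is assumed to be Unix epoch seconds (another assumption).
        return datetime.datetime.fromtimestamp(value, datetime.timezone.utc).replace(tzinfo=None)
    return None


def scan_plist(path, now):
    """Return [(issue, key_path, preview)] for one plist; [] if clean or unreadable."""
    findings = []
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException, ValueError):
        return findings

    def walk(node, trail):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, trail + [str(k)])
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, trail + [str(i)])
        else:
            key = "/".join(trail)
            # A long string under a token/secret-looking key is a plaintext credential.
            if SENSITIVE_KEY.search(key) and isinstance(node, str) and len(node) >= 16:
                findings.append(("plaintext-secret", key, node[:6] + "..."))
            # An expiry far beyond the configured lifetime is effectively permanent.
            expiry = _to_datetime(node) if "expir" in key.lower() else None
            if expiry is not None and expiry - now > MAX_LIFETIME:
                findings.append(("long-lived-expiry", key, expiry.isoformat()))

    walk(data, [])
    return findings


def scan_tree(root, now=None):
    """Walk an app-container export and report findings per plist, keyed by relative path."""
    if now is None:
        now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".plist"):
                path = os.path.join(dirpath, name)
                found = scan_plist(path, now)
                if found:
                    results[os.path.relpath(path, root)] = found
    return results


def build_sample_tree():
    """Constructed sample data so the scanner runs offline: one plist shaped like the
    one the article describes (token, secret, far-future expiry) and one harmless
    game preferences file. Every value here is made up."""
    root = tempfile.mkdtemp(prefix="plistscan-")
    fb_dir = os.path.join(root, "Facebook.app", "Library", "Preferences")
    game_dir = os.path.join(root, "Game.app", "Library", "Preferences")
    os.makedirs(fb_dir)
    os.makedirs(game_dir)
    with open(os.path.join(fb_dir, "com.Facebook.plist"), "wb") as fh:
        plistlib.dump({
            "FBAccessToken": "AAAA" * 10,              # 40-char made-up token
            "FBSessionSecret": "deadbeef" * 4,         # made-up secret
            "FBExpirationDate": datetime.datetime(4001, 1, 1),
        }, fh, fmt=plistlib.FMT_BINARY)
    with open(os.path.join(game_dir, "com.example.game.plist"), "wb") as fh:
        plistlib.dump({"HighScore": 1234, "SoundOn": True}, fh)
    return root


if __name__ == "__main__":
    for rel, issues in scan_tree(build_sample_tree()).items():
        for issue, key, preview in issues:
            print(f"{rel}: {issue} at {key} ({preview})")
```

Point `scan_tree` at a directory exported from a device you own. A hit only shows that a credential-shaped value sits in a world-readable file; it says nothing about whether the token is still live, and apps also stash tokens in SQLite databases and ad hoc binary files that this plist-only pass will not see.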

Until there is a fix, avoid plugging devices into shared PCs, public docks, or charging stations.

Update

I have been told this also works on some Android devices, though I have not tested this fully. Given the oversight in the iOS app it likely translates to other platforms.

Facebook are playing this down. This is not only about stolen or jailbroken phones. The biggest risk is malware that slurps data from devices connected to a PC. Passcode status does not remove the risk if the device has been paired with that computer.

Facebook could add second factor prompts or warn when another device uses a mobile token. The web version has similar checks. Mobile should have them as well.


Originally posted in 2012. Source snapshot via the Internet Archive.