Is there a security hole in the Facebook app for iOS and Android that could allow an attacker to easily hijack your Facebook account?
Apparently there is, but only if your phone is jailbroken.
It was reported this morning that Gareth Wright, a U.K.-based Android and iOS app developer, discovered a rather serious security flaw in the native Facebook app that could potentially be used to hijack Facebook accounts.
The vulnerability stems from the fact that a user's OAuth access token was stored in plain text in the Facebook app's plist (property list) file, which houses the user's settings; the stored token carried an expiration date of January 1st, 4001, so it would effectively never expire on its own.
Wright made the discovery after rummaging through application directories with the free iExplorer tool (commonly used to browse an iOS device's files from a desktop) and finding that the popular Draw Something game by OMG POP held a Facebook access token, also kept in plain text.
Curiosity then drove him to copy the token (a bearer credential: whoever holds it can call the Facebook API as that user) and run a few FQL (Facebook Query Language) queries with it, which allowed him to pull "pretty much any information" from his Facebook account.
From there he couldn't resist finding out what the Facebook app itself stored, and browsed through its application directories until he found the unencrypted authorization credentials tucked away in the plist file.
Of course, should an attacker get their grubby paws on a user's Facebook token, they can hijack that user's account simply by dropping it into their own copy of the Facebook app and firing it up. Wright witnessed this first-hand: he sent his own .plist file to a friend and watched as the friend posted updates to his Facebook Wall, sent some private messages, liked a few random pages and installed an application or two.
However, there was one piece of information Wright didn't mention in his Tuesday post: he was using a jailbroken iPhone.
According to a statement posted on the official Facebook Security page, the access token is only vulnerable on jailbroken phones:
We have noticed several articles claiming your Facebook account is at risk if you use Facebook for iOS or Android. This is NOT true.
Facebook’s iOS and Android applications are only intended for use with the manufacturer-provided operating system, and access tokens are only vulnerable if users have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. To protect yourself we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues.
So, if you're running the Facebook app on an unmodified iPhone or Android device and haven't handed the device itself to someone you don't trust, there's no reason to worry.
But if you ARE using a jailbroken device, take heed of Wright's warning and think twice before plugging your iPhone into a stranger's speaker dock or USB cable: anything that can read the file system can read the token. Oh, and make sure you have a way to remotely wipe your device should it ever be stolen.