Sophos Cloud Optix
It’s not really news to discover that developers who write games for Apple devices running iOS – namely the iPhone, iPad and iPod Touch – have tended to save user settings in plain, unencrypted text.
The idea of somebody tinkering with those text files is worrisome to those who fret about cheating in iPhone or iPad games, but few have worried about the seriousness of the data leaking out.
Until now that is.
Developer Gareth Wright recently found that, as he posted on Tuesday, “high scores should be the least of [users’] worries.”
Namely, the lack of encryption on both Facebook’s iOS and Android clients leaves them “languishing in a folder accessible to other apps or USB connections,” as The Register reports.
When poking around in application directories with the iExplorer tool (previously iPhone Explorer, a freeware program for the Mac and PC that lets you browse files on your iPhone or iPad like a flash drive), Wright found a plain text Facebook access token in the popular Draw Something game.
When Wright copied the hash and tried a few Facebook Query Language (FQL) queries, he found that he could pull back “pretty much any information” from his own Facebook account.
Looking into his Facebook application directory, Wright found cached images and the com.Facebook.plist (a .plist being the extension used for a property list file, often used to store a user’s settings).
He didn’t just find an access token – rather, he found the full authorisation credentials in plain text.
iOS games often store high scores in plaintext and rely on the OS for protection. But some also store Facebook-connection tokens in the same place.
While such tokens are only valid for 60 days, Facebook itself stores a similar token that lasts until 1 Jan 4001.
A hacker who copies that token onto another device can get into users’ Facebook accounts until the cows come home. Heck, if you wait until 4001, the cows will likely have mutated and evolved into space explorers.
Wright sent the plist over to his friend and blogger, Scoopz. Within minutes, he watched as his Facebook account was hijacked. Here’s how he tells it:
"After backing up his own plist and logging out of Facebook [Scoopz] copied mine over to his device and opened the Facebook app..."
"My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added."
"Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures back to my friends."
"Even after restoring his own plist he still gets notifications for my games."
As The Register’s Bill Ray notes, all that’s needed to get somebody’s Facebook temporary login credentials are “a rogue application or two minutes with a USB connection.” The situation is exacerbated by Facebook’s liberal definition of “temporary” being “that which lasts until the year 4001.”
With iOS, you can even lift data from a backup, which would let a hacker get away with all sorts of Facebook hijinx.
Wright concocted five proofs of concept that netted him over 1,000 Facebook IDs. He deleted the data without copying it, no harm done, and gave Facebook a head’s-up about the matter.
It’s a similar story on Google’s Android platform – which is more open than Apple iOS, and relies upon the developer to make a sensible decision as to whether the sensitive data is stored safely or not.
Facebook is working on closing the hole. In the meantime, developers should do the same, Wright says:
"Unless app developers follow suit and start encrypting the 60-day access token Facebook supplies, it's only a matter of time before someone starts using the info for ill purpose... if they aren't already."
Wright’s proofs of concept include a modified speaker dock, a game-editing tool with a bit of added code, and a piece of hardware the size of a credit card that can copy a device’s plist in a matter of seconds.
Given that the vulnerability can be exploited with hardware and physical access, Wright says he’ll be thinking twice about plugging his devices into shared PCs, public music docks or charging stations.
Sounds like good advice for the rest of us.
See…I’ve been saying it all along; ”Facebook” and “mutant space cows” go hand in hand. That’s precisely why I deleted my Facebook account.
Could you rewrite this in lay mans terms ….I mean how many users really understand what you seem to be so earnestly trying to warn people about ,I read the whole article and graduated from college and still trying to understand this article ….?
Sorry about that. Basically, as FB has informed me just now (see the statement from FB; I pasted it in full below), it's only jailbroken gadgets at risk. Your FB credentials can be swiped, and your account can be hijacked, but as I understand it, the risk comes from physical access and hardware. So watch where you stick that thing. Hence Wright's list of hardware he'll avoid: shared PCs, public music docks or charging stations.
So, I'm just a regular gal with an iPad. Do I just avoid public wifi? 3G? Or do I have to physically connect to another device to get in trouble?
I just posted FB's comment below, in reply to another commenter, but here's the bit where they tell you how to stay safe. Basically, don't jailbreak:
"To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues."
Is this an iOS problem or a Facebook responsibility to fix?
I believe that Facebook's working on a fix—at least, that's what The Register and Wright said, though a FB spokesperson didn't mention it in this statement they just sent over:
"Facebook's iOS and Android applications are only intended for use with the manufacture provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, "unauthorized modification of iOS could allow hackers to steal personal information … or introduce malware or viruses." To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues."
Great, so what are we supposed to do about it??
FB says it's only jailbroken devices at risk (they just sent over a statement with the jailbroken bit; I pasted it in full, above). Avoid plugging in to shared PCs, public music docks or charging stations if you have a jailbroken device.
Jailbroken *or* someone has physical access to your iPhone (and plugs it in via USB etc)
a PC virus etc can also swipe the details.
Just log out of the Facebook app and use the web app for now
What is a jail broken bit? Sorry to be thick!
Only jail break vulnerabilities on iPhone … nonsense.
Very very very scary. Facebook & Google tend to lack the security that most small companies have on lock.
Another good reason to use a Windows based phone instead of Android, etc.
Facebook really doesn't care about its site being exploited, and your data along with it.
Otherwise they would check these third party apps before letting them run and giving
them access to your data.
An excellent reason to delete every speck of data you can on Facebook, before closing
your acount entirely ASAP.
Because Windows based technology is notoriously safe and impenetrable?
Do not forget that Facebook Mobile is also unable to make https connections. This mean that I can connect to a public wifi with a packet sniffer and just wait for people to log into Facebook and easily gain their login credentials.