A rogue application or a USB connection can be used to steal temporary credentials from mobile devices, according to a report by The Register. In the case of Apple’s iOS, the data can also be recovered from a device backup, letting an attacker connect to the victim’s Facebook account and use Facebook applications as that user.
“That's according to Reg reader Gareth Wright, who stumbled across the file and tested it to see if it really was that easy to pretend to be someone else. Turns out it is, and after knocking out a proof of concept (a high-score editor for jailbroken iOS devices) which lifted ‘several thousand’ IDs, Gareth deleted the collected data and dutifully reported the matter to Facebook”, the report said.
Facebook, it turns out, was aware of the problem and working on a fix, although it couldn’t say when a fix might be ready.
“iOS games often store their high scores in plaintext, and rely on the OS for protection, and some are clearly storing Facebook-connection tokens in the same place. Those tokens are only valid for 60 days, but it turns out that the Facebook application itself stores a similar token – which lasts until the first of January 4001. Copy that token onto another device, and you're in”, the report added.
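The report makes two distinct points: a token sitting in a plaintext preferences file is only as safe as the device, and a token whose expiry lies decades in the future turns a one-time copy into permanent access. The following audit routine, added here as an illustration and not code from the article, The Register, or Facebook, checks both conditions over app property-list files of the kind an iOS app writes into its sandbox (and which end up in backups). The file paths, the key names `fb_access_token` and `fb_expires`, the issue date and the token values are all constructed assumptions; the 60-day limit is the lifetime the report attributes to ordinary tokens.

```python
"""Audit iOS-style .plist files for plaintext tokens and over-long token lifetimes.

Added example; not the article's, The Register's or Facebook's code. Key names,
paths and sample values are assumptions constructed for the illustration.
"""
import plistlib
from datetime import datetime, timedelta

# Policy: the report says ordinary connection tokens are valid for 60 days.
MAX_TOKEN_LIFETIME = timedelta(days=60)

# Assumed key names under which an app might persist a token and its expiry.
TOKEN_KEYS = {"fb_access_token"}
EXPIRY_KEYS = {"fb_expires"}

# Assumed issue time for the constructed samples below.
ISSUED = datetime(2012, 4, 5)

# Constructed sample files standing in for an app sandbox or a device backup.
# Token strings are placeholders, not real credentials.
SAMPLE_FILES = {
    "Game/Library/Preferences/scores.plist": plistlib.dumps({
        "highscore": 12345,
        "fb_access_token": "TOKEN-PLACEHOLDER-SHORTLIVED",
        "fb_expires": ISSUED + timedelta(days=60),   # within policy
    }),
    "Facebook/Library/Preferences/session.plist": plistlib.dumps({
        "fb_access_token": "TOKEN-PLACEHOLDER-LONGLIVED",
        "fb_expires": datetime(4001, 1, 1),          # the "year 4001" expiry
    }),
    "Notes/Library/Preferences/settings.plist": plistlib.dumps({
        "theme": "dark",                             # no token at all
    }),
}


def audit_plist(path, data, now):
    """Return (path, finding) tuples for one plist; an empty list means clean."""
    findings = []
    try:
        content = plistlib.loads(data)
    except plistlib.InvalidFileException:
        return findings          # not a plist; nothing to check here
    if not isinstance(content, dict):
        return findings
    if not any(k in content for k in TOKEN_KEYS):
        return findings          # no credential material in this file

    # Finding 1: a bearer token persisted in a plaintext preferences file.
    findings.append((path, "plaintext_token"))

    # Finding 2: lifetime far beyond what the policy allows (or none recorded).
    expiry = next((content[k] for k in EXPIRY_KEYS if k in content), None)
    if expiry is None:
        findings.append((path, "no_expiry"))
    elif expiry - now > MAX_TOKEN_LIFETIME:
        findings.append((path, "lifetime_exceeds_policy"))
    return findings


def audit_all(files, now):
    """Run audit_plist over a {path: raw_bytes} mapping and collect findings."""
    findings = []
    for path, data in files.items():
        findings.extend(audit_plist(path, data, now))
    return findings


if __name__ == "__main__":
    for path, finding in audit_all(SAMPLE_FILES, now=ISSUED):
        print(f"{path}: {finding}")
```

Run against a real backup the same routine would walk the extracted `Library/Preferences` directories and feed each file's bytes to `audit_plist`. Either finding is a defect on the app side: the token belongs in the Keychain rather than a preferences file, and the issuing server should cap the lifetime it hands out regardless of what the client asks for.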
Comments
LilyN says:
10 April 2012
Thanks for the update, Drew. Facebook also enables users to telesign in to their account as an extra layer of security. Even if they have a jailbroken iPhone or a modified OS AND their credentials have been stolen, Facebook provides 2-step authentication so their accounts would be protected. Everyone should take advantage of this feature even if they don't have a modified phone.
Drew Amorosi says:
06 April 2012
Facebook provided Infosecurity with the following statement regarding this article:
"Facebook's iOS and Android applications are only intended for use with the manufacturer-provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, 'unauthorized modification of iOS could allow hackers to steal personal information ... or introduce malware or viruses.' To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues."
Note: The majority of comments posted are created by members of the public. The views expressed are theirs and unless specifically stated are not those of Elsevier Ltd. We are not responsible for any content posted by members of the public or content of any third party sites that are accessible through this site. Any links to third party websites from this website do not amount to any endorsement of that site by Elsevier Ltd and any use of that site by you is at your own risk. For further information, please refer to our Terms & Conditions.