Share

Related Stories

Top 5 Stories

News

Facebook logins vulnerable on Apple and Android devices

05 April 2012

Facebook login credentials are easily obtained from Apple and Android mobile devices because they are not encrypted and left in a temporary folder accessible to other applications or USB connections.

A rogue application or a USB connection can be used to steal the temporary credentials from mobile devices, according to a report by The Register. In the case of Apple’s iOS, the data could be obtained from a backup, enabling the hacker to attach to a Facebook account and access Facebook applications.

“That's according to Reg reader Gareth Wright, who stumbled across the file and tested it to see if it really was that easy to pretend to be someone else. Turns out it is, and after knocking out a proof of concept (a high-score editor for jailbroken iOS devices) which lifted ‘several thousand’ IDs, Gareth deleted the collected data and dutifully reported the matter to Facebook”, the report said.

Facebook, it turns out, was aware of the problem and working on a fix, although it couldn’t say when a fix might be ready.

“iOS games often store their high scores in plaintext, and rely on the OS for protection, and some are clearly storing Facebook-connection tokens in the same place. Those tokens are only valid for 60 days, but it turns out that the Facebook application itself stores a similar token – which lasts until the first of January 4001. Copy that token onto another device, and you're in”, the report added.
 

This article is featured in:
Application Security  •  Data Loss  •  Wireless and Mobile Security

 

Comments

LilyN says:

10 April 2012
Thanks for the update Drew. Facebook also enables users to telesign in to their account as an extra layer of security. Even if they have a jail broken iphone or a modified OS AND their credentials have been stolen, Facebook provides 2-step authentication so their accounts would be protected. Everyone should take advantage of this feature even if they don't have a modified phone.

Drew Amorosi says:

06 April 2012
Facebook provided Infosecurity with the following statement regarding this article:

"Facebook's iOS and Android applications are only intended for use with the manufacture provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, "unauthorized modification of iOS could allow hackers to steal personal information ... or introduce malware or viruses." To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues."

Note: The majority of comments posted are created by members of the public. The views expressed are theirs and unless specifically stated are not those Elsevier Ltd. We are not responsible for any content posted by members of the public or content of any third party sites that are accessible through this site. Any links to third party websites from this website do not amount to any endorsement of that site by the Elsevier Ltd and any use of that site by you is at your own risk. For further information, please refer to our Terms & Conditions.

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×