Security hole discovered that makes Facebook-linked apps vulnerable

6 Apr 2012


A UK web developer has discovered a security hole in the popular Facebook app for iOS devices: the app stores its Facebook access token in a plain-text Plist file, which can be copied to other devices and used to read private messages, apps, pictures and game notifications.

Web designer and developer Gareth Wright has notified Facebook and the social network is working to close the hole.

Wright urges app developers to begin encrypting the 60-day access token that Facebook supplies before hackers get to work.

He warned that any device plugged into charge on a PC can copy the Plist.

Wright says he discovered the vulnerability while he was poking around various apps using iExplorer and came across a plain text Facebook access token in the popular Draw Something game by OMGPOP.

He copied the hash and tested a few FQL queries. “Sure enough, I could pull back pretty much any information from my Facebook account. As of the 1st of May 2012 these tokens run out after 60 days but aside from that a simple .Net tool could easily snaffle this info and grab a fair whack of confirmed email addresses and marketing info.

“Not good, but then I had to wonder what the Facebook app stored. Popping into the Facebook application directory I quickly discovered a whole bunch of cached images and the com.Facebook.plist.

“What was contained within was shocking. Not an access token but full OAuth key and secret in plain text. Surely though, these are encrypted or salted with the device ID. Worryingly, the expiry in the plist is set to 1 Jan 4001!”

Wright said he then sent the plist to a blogger pal to try out. The friend copied the plist to his own device and, on opening the Facebook app, was able to see all of Wright’s wall posts, private messages, liked webpages and added apps. He was also able to open Draw Something on his iPad and log straight into Wright’s account.

“Until Facebook plugs the hole, I’ll be thinking twice about plugging my devices into a shared PC, public music docks or ‘charging stations,’” Wright concluded.
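As an added example (not from the article, Wright, or Facebook), the following Python script audits an iOS property list for the two problems described above: credential-looking values stored in the clear, and expiry dates far beyond the 60-day token lifetime. The plist content and its key names are constructed for this example and do not reflect the real com.Facebook.plist layout.

```python
import datetime as dt
import plistlib
import re

# Facebook access tokens are meant to expire within 60 days (per the article);
# any expiry beyond that horizon is flagged.
MAX_TOKEN_LIFETIME = dt.timedelta(days=60)
# Key names that usually hold credentials; stored as plaintext strings they are a finding.
CREDENTIAL_KEY = re.compile(r"token|secret|oauth|session", re.IGNORECASE)
# Date the article was published, used as "now" for the constructed sample.
AUDIT_DATE = dt.datetime(2012, 4, 6)

# Constructed sample plist (assumption: keys and values are invented for the example).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
    <key>FBAccessToken</key><string>CONSTRUCTED_TOKEN_VALUE_NOT_REAL</string>
    <key>OAuthSecret</key><string>CONSTRUCTED_SECRET_NOT_REAL</string>
    <key>FBAccessTokenExpiry</key><date>4001-01-01T00:00:00Z</date>
    <key>UserName</key><string>example_user</string>
</dict></plist>"""


def _walk(node, path=""):
    """Yield (path, value) for every leaf of a parsed plist, descending into dicts and arrays."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, node


def audit_plist(data: bytes, now: dt.datetime):
    """Return (path, issue) findings: plaintext credentials and over-long expiry dates."""
    findings = []
    for path, value in _walk(plistlib.loads(data)):
        leaf = path.rsplit("/", 1)[-1]
        if CREDENTIAL_KEY.search(leaf) and isinstance(value, (str, bytes)) and value:
            findings.append((path, "credential stored in plaintext"))
        # plistlib returns naive UTC datetimes, so compare against a naive UTC "now".
        if isinstance(value, dt.datetime) and value - now > MAX_TOKEN_LIFETIME:
            findings.append((path, f"expiry {value.date()} exceeds {MAX_TOKEN_LIFETIME.days}-day limit"))
    return findings


def audit_sample():
    """Run the audit over the constructed sample; expected: three findings."""
    return audit_plist(SAMPLE_PLIST, AUDIT_DATE)
```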

Editor John Kennedy is an award winning technology journalist.
