Security hole discovered that makes Facebook-linked apps vulnerable

6 Apr 2012

A UK web developer has discovered a security hole in the popular Facebook app for iOS devices that concerns a Facebook access token that allows Plists to be shared and copied to other devices and offer up information such as private messages, apps, pictures and game notifications.

Web designer and developer Gareth Wright has notified Facebook and the social network is working to close the hole.

Wright urges app developers to begin encrypting the 60-day access token that Facebook supplies before hackers get to work.

He warned that any device plugged into charge on a PC can copy the Plist.

Wright says he discovered the vulnerability while he was poking around various apps using iExplorer and came across a plain text Facebook access token in the popular Draw Something game by OMGPOP.

He copied the hash and tested a few FQL queries. “Sure enough, I could pull back pretty much any information from my Facebook account. As of the 1st of May 2012 these tokens run out after 60 days but aside from that a simple .Net tool could easily snaffle this info and grab a fair whack of confirmed email addresses and marketing info.

“Not good, but then I had to wonder what the Facebook app stored. Popping into the Facebook application directory I quickly discovered a whole bunch of cached images and the com.Facebook.plist.

“What was contained within was shocking. Not an access token but full oAuth key and secret in plain text. Surely though, these are encrypted or salted with the device ID. Worryingly, the expiry in the plist is set to 1 Jan 4001!”

Wright said he then sent the plist to a blogger pal to try out and he was able to copy the plist to his device and when he opened the Facebook app he was able to see all of Wright’s wall posts, private messages, webpages liked and apps added. He was also able to open Draw Something on his iPad and was able to log straight into Wright’s account.

“Until Facebook plugs the hole, I’ll be thinking twice about plugging my devices into a shared PC, public music docks or ‘charging stations,'” Wright concluded.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years