On Thursday, Facebook Security assured users who access their Facebook account via Android or iOS devices that mobile sessions on the social networking site aren’t vulnerable to hacking. However, research published this week suggests otherwise.
A blog entry posted by UK-based mobile application developer Gareth Wright suggests that users whose mobile phones have been compromised may be subject to account takeover attacks.
Writing on Tuesday, Wright identified an alleged problem in the social network’s plain-text access token, stored in the file ‘com.Facebook.plist’. Wright was able to take the unencrypted token, available in the application’s directory, and copy it to a friend’s device. After his friend removed his own token, he was able to see all of Wright’s personal Facebook posts, messages and likes on his own phone without even logging in.
The hole raises concern for anyone who may plug their phone into public computers or modified public charging stations, putting their .plist files in danger of being swiped by malware residing on those machines, Wright said.
Attack scenarios include a hidden application that runs in the background on shared PCs and copies .plist files from devices that are plugged into them. Alternatively, attackers could devise a tool for copying .plist files from mobile devices to which they had physical access.
Wright’s findings prompted Facebook’s security group to issue a statement on Thursday afternoon claiming that users accessing Facebook.com from an iOS or Android device were only vulnerable if using a jailbroken iOS or modded Android device. The update insists that Facebook’s application is only for use with its manufacturer-provided operating system, and suggests that if a “malicious actor” were granted access to the physical device, it could be vulnerable.
However, Wright’s hack, which used the app iExplore to browse iOS files, doesn’t require a jailbroken iPhone. Further research from writers at TheNextWeb.com on Friday helped verify his findings and also found that the file-syncing app Dropbox, which has been taking security heat of its own lately, demonstrates the same vulnerability.
In an interview with ZDNet, Wright claims Facebook “are aware and working on closing the hole,” yet it’s not known whether Dropbox is aware and taking action to fix the similar, purported vulnerability.
In a statement, Dropbox said that the company’s Android application was not affected because it stores access tokens in a protected location. "We are currently updating our iOS app to do the same. We note that the attack in question requires a malicious actor to have physical access to a user's device. In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices," said the statement from a Dropbox spokeswoman.
Facebook is reportedly working on a fix for the plist problem.
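One protected location available to iOS apps is the Keychain. The Swift snippet below is an added illustration, not code from Facebook, Dropbox or Wright’s write-up; it shows how an app can keep its access token in the Keychain with a this-device-only accessibility class instead of writing it to a .plist in its sandbox directory, where iExplore-style tools can read it. The service and account names are assumed placeholders.

```swift
import Foundation
import Security

// Added example: keep an OAuth access token in the Keychain rather than in a
// plain-text .plist inside the app sandbox. Service/account names are assumed.
enum TokenStore {
    static let service = "com.example.app.oauth"   // assumed identifier
    static let account = "access_token"

    // Base query identifying the single Keychain item this store manages.
    private static var baseQuery: [String: Any] {
        return [kSecClass as String: kSecClassGenericPassword,
                kSecAttrService as String: service,
                kSecAttrAccount as String: account]
    }

    // Save (or replace) the token. "ThisDeviceOnly" means the item is never
    // included in backups or restored onto another device, which is exactly the
    // copy-to-a-friend's-phone step that worked against the .plist; "WhenUnlocked"
    // keeps it encrypted with the device's keys while the screen is locked.
    static func save(token: String) -> OSStatus {
        _ = SecItemDelete(baseQuery as CFDictionary)   // drop any stale item first
        var attrs = baseQuery
        attrs[kSecValueData as String] = Data(token.utf8)
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        return SecItemAdd(attrs as CFDictionary, nil)
    }

    // Read the token back; nil if it is absent or the Keychain refuses access.
    static func load() -> String? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: AnyObject?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess, let data = result as? Data else { return nil }
        return String(data: data, encoding: .utf8)
    }

    // Remove the token on logout so it does not outlive the session.
    static func clear() -> OSStatus {
        return SecItemDelete(baseQuery as CFDictionary)
    }
}
```

Moving the token into the Keychain does not stop an attacker who unlocks the device itself, which is the scenario both Facebook and Dropbox point to; it removes the case where a locked phone plugged into a hostile machine gives up its session file.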
Courtesy Christoper