Security researcher Gareth Wright "stumbled into" a way to make one iOS or Android device appear logged into another person's Facebook account. According to The Next Web, the method also works with Dropbox. Copying the app's "plist" (property list) file from one device and dropping it into the same directory on another device (using a free Mac app such as iExplorer) is enough to make Facebook and Dropbox, and presumably other apps that keep credentials the same way, treat the second device as you. Facebook released a statement on the matter:
Facebook's iOS and Android applications are only intended for use with the manufacturer-provided operating system, and access tokens are only vulnerable if users have modified their mobile OS (i.e., jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, "unauthorized modification of iOS could allow hackers to steal personal information ... or introduce malware or viruses." To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues.
Facebook's statement implies that the device must be jailbroken or rooted for this to work, but that is not the case. Even on an iOS device that is not jailbroken and has a passcode set, the access token and OAuth key sit in files that can be read and copied, so anyone who moves those files onto their own device can get into your Facebook account, and into any app (Draw Something, for example) that signs in with the Facebook credentials held on the phone.
Facebook's own statement concedes that someone with physical access to your device can take your access tokens. The reason is simple: the app stores them in an unencrypted plain-text file. A thief who goes for your Facebook tokens before reading your email, contacts and banking apps is an unlikely figure, but the weakness is real, and a copied token works on another device without your passcode. The Next Web's Matthew Panzarino reproduced Wright's experiment with plists taken from both the Facebook and Dropbox apps, and points out that you need not lose your phone to be exposed:
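To turn the anecdote into a check you can run yourself, here is an added Python example (not code from the article, from Facebook or from Dropbox) that parses a preferences plist in either the XML or the binary encoding iOS writes and flags every string stored under a credential-like key or shaped like an opaque token. The sample plist, its key names (FBSession, DropboxOAuth and so on) and the token values are constructed for illustration; the page does not say which keys the real apps used.

```python
"""Scan iOS-style preference plists for credentials stored in the clear.

Added example; not code from the article, Facebook or Dropbox. The key
names and token values below are constructed to resemble what an app's
NSUserDefaults-style plist might hold, not the real apps' data.
"""
import plistlib
import re
from datetime import datetime
from typing import Any, Iterator

# Key names that usually hold something a thief could replay. Assumption:
# illustrative patterns, not the keys the real apps used. The whole dotted
# path is searched, so a container named "...OAuth" counts as well.
SUSPICIOUS_KEY = re.compile(
    r"(access[_-]?token|oauth|secret|session[_-]?key|password)", re.I
)

# Heuristic for opaque bearer-token-looking values: long, one word, no dots
# (so version strings and bundle identifiers are not flagged).
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9_\-|]{32,}$")


def walk(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted path, leaf value) for every leaf in a nested plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node


def find_plaintext_tokens(plist_bytes: bytes) -> list[tuple[str, str]]:
    """Parse an XML or binary plist and return (path, value) for every string
    that sits under a credential-like key or looks like an opaque token.
    A hit is a value that travels with the file when the file is copied."""
    hits = []
    for path, value in walk(plistlib.loads(plist_bytes)):
        if isinstance(value, bytes):  # <data> blobs: inspect only if ASCII
            try:
                value = value.decode("ascii")
            except UnicodeDecodeError:
                continue
        if not isinstance(value, str):
            continue
        if SUSPICIOUS_KEY.search(path) or TOKEN_SHAPE.match(value):
            hits.append((path, value))
    return hits


def audit(plist_bytes: bytes) -> dict[str, str]:
    """Same result as find_plaintext_tokens, keyed by path."""
    return dict(find_plaintext_tokens(plist_bytes))


# Constructed sample: what a leaked preferences file might contain.
# The token strings are made up and carry no meaning.
SAMPLE_PREFS = {
    "app_version": "5.0.1",
    "notifications_enabled": True,
    "FBSession": {
        "access_token": "EAAB" + "A1b2" * 16,  # 68 chars, fake, token-shaped
        "expiration_date": datetime(2013, 6, 1, 0, 0, 0),
        "user_id": "100000000000001",          # short digits, not flagged
    },
    "DropboxOAuth": {
        "token": "k" * 15,                     # too short for the shape rule,
        "oauth_token_secret": "s3cr3t" * 4,    # both caught by the key name
    },
}

# The same content in the two on-disk encodings plistlib understands.
SAMPLE_XML = plistlib.dumps(SAMPLE_PREFS, fmt=plistlib.FMT_XML)
SAMPLE_BINARY = plistlib.dumps(SAMPLE_PREFS, fmt=plistlib.FMT_BINARY)

# A plist with nothing sensitive, for the negative case.
CLEAN_XML = plistlib.dumps({"app_version": "5.0.1", "launch_count": 3})


if __name__ == "__main__":
    for label, blob in (("xml", SAMPLE_XML), ("binary", SAMPLE_BINARY)):
        print(f"[{label}]")
        for path, value in find_plaintext_tokens(blob):
            print(f"  {path}: {value[:12]}...")
```

Point it at the files under an app's Library/Preferences after pulling them with a tool like iExplorer, or at an unencrypted iTunes backup. The check is deliberately heuristic: the key-name rule catches short tokens the shape rule would miss, and the shape rule catches tokens hidden under innocuous key names, so expect to review the hits by hand.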
If a program was running on a public computer, or if someone had modified a public charging station to siphon off the plain-text .plist file, they could theoretically gain access to that information, whether you're jailbroken or not.
Both of those situations may sound unlikely, but Wright disagrees. He told Ars Technica:
The scenario is something that happens a lot at universities and workplaces as users charge their devices.
Wright told ZDNet that Facebook is working on a fix. If your device is stolen, a remote wipe still protects the data on it, but a token that has already been copied off the phone is unaffected by the wipe and keeps working until the session is ended from the account's security settings. He offers one final word of warning on his website:
The biggest risk is from malware and viruses designed to slurp data from devices plugged into PCs, so despite what any other articles say, jailbroken or not you ARE vulnerable!
For now, keep your eyes peeled for suspicious looking charging stations.
Update: Dropbox has released a statement on the matter:
Dropbox's Android app is not impacted because it stores access tokens in a protected location. We are currently updating our iOS app to do the same. We note that the attack in question requires a malicious actor to have physical access to a user's device. In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices.