Facebook and Dropbox Apps for iOS Vulnerable to Credential Theft

by

Earlier this week, Gareth Wright disclosed his recent work showing that Facebook's app for iOS contains a security vulnerability that could allow malicious users to access login credentials held in a .plist file associated with the app. Obtaining a copy of that .plist file could allow a malicious users to automatically login in to the affected user's account on another device. The flaw reportedly also exists on Android devices.

Wright first discovered the issue while using iExplorer to browse files on his iPhone, discovering that the Facebook .plist file maintains the full oAuth key and secret needed to access his account in plain text. Working with a friend, Wright was able to demonstrate that simply moving that .plist file to another device granted that device access to his Facebook account.

After backing up his own plist and logging out of Facebook he copied mine over to his device and opened the Facebook app…

My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added.

Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures back to my friends.

Wright outlines a number of different ways in which a malicious user could obtain the login credentials, including customized apps, hidden applications installed on public PCs, or hardware solutions such as a modified speaker dock that could siphon the data.

Facebook has issued a statement claiming that the issue only affects devices that have been jailbroken or lost, as it requires either installation of a custom app or physical access to the device. But as pointed out by Wright and confirmed by The Next Web, unmodified devices need not be lost in order to be targeted, as simply plugging in a device to a compromised computer or accessory would be sufficient to allow the data to be gathered.

ios dropbox plist
Dropbox .plist file seen through iExplorer (Source: The Next Web)

Furthermore, The Next Web has confirmed that the same issue affects Dropbox for iOS, similarly allowing a user to simply copy the .plist file from one device to another in order to gain access to the account. Given that two high-profile apps are vulnerable to credential theft, it seems likely that other services are also affected by the same issue.

As multiple reports note, there is no evidence that this method of collecting login credentials is actively being used in a malicious manner, and users can protect themselves for the time being by not connecting their devices to public computers or charging stations.

Update: While Wright's initial post claims that the issue affects "locked passcoded unmodified iOS Devices" when connected to a PC set up to capture the .plist file, The Next Web has now updated its report to indicate that in its testing the technique does not work on devices protected with a passcode.

Popular Stories

Generic iOS 19 Feature Mock Light

iOS 19 Leak Reveals All-New Design

Friday January 17, 2025 2:42 pm PST by
iOS 19 is still around six months away from being announced, but a new leak has allegedly revealed a completely redesigned Camera app. Based on footage it obtained, YouTube channel Front Page Tech shared a video showing what the new Camera app will apparently look like, with the key change being translucent menus for camera controls. Overall, the design of these menus looks similar to...
Read Full Article
2024 App Store Awards

Apple Explains Why It Removed TikTok From the App Store in the U.S.

Sunday January 19, 2025 6:58 am PST by
Apple on late Saturday removed TikTok from the App Store in the U.S., and it has now explained why it was required to take this action. Last year, the U.S. passed a law that required Chinese company ByteDance to divest its ownership of TikTok due to potential national security risks, or else the platform would be banned. That law went into effect today, and companies like Apple and Google...
Read Full Article252 comments
iPhone SE Dynamic Island Majin Bu

iPhone SE 4 Leak Shows Dynamic Island, Casts Doubt on Rumored 'iPhone 16E' Name

Monday January 20, 2025 9:01 am PST by
A new iPhone SE is widely rumored to launch this year, and the device has potentially been confirmed today by known leaker Evan Blass. In a private social media post, Blass shared an image of what appears to be source code mentioning an iPhone SE (4th Gen), which casts doubt on the alternative "iPhone 16E" name rumored for the device. However, the name in the source code could be a...
Read Full Article165 comments
iOS 19 Roundup Feature

iOS 19 Rumored to Be Compatible With These iPhones

Saturday January 18, 2025 10:28 am PST by
iOS 19 will not drop support for any iPhone models, according to French website iPhoneSoft.fr. The report cited a source who said iOS 19 will be compatible with any iPhone that can run iOS 18, which would mean the following models: iPhone 16 iPhone 16 Plus iPhone 16 Pro iPhone 16 Pro Max iPhone 15 iPhone 15 Plus iPhone 15 Pro iPhone 15 Pro Max iPhone 14 iPhon...
Read Full Article
airtag 4 pack blue

AirTag 2 Launching This Year With These 3 New Features

Sunday January 19, 2025 8:11 am PST by
After a four-year wait, a new AirTag is finally expected to launch in 2025. Below, we recap rumored upgrades for the accessory. A few months ago, Bloomberg's Mark Gurman said Apple was aiming to release the AirTag 2 around the middle of 2025. While he did not offer a more specific timeframe, that means the AirTag 2 could be announced by the end of June. The original AirTag was announced...
Read Full Article
iPhone 17 Air Size Feature

'iPhone 17 Air' With Rear Camera Bar Allegedly Shown in Leaked Photo

Tuesday January 21, 2025 12:46 pm PST by
A leaker known as "Majin Bu" today shared an alleged image of a component for the rumored, ultra-thin "iPhone 17 Air" model. The blurry, pixelated image shows a pair of rear iPhone shells with a pill-shaped, raised camera bar along the top. On the left side of the bar, there is a circular cutout that appears to be for a single rear camera. On the right side of the bar, there appears to be an ...
Read Full Article92 comments
apple power beats pro 2

Powerbeats Pro 2 Coming Soon: Apple to Announce Them 'Imminently'

Sunday January 19, 2025 8:25 am PST by
In September, Apple said that it would be launching Powerbeats Pro 2 in 2025, and it appears the wireless earbuds are coming very soon. Powerbeats Pro 2 images found in iOS 18 code In his Power On newsletter today, Bloomberg's Mark Gurman said the Powerbeats Pro 2 are "due imminently." In addition to Apple filing the Powerbeats Pro 2 in regulatory databases last month, Gurman said Apple is...
Read Full Article63 comments
Generic iOS 18

Everything New in iOS 18.3 Beta 3

Thursday January 16, 2025 12:39 pm PST by
Apple provided the third beta of iOS 18.3 to developers today, and while the betas have so far been light on new features, the third beta makes some major changes to Notification Summaries and also tweaks a few other features. Notification Summary Changes Apple made multiple changes to Notification Summaries in response to complaints about inaccurate summaries of news headlines. For...
Read Full Article28 comments

Top Rated Comments

amarcus Avatar
amarcus
167 months ago
Sloppy programming. This sort of information should be stored in the Keychain!
Score: 12 Votes (Like | Disagree)
bse3 Avatar
bse3
167 months ago
This has been a good week for the Apple security team

What does the security of the Facebook and Dropbox Apps have to do with the Apple Security Team? This is about lazy developers, not utilizing stuff that is there.
Score: 9 Votes (Like | Disagree)
Asclepio Avatar
Asclepio
167 months ago
Score: 6 Votes (Like | Disagree)
invalidname Avatar
invalidname
167 months ago
Sloppy programming. This sort of information should be stored in Keychain!

Exactly. Apple makes it very clear that any sensitive information goes in the Keychain. It's not the easiest API in the iOS SDK, but anyone getting paid to write apps should be able to muscle through it.

The other thing that's obscene about the Facebook app for iOS is that it caches every element of every web page you visit with the app. Check your usage and Facebook could easily be gobbling multiple GB. Details on my blog: Facebook for iOS Pigs Out (http://www.subfurther.com/blog/2012/03/20/facebook-for-ios-pigs-out/)
Score: 6 Votes (Like | Disagree)
S.B.G Avatar
S.B.G
167 months ago
I certainly hope these companies fix this ASAP. I don't use Facebook, so I'm alright there, but I do use Dropbox.

Agreed with someone above that this is sloppy programming. It still amazes me in this day that folks don't consider security when they create apps and such that require authentication.
Score: 6 Votes (Like | Disagree)
TallManNY Avatar
TallManNY
167 months ago
Every Facebook user should assume that their account can, will be and possibly already is hacked. The service is not secure. Facebook, as a company from the top down, does not believe in security and privacy anyway. Even unhacked, much of your data goes to every app that you connect to. Who knows what group is behind those apps when you connect initially. How about three years later? A failed Apps last asset before that company closes up shop is probably to sell their Facebook accounts. Some dorky game that you played five times three years ago might have changed hands a dozen times since you clicked on it. Every new entity buying that App got access to your account. Do you think Facebook is policing those entities?

The correct way to deal with this is to not have anything confidential or private on Facebook. It is designed for public consumption, which is fun and useful. It is not designed as a private storage site or private means of communication. All messages sent on Facebook should be considered public by the senders. Use it the right way, and don't worry about it being hacked anymore than someone looking up your name in the phone book.

Now Dropbox, that is another issue. That should be decently private. I suspect this will get fixed though.
Score: 5 Votes (Like | Disagree)
Read All Comments