Gareth Wright, an app developer from the U.K., along with The Next Web have each confirmed, separately, that this new vulnerability affects any and all iPhones, not just jailbroken ones. In addition to that, it has been discovered that the vulnerability originated in Facebook’s iPhone app.
Wright released his report earlier in the week and claimed that the iPhone Facebook app includes a vulnerability that fails to encrypt log-on credentials whenever you get on Facebook on your iPhone via the app. Wright also said that he also discovered a Facebook access token in the Draw Something game. Wright copied the token, used the Facebook Query Language and extracted the information.
According to Wright’s report, “Sure enough, I could pull back pretty much any information from my Facebook account.” Wright also mentioned that the property list of the app contained any and all information needed to allow someone other than you to access your Facebook account, send private messages and do anything else imaginable.
However, Facebook is sticking by their claim that the vulnerability only affects jailbroken phones. In a statement from the social media giant, the company said, “Facebook’s iOS and Android applications are only intended for use with the manufacture provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device.”
That may have been believable had The Next Web not released their very own report separate from Wright’s. The Next Web confirmed themselves that the vulnerability also affects non-jailbroken phones. However, The Next Web also found that Dropbox also suffers from the same vulnerability, leaving the application open to a property list hack.
According to The Next Web, “We copied the .plist from one device, with the app installed and logged in, over to another which had a fresh installation of Dropbox on it. The profile copied and it worked seamlessly, as if we had logged on ourselves, which we had not.” The Next Web also added that the Dropbox vulnerability works on phones that are passcode protected.
Facebook keeps saying that the vulnerability is only on jailbroken phones, though with the reports from Wright and The Next Web, I don’t know how much longer the social media company can keep that story going.
Source: CNET – facebook ID theft impacts all iPhones, Dropbox