Extension Factory Builder

Wednesday, 11 April 2012

Facebook Application For iOS & Android Have Security Hole Which Allows Identity Theft

Facebook Application For iOS & AndroidHave Security Hole Which Allows Identity Theft 



Facebook users again under risk.  Recently a new security vulnerability found in Facbook application foriOS & Facebook application for Android. Researcher app developer Gareth Wright, who discovered the issue, said it comes down to Facebook’s native apps for the two platforms not encrypting your login credentials, meaning they can be easily swiped over a USB connection, or more likely, via malicious apps. Facebook has responded that this issue only applies to compromised or jailbrokendevices. Means if you are using a jailbroken iOS device or a rooted Android device then your identity can easily be theft. Wright copied the hash and tested a few FQL queries. "Sure enough, I could pull back pretty much any information from my Facebook account. As of the 1st of May 2012 these tokens run out after 60 days but aside from that a simple .Net tool could easily snaffle this info and grab a fair whack of confirmed email addresses and marketing info.
“Not good, but then I had to wonder what the Facebook app stored. Popping into the Facebook application directory I quickly discovered a whole bunch of cached images and the com.Facebook.plist. “What was contained within was shocking. Not an access token but full oAuth key and secret in plain text. Surely though, these are encrypted or salted with the device ID. Worryingly, the expiry in the plist is set to 1 Jan 4001!" 

“Facebook’s iOS and Android applications are only intended for use with the manufacture provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device,” a Facebook spokesperson said in a statement. “We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, ‘unauthorized modification of iOS could allow hackers to steal personal information … or introduce malware or viruses.’ To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues.”
As for the USB connection scenario, Facebook says there’s no way to fix this problem. Note that in this case it doesn’t matter if your device is jailbroken or not, because whoever is doing the deed has physical access to your phone or tablet.

0 comments:

Post a Comment

Related Posts Plugin for WordPress, Blogger...
 
Submitdomainname.com Link Exchange with Democratic Hackers | Learn Ethical Hacking