Facebook could open security hole on iOS, Android devices

Apr 6, 2012
Tech


By now you’ve heard that you should be careful what you post on Facebook. But what gets you into trouble because of the social network might not be prying eyes on your profile; it might be a security hole open to hackers.

As PC World reports, there’s an easily exploitable security flaw in Facebook’s mobile apps for both Apple’s iOS platform and Google’s Android operating system. Neither version of the app encrypts users’ personal information, which makes it easy to steal for hacker types and identity thieves.

According to PC World’s report, all it would take to exploit the unencrypted data is “a rogue application” or “two minutes with a USB cable.” Rogue apps are less common on iOS than, say, Android because of the latter’s more open nature, but Apple’s walled garden is by no means free of the occasional malicious weed.

What’s especially disconcerting about the revelation that Facebook’s apps leave user data unprotected is the sheer volume of users logging in from mobile devices. Back in February, Facebook released numbers saying that some 350 million of its monthly active users were logging in with its mobile apps. That’s an insane number of people whose personal data is currently vulnerable, and who likely have no idea.

The security hole was first discovered by UK app developer Gareth Wright, who stumbled on it while using a free tool that let him browse the directory files on his iPhone. Before long, Wright noticed that a game was using a Facebook token to gain access to information in his profile. After copying the token, he found that using it with the Facebook Query Language gave him easy access to information in his account. Poking further, he found Facebook’s own directory files and a huge amount of unencrypted information, including an unencrypted key that could give anyone full access to his Facebook account.


Wright then wrote a computer program to demonstrate how easy it would be for a malicious hacker to create a worm that finds and copies Facebook “plists,” the plaintext files that contain each user’s Facebook settings. Rather than copy them, Wright’s program merely incremented a counter each time it encountered a plist. The code counted more than 1,000 plists over the course of a week.

Facebook is already working on a fix after being contacted by Wright about the issue, according to the PC World story. That doesn’t solve the problem of the plaintext token that gives apps (and potentially malicious programs) access to Facebook profiles, however, especially since that token is also stored in the plists of other apps, such as games. That means there are potentially millions of Facebook-using mobile gamers out there who are currently vulnerable to having their information stolen, and who may stay that way for some time.
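The plists described above are ordinary property-list files, so the check a developer should run on their own app before shipping is to parse every plist in the app container and flag entries that look like stored credentials. The following is an added example, not code from the article, from Facebook, or from Wright’s program; the key names, the heuristics and the sample token are constructed placeholders.

```python
"""Audit .plist files in an app container for plaintext credentials.

Added example (not from the article). The suspect-key list, the opaque-value
heuristic and the sample plist below are constructed assumptions.
"""
import plistlib
import re
from pathlib import Path

# Key names that commonly hold bearer credentials (assumed list, extend as needed).
SUSPECT_KEYS = re.compile(r"(access_?token|auth_?token|oauth|session_?key|secret)", re.I)
# Long opaque strings are the typical shape of a bearer token.
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9_\-\.]{32,}$")

def _walk(node, path=""):
    """Yield (dotted_path, value) for every leaf in a nested plist structure."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{path}.{k}" if path else str(k))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, node

def find_plaintext_tokens(plist_bytes):
    """Return dotted paths of string entries that look like stored credentials."""
    hits = []
    for path, value in _walk(plistlib.loads(plist_bytes)):
        key = path.rsplit(".", 1)[-1]
        if isinstance(value, str) and (SUSPECT_KEYS.search(key) or OPAQUE_VALUE.match(value)):
            hits.append(path)
    return hits

def audit_container(root):
    """Scan every .plist under an app container directory; return {file: hits}."""
    findings = {}
    for p in Path(root).rglob("*.plist"):
        hits = find_plaintext_tokens(p.read_bytes())
        if hits:
            findings[str(p)] = hits
    return findings

# Constructed sample of what a game's preferences plist might hold (placeholder token).
SAMPLE_PLIST = plistlib.dumps({
    "highScore": 1200,
    "FBAccessTokenKey": "CONSTRUCTED_PLACEHOLDER_TOKEN_0123456789abcdefghijklmnop",
    "FBExpirationDateKey": "2012-06-01",
    "soundEnabled": True,
})
# Constructed sample with no credential material, for comparison.
CLEAN_PLIST = plistlib.dumps({"highScore": 5, "playerName": "bob"})

if __name__ == "__main__":
    print(find_plaintext_tokens(SAMPLE_PLIST))  # ['FBAccessTokenKey']
```

Point `audit_container` at a copy of an app sandbox pulled from a test device to see every plist that would leak a token to anyone with file-level access.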


Phil Hornshaw

Phil Hornshaw is a freelance writer, editor and author living in Los Angeles, dividing his time between playing video games, playing video games on his cell phone, and writing about playing video games. He’s also the co-author of So You Created a Wormhole: The Time Traveler’s Guide to Time Travel, which attempts to mix time travel pop culture with some semblance of science, as well as tips on the appropriate means of riding dinosaurs.
