Security issue in Facebook, Dropbox iOS apps requires physical access

Posted:
in iPhone edited January 2014


A newly discovered security flaw in the Facebook and Dropbox applications for iOS could lead to identity theft, but only if a malicious user were to physically get their hands on an iPhone or iPad.



Earlier this week, developer Gareth Wright discovered the flaw in Facebook's official, free software available on the iOS App Store. He was able to install his personal "plist" file from the social networking application on four different devices without warning.



After discovering the issue, Wright contacted Facebook's security team, and they confirmed they they are "working to fix it." No timetable was given for the fix.



The same issue was also discovered in the official iOS Dropbox application by The Next Web. Both applications store personal information in plain text, rather than encrypting or packaging it, leaving personal information accessible to malicious users — but only if they are able to obtain the physical device that holds the data.



The data can even be obtained from Apple's latest devices, including the third-generation iPad, and it can be extracted without "jailbreaking" the device, or hacking Apple's iOS mobile operating system.



In other words, there is currently no current risk with the security flaw for users who keep their iPhone or iPad in their possession. The newly discovered issue mostly applies to those who may have lost their device or had it stolen.











In a statement, Dropbox said it is currently updating its iOS application to store its access tokens in a "protected location," like the service's Android application already does.



"We note the attack in question requires a malicious actor to have physical access to a user's device," they noted. "In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices."



[ View article on AppleInsider ]

«1

Comments

  • solipsismxsolipsismx Posts: 19,566member
    1) This isn't good. I don't care if it's because of sloppy coding on the part of FB and Dropbox devs because they didn't follow Apple's guidelines, I do expect that Apple's venting process can look at a plain text PLIST file for passwords and other sensitive data.



    2) Those that want added security 1Password offers a great way to have hard to guess, unique passwords for every site so even if one was compromised those with the same password across sites will be better protected.
  • postulantpostulant Posts: 1,270member
    In other news: Losing your drivers license or social security card could lead to identity theft.



    Quick. Everyone panic.
  • uguysrnutsuguysrnuts Posts: 459member
    AAAAAAA(to the tenth power)!!!!!!!!!



    Quote:
    Originally Posted by Postulant View Post


    In other news: Losing your drivers license or social security card could lead to identity theft.



    Quick. Everyone panic.



  • crisss1205crisss1205 Posts: 61member
    So wait, they are not using the Keychain like they are supposed to?
  • yaakyaak Posts: 2member
    Quote:
    Originally Posted by crisss1205 View Post


    So wait, they are not using the Keychain like they are supposed to?



    Correct. This makes me flippin' angry. Dropbox has no excuse for this -- even amateur iOS devs can read a few bits of documentation and use the Keychain to store this stuff. GAH!
  • paxmanpaxman Posts: 4,129member
    Quote:
    Originally Posted by SolipsismX View Post


    1)

    2) Those that want added security 1Password offers a great way to have hard to guess, unique passwords for every site so even if one was compromised those with the same password across sites will be better protected.



    I am a long time user of 1Password. The iOS version has always been a little awkward. How do you use it? If, say you browse AI on Safari (ios) and make a comment, how would you use 1password? I suspect I go the long route out of habit.
  • solipsismxsolipsismx Posts: 19,566member
    Quote:
    Originally Posted by paxman View Post


    I am a long time user of 1Password. The iOS version has always been a little awkward. How do you use it? If, say you browse AI on Safari (ios) and make a comment, how would you use 1password? I suspect I go the long route out of habit.



    Safari is storing my commonly used passwords so AI is always logged in. I'm not a big fan of the 1Password in-app browser so if, for instance, I want to go to my bank website I would access 1Password, input the PIN, find the account, input the password, then copy the password, then go to Safari and access the login from there but don't save the info.
  • paxmanpaxman Posts: 4,129member
    Quote:
    Originally Posted by SolipsismX View Post


    Safari is storing my commonly used passwords so AI is always logged in. I'm not a big fan of the 1Password in-app browser so if, for instance, I want to go to my bank website I would access 1Password, input the PIN, find the account, input the password, then copy the password, then go to Safari and access the login from there but don't save the info.



    Yes, that's how I do it, too. I was hoping you had discovered that the in app browser was awesome. A real shame it can't work like the OSX version. I read the reason at some point and concluded that I had to live with clunky.
  • gqbgqb Posts: 1,934member
    Failure to provide physical security does not equal flaws in software or OS security.
  • solipsismxsolipsismx Posts: 19,566member
    Quote:
    Originally Posted by GQB View Post


    Failure to provide physical security does not equal flaws in software or OS security.



    They don't equal it, but that doesn't mean there aren't security issues that need to be addressed. Imagine if anyone could log into your Mac/PC and get access to passwords simply because they have physical access. FB and Dropbox need to address this, as well as Apple. I don't want anyone being able to see any personal files on my devices without first knowing my password/PIN or breaking the drive's encryption.
  • ontheinsideontheinside Posts: 87member
    This is another scaremongering story which fails to point out that if people secure their iOS device with a passcode then it won't be accessible to a thief who does not get the passcode. Setting the simple passcode off allows for complex passwords which makes the data even safer.



    Yes FB and DropBox should be using the data protection API's but they only provide protection with a passcode too. They're just an extra layer of protection or like a secondary encryption. Users should also be advised to encrypt any iTunes backups. if a thief can't get a hold of your computer then that eliminates any other back door. A PC free setup iOS device with a complex passcode is extremely safe.



    Gareth doesn't make it clear as to whether he performed this using a computer that he had previously synced with iTunes. This bypasses the passcode as iTunes knows it. Testing needs to be done on a computer unknown to the device.
  • drblankdrblank Posts: 3,383member
    I cancelled my Facebook account. Yeah! One less person for them to capitalize on. F- Facebook.
  • uguysrnutsuguysrnuts Posts: 459member
    This is why I use BoxCryptor on my computers and iOS devices. All of my important files are encrypted.



    Facebook is quite a challenge to secure though.



    Quote:
    Originally Posted by SolipsismX View Post


    They don't equal it, but that doesn't mean there aren't security issues that need to be addressed. Imagine if anyone could log into your Mac/PC and get access to passwords simply because they have physical access. FB and Dropbox need to address this, as well as Apple. I don't want anyone being able to see any personal files on my devices without first knowing my password/PIN or breaking the drive's encryption.



  • ontheinsideontheinside Posts: 87member
    Quote:
    Originally Posted by ontheinside View Post


    Gareth doesn't make it clear as to whether he performed this using a computer that he had previously synced with iTunes. This bypasses the passcode as iTunes knows it. Testing needs to be done on a computer unknown to the device.



    Gareth just updated to confirm passcode-protected iOS devices are safe provided the thief or attacker does not have access to a computer which knows the passcode. One which hasn't synced that iOS device.



    Everyone needs to passcode and encrypt your iTunes backups. Plus put a password on your computer accounts. If possible encrypt your full drives. If you've got a Mac running Lion, turn on FileVault!
  • neosumneosum Posts: 109member
    Having physical access to ANY device = compromised. Why would anyone be surprised about this? Anytime you lose your smartphone or laptop, your safest bet is to remote wipe it as soon as possible. If you don't, consider your data compromised. It's that easy to gain root access to your devices if they have physical access to it.
  • mac_dogmac_dog Posts: 477member
    Quote:
    Originally Posted by yAak View Post


    Dropbox has no excuse for this --



    which is why i use data locker just as added security. does data locker have flaws and security holes? maybe, but i don't lose sleep over it.



    i also use 1 password and used to?USED TO?store on dropbox, but stopped a few months ago. info is way too important. i'll wait until things are a bit more secure.
  • hill60hill60 Posts: 6,960member
    Quote:
    Originally Posted by SolipsismX View Post


    Safari is storing my commonly used passwords so AI is always logged in. I'm not a big fan of the 1Password in-app browser so if, for instance, I want to go to my bank website I would access 1Password, input the PIN, find the account, input the password, then copy the password, then go to Safari and access the login from there but don't save the info.



    My bank has an App, I enter a pin and have access.



    It's device specific and you to have set it up first, which involves a password sent by SMS.
  • hellacoolhellacool Posts: 759member
    I think I would be more concerned with the loss of my phone. Who cares about Facebook if you also bank using your phone or other financial things. Plus as others pointed out simply using a lock code prevents all this. If someone banks and does other things with their device and fails to lock it, they have far more to worry about.
  • solipsismxsolipsismx Posts: 19,566member
    Quote:
    Originally Posted by hill60 View Post


    My bank has an App, I enter a pin and have access.



    It's device specific and you to have set it up first, which involves a password sent by SMS.



    My bank has something similar but it requires a password, not a PIN. It doesn't have all the features of the webpage. For instance, I haven't owned checks in years but my bank allows me to, for free, go online and cut a check and they'll mail it.



    Still, even with the app I need to access 1Password and copy the password as it's 22 to 32 randomly generated characters.
  • ljocampoljocampo Posts: 657member
    Quote:
    Originally Posted by drblank View Post


    I cancelled my Facebook account. Yeah! One less person for them to capitalize on. F- Facebook.



    NOT! Facebook never cancels an account. It will always remain forever on the Facebook server. I cancelled my account years ago. Used all the tips to permanently delete it. Guess what, Facebook still has it and can activate it. They never delete anything even when they have you think they do delete it. And I highly suspect the data you had as public is still available for the public to find it, since I still find references to the profile page.
Sign In or Register to comment.