Security issue in Facebook, Dropbox iOS apps requires physical access
A newly discovered security flaw in the Facebook and Dropbox applications for iOS could lead to identity theft, but only if a malicious user were to physically get their hands on an iPhone or iPad.
Earlier this week, developer Gareth Wright discovered the flaw in Facebook's official, free software available on the iOS App Store. He was able to install his personal "plist" file from the social networking application on four different devices without warning.
After discovering the issue, Wright contacted Facebook's security team, and they confirmed they they are "working to fix it." No timetable was given for the fix.
The same issue was also discovered in the official iOS Dropbox application by The Next Web. Both applications store personal information in plain text, rather than encrypting or packaging it, leaving personal information accessible to malicious users — but only if they are able to obtain the physical device that holds the data.
The data can even be obtained from Apple's latest devices, including the third-generation iPad, and it can be extracted without "jailbreaking" the device, or hacking Apple's iOS mobile operating system.
In other words, there is currently no current risk with the security flaw for users who keep their iPhone or iPad in their possession. The newly discovered issue mostly applies to those who may have lost their device or had it stolen.
In a statement, Dropbox said it is currently updating its iOS application to store its access tokens in a "protected location," like the service's Android application already does.
"We note the attack in question requires a malicious actor to have physical access to a user's device," they noted. "In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices."
[ View article on AppleInsider ]
Comments
2) Those that want added security 1Password offers a great way to have hard to guess, unique passwords for every site so even if one was compromised those with the same password across sites will be better protected.
Quick. Everyone panic.
In other news: Losing your drivers license or social security card could lead to identity theft.
Quick. Everyone panic.
So wait, they are not using the Keychain like they are supposed to?
Correct. This makes me flippin' angry.
1)
2) Those that want added security 1Password offers a great way to have hard to guess, unique passwords for every site so even if one was compromised those with the same password across sites will be better protected.
I am a long time user of 1Password. The iOS version has always been a little awkward. How do you use it? If, say you browse AI on Safari (ios) and make a comment, how would you use 1password? I suspect I go the long route out of habit.
I am a long time user of 1Password. The iOS version has always been a little awkward. How do you use it? If, say you browse AI on Safari (ios) and make a comment, how would you use 1password? I suspect I go the long route out of habit.
Safari is storing my commonly used passwords so AI is always logged in. I'm not a big fan of the 1Password in-app browser so if, for instance, I want to go to my bank website I would access 1Password, input the PIN, find the account, input the password, then copy the password, then go to Safari and access the login from there but don't save the info.
Safari is storing my commonly used passwords so AI is always logged in. I'm not a big fan of the 1Password in-app browser so if, for instance, I want to go to my bank website I would access 1Password, input the PIN, find the account, input the password, then copy the password, then go to Safari and access the login from there but don't save the info.
Yes, that's how I do it, too. I was hoping you had discovered that the in app browser was awesome. A real shame it can't work like the OSX version. I read the reason at some point and concluded that I had to live with clunky.
Failure to provide physical security does not equal flaws in software or OS security.
They don't equal it, but that doesn't mean there aren't security issues that need to be addressed. Imagine if anyone could log into your Mac/PC and get access to passwords simply because they have physical access. FB and Dropbox need to address this, as well as Apple. I don't want anyone being able to see any personal files on my devices without first knowing my password/PIN or breaking the drive's encryption.
Yes FB and DropBox should be using the data protection API's but they only provide protection with a passcode too. They're just an extra layer of protection or like a secondary encryption. Users should also be advised to encrypt any iTunes backups. if a thief can't get a hold of your computer then that eliminates any other back door. A PC free setup iOS device with a complex passcode is extremely safe.
Gareth doesn't make it clear as to whether he performed this using a computer that he had previously synced with iTunes. This bypasses the passcode as iTunes knows it. Testing needs to be done on a computer unknown to the device.
Facebook is quite a challenge to secure though.
They don't equal it, but that doesn't mean there aren't security issues that need to be addressed. Imagine if anyone could log into your Mac/PC and get access to passwords simply because they have physical access. FB and Dropbox need to address this, as well as Apple. I don't want anyone being able to see any personal files on my devices without first knowing my password/PIN or breaking the drive's encryption.
Gareth doesn't make it clear as to whether he performed this using a computer that he had previously synced with iTunes. This bypasses the passcode as iTunes knows it. Testing needs to be done on a computer unknown to the device.
Gareth just updated to confirm passcode-protected iOS devices are safe provided the thief or attacker does not have access to a computer which knows the passcode. One which hasn't synced that iOS device.
Everyone needs to passcode and encrypt your iTunes backups. Plus put a password on your computer accounts. If possible encrypt your full drives. If you've got a Mac running Lion, turn on FileVault!
Dropbox has no excuse for this --
which is why i use data locker just as added security. does data locker have flaws and security holes? maybe, but i don't lose sleep over it.
i also use 1 password and used to?USED TO?store on dropbox, but stopped a few months ago. info is way too important. i'll wait until things are a bit more secure.
Safari is storing my commonly used passwords so AI is always logged in. I'm not a big fan of the 1Password in-app browser so if, for instance, I want to go to my bank website I would access 1Password, input the PIN, find the account, input the password, then copy the password, then go to Safari and access the login from there but don't save the info.
My bank has an App, I enter a pin and have access.
It's device specific and you to have set it up first, which involves a password sent by SMS.
My bank has an App, I enter a pin and have access.
It's device specific and you to have set it up first, which involves a password sent by SMS.
My bank has something similar but it requires a password, not a PIN. It doesn't have all the features of the webpage. For instance, I haven't owned checks in years but my bank allows me to, for free, go online and cut a check and they'll mail it.
Still, even with the app I need to access 1Password and copy the password as it's 22 to 32 randomly generated characters.
I cancelled my Facebook account. Yeah! One less person for them to capitalize on. F- Facebook.
NOT! Facebook never cancels an account. It will always remain forever on the Facebook server. I cancelled my account years ago. Used all the tips to permanently delete it. Guess what, Facebook still has it and can activate it. They never delete anything even when they have you think they do delete it. And I highly suspect the data you had as public is still available for the public to find it, since I still find references to the profile page.