Facebook says ID theft threat only on jailbroken phones
A purported security hole discovered by an app developer occurs only on phones modified to remove security measures, the social network says.
Reports are making the rounds on the Internet of a security hole in Facebook's Android and iOS clients that could allow identity theft.
However, the threat posed to most users of mobile devices that use those platforms is apparently minimal, and the blame for the vulnerability is misplaced, Facebook says. According to a blog by U.K. app developer Gareth Wright, who discovered the alleged vulnerability, the social network's mobile clients didn't encrypt users' log-on credentials, leaving them open for hijacking over a USB connection or rogue app.
Wright wrote on his blog that he discovered the issue while exploring the application directories in his iPhone with a free tool and came across a Facebook access token in the Draw Something game on his phone.
After copying the token's code, Wright said he used Facebook Query Language to extract the information from within. "Sure enough, I could pull back pretty much any information from my Facebook account," he wrote, pointing out that anyone who had access to the token could do the same.
Wright then turned his attention to the Facebook app directory, finding inside the app's property list -- the file that contains user settings. "What was contained within was shocking," he wrote. Inside the "plist," he discovered an unencrypted authorization key that gives the holder full access to that Facebook account.
He said he then sent the plist to a friend, who substituted it for the plist in his own Facebook account.
"My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added," Wright wrote.
However, what Wright apparently didn't reveal was that the plist is designed to be offlimits to all except the app itself unless the device is already jailbroken. While jailbreaking or rooting phones gives the owner access to install and change apps they wouldn't normally be able to do, it also disables the device's built-in security measures.
Facebook said in a statement that the modifications made to the phone were responsible for exposing the data:
Facebook's iOS and Android applications are only intended for use with the manufacture provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, "unauthorized modification of iOS could allow hackers to steal personal information ... or introduce malware or viruses." To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues.
Wright called Facebook's statement "rubbish," adding that the vulnerability is present on both jailbroken and non-jailbroken phones.
Updated at 5:45 p.m. PT with Wright's response.