Earlier this week, Gareth Wright disclosed recent work showing that Facebook's app for iOS contains a security vulnerability that could allow malicious users to access login credentials held in a .plist file associated with the app. Obtaining a copy of the .plist file would allow malicious users to automatically log in to the affected user's account on another device. The flaw reportedly also exists on Android devices.
Wright first discovered the issue while using iExplorer to browse files on his iPhone, finding that the Facebook .plist file maintains the full OAuth key and secret needed to access the account in plain text. Working with a friend, Wright was able to demonstrate that moving the .plist file to another device granted that device access to the Facebook account. Wright outlines a number of different ways in which a malicious user could obtain the login credentials, including customized apps, hidden applications installed on public PCs, or hardware solutions such as a modified speaker dock to siphon the data.
Facebook has issued a statement claiming that the issue only affects devices that have been jailbroken or lost, as it requires either installation of a custom app or physical access to the device. But as pointed out by Wright and confirmed by The Next Web, unmodified devices need not be lost in order to be targeted, as plugging a device into a compromised computer or accessory is sufficient to allow the data to be gathered.
Furthermore, The Next Web has confirmed that the same issue affects Dropbox for iOS, allowing a user to copy the .plist file from one device in order to gain access to the account. Given that two high-profile apps are vulnerable to credential theft, it seems likely that other services are affected by the same issue.
As multiple reports note, there is no evidence that this method of collecting login credentials is actively being used in a malicious manner, and users can protect themselves for the time being by not connecting their devices to public computers or charging stations.
Update: While Wright's initial post claims that the issue affects "locked, passcoded, unmodified iOS devices" when connected to a PC set up to capture the .plist file, The Next Web has updated its report to indicate that in its testing the technique did not work on devices protected by a passcode.
Article Link: Facebook and Dropbox Apps for iOS Vulnerable to Credential Theft
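The root cause described above is an app persisting its OAuth key and secret as plain strings in a property list instead of in the Keychain. A developer or auditor can catch that class of mistake by scanning an app's .plist files for credential-looking values. The script below is an added example for this thread, not code from Facebook, Dropbox, Gareth Wright or MacRumors; the key names in the sample plist (AccessToken, Secret, etc.) are constructed and do not claim to match any real app's file, and the key-name and entropy heuristics are assumptions of this example.

```python
"""Audit a property list (.plist) for credential-looking values stored in plain text.
Added example; the sample plist and the heuristics are constructed for illustration."""
import math
import plistlib
import re
from typing import Any, Iterator

# Key names that usually hold credentials (assumption: a generic heuristic, not an app-specific list).
SENSITIVE_KEY = re.compile(r"(token|secret|password|passwd|oauth|session|credential)", re.I)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random API tokens typically score well above 3.5."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def walk(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (key path, leaf value) for every leaf of a nested plist structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node


def find_plaintext_credentials(plist_bytes: bytes, min_len: int = 20, min_entropy: float = 3.5) -> list[dict]:
    """Return one finding per string leaf that looks like a secret, either because the
    key name says so or because the value is long and high-entropy like a random token.
    Works for both XML and binary plists, since plistlib auto-detects the format."""
    data = plistlib.loads(plist_bytes)
    findings = []
    for path, value in walk(data):
        if not isinstance(value, str):
            continue  # only string leaves can carry a pasted-in token
        key = path.rsplit("/", 1)[-1]
        reasons = []
        if SENSITIVE_KEY.search(key):
            reasons.append("sensitive key name")
        if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
            reasons.append("high-entropy value")
        if reasons:
            # Never echo the full secret into a report; keep a short preview only.
            findings.append({"path": path, "reasons": reasons, "preview": value[:6] + "..."})
    return findings


# Constructed sample: the shape of an app preferences plist with OAuth material in the clear.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>DisplayName</key><string>Example User</string>
  <key>UserID</key><integer>12345</integer>
  <key>OAuth</key>
  <dict>
    <key>AccessToken</key><string>AAAB3z9kXq2pL8mN4vR7tY1wE5uI0oP6sD</string>
    <key>Secret</key><string>s3cr3tvalue</string>
  </dict>
  <key>RecentSearches</key>
  <array><string>hello</string></array>
</dict>
</plist>
"""

if __name__ == "__main__":
    for finding in find_plaintext_credentials(SAMPLE_PLIST):
        print(finding["path"], finding["reasons"])
```

Run it against the plists in an app's own data container on a test device (or against files pulled from a simulator) as a pre-release check; any hit is a value that belongs in the Keychain, where it is tied to the device and protected by the passcode, rather than in a file that is copied wholesale by backups and file browsers.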
The only way to get hold of these files is physical access to the phone. Pretty scary though, if the phone's nicked.
Facebook's claim that jailbroken devices are inherently vulnerable is plain, plain wrong. The only way a jailbroken device is more vulnerable is through SSH being installed voluntarily by the user, and the root password not being changed.
![iOS Dropbox .plist screenshot](http://images.macrumors.com/article-new/2012/04/ios_dropbox_plist.jpg)