A certain amount of hysteria has arisen today after a report suggested that a security vulnerability in Facebook’s mobile apps could potentially lead to identity theft.
Having carried out a series of tests, developer Gareth Wright reported that since many app developers save values in plain text plists as opposed to binaries, sensitive information could easily be compromised if the file fell into the wrong hands.
He looked at the immensely popular Draw Something app, noticed a plain text Facebook access token, copied the hash, and tested a few FQL queries. He then discovered he could pull essentially any information from his Facebook account. After sending the plist around to a few trusted associates, he was pretty awestruck to notice they could easily update his status, send messages, and essentially use his account.
Having contacted Facebook about the issues, he noted:
Facebook are aware and working on closing the hole, but unless app developers follow suit and start encrypting the 60 day access token Facebook supplies, it’s only a matter of time before someone starts using the info for ill purpose…if they aren’t already.
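To make the underlying problem concrete, here is an added example (not code from Wright, Facebook, or the Draw Something developers) that audits an app preferences plist for credential-looking plaintext strings, the kind of check a developer or reviewer would run over their own app's sandbox data before shipping. The key names, the dummy token value, and the detection heuristics are my own assumptions; real SDKs use their own keys.

```python
import plistlib
import re

# Heuristic list of key names that commonly hold credentials (my assumption, not
# taken from the article or from any specific SDK).
SUSPICIOUS_KEY_RE = re.compile(
    r"(access[_-]?token|auth[_-]?token|session|secret|password|oauth)", re.I
)
# Long opaque strings (40+ chars of token-safe characters) look like bearer
# tokens or API keys even when the key name is innocuous.
OPAQUE_VALUE_RE = re.compile(r"^[A-Za-z0-9_\-.|]{40,}$")


def _walk(node, path):
    """Yield (dotted key path, leaf value) for every leaf in a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + [str(key)])
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, path + [f"[{index}]"])
    else:
        yield ".".join(path), node


def redact(value):
    """Keep only the first and last four characters so the report never leaks the token."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def find_plaintext_secrets(plist_bytes):
    """Return [(key path, redacted value, [reasons])] for string leaves that look like credentials."""
    findings = []
    for keypath, value in _walk(plistlib.loads(plist_bytes), []):
        if not isinstance(value, str):
            continue
        reasons = []
        last_key = keypath.rsplit(".", 1)[-1]
        if SUSPICIOUS_KEY_RE.search(last_key):
            reasons.append("credential-like key name")
        if OPAQUE_VALUE_RE.match(value):
            reasons.append("long opaque string value")
        if reasons:
            findings.append((keypath, redact(value), reasons))
    return findings


def audit_prefs(prefs):
    """Convenience wrapper: serialise a preferences dict to an XML plist and audit it."""
    return find_plaintext_secrets(plistlib.dumps(prefs))


# Constructed sample preferences; the key names and the dummy token are made up
# for this example and do not come from Draw Something or the Facebook SDK.
DUMMY_TOKEN = "AAAB" + "x" * 60 + "ZZ9"
SAMPLE_PREFS = {
    "FBAccessTokenKey": DUMMY_TOKEN,
    "FBExpirationDateKey": "2012-06-03 12:00:00 +0000",
    "highScore": 1234,
    "settings": {"sound": True, "nickname": "player1"},
    "recentGames": [{"opponent": "bob", "sessionToken": "short"}],
}
SAMPLE_PLIST = plistlib.dumps(SAMPLE_PREFS)  # XML output, i.e. the "plain text" case

if __name__ == "__main__":
    for keypath, shown, reasons in find_plaintext_secrets(SAMPLE_PLIST):
        print(f"{keypath}: {shown}  ({', '.join(reasons)})")
```

A hit on a key like the constructed `FBAccessTokenKey` is the situation Wright describes: anyone who can read the file holds a usable token. Note that `plistlib.loads` parses binary plists exactly as it parses XML ones, so switching the file format alone does not protect the value; the token needs to live in a protected credential store (on iOS, the Keychain) or be encrypted before it is written, which is what the quoted advice about encrypting the token is getting at.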
As TechCrunch correctly points out, though, the threat only applies if a device is actually stolen, and even then it would need to be jailbroken – or rooted, if you’re an Android user – for any serious damage to occur. If your jailbroken/rooted device were to be snatched, however, an unscrupulous individual could have a field day with your contacts and cookies, as well as your app and account information.
Truthfully speaking, the key is not to get your device snatched, and Wright’s findings also reiterate the importance of having some form of remote wipe in place to at least keep the data on your lost device out of reach.
Facebook has tried to calm the situation by releasing a clarifying statement:
"Access tokens are only vulnerable if they have modified their mobile OS [jailbroken or rooted] or have granted a malicious actor access to the physical device. We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device."
Facebook then goes on to recommend users stay away from jailbreaking / modding in any way that could increase the security risk. Since we’re strong advocates of the freedom of jailbreaking, we’d simply add that as long as you have a remote wipe system in place, you should be absolutely fine.