This week a startling discovery has been made by developer and writer Gareth Wright that has the potential to allow any rogue app to take control of your Facebook app and therefore your Facebook account. The method seems almost too simple – within the package of files you get with either the Android or iOS version of Facebook comes a file called a plist. This plist contains unencrypted information about your Facebook account – including your name and password. Facebook is reportedly searching for a fix now, but it has not yet addressed the fact that a similar plist sits in every app you’ve allowed access to your Facebook account.
For those of you not wanting to get too technical about it – there’s really nothing else you need to know. The Facebook app you’ve got on your mobile device, be it a tablet, smartphone, or something in-between, has a piece of it which is relatively unsecured and contains all of the information needed for a third party to gain access to your Facebook account.
When an app requests access to your Facebook account – like when you need to connect with a photo-sharing app, for example – Facebook’s current method for granting that access is to write the information into a plist that the requesting app then keeps among its own files. At the moment, this file remains with the app for 60 days after it asks for access, during which Facebook trusts the app to use it. The plist in the Facebook app itself has an expiration date as well: January 1st, 4001. That’s according, again, to Wright.
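To make the two problems described above concrete – plaintext credential material sitting in a plist, and an expiry date set centuries in the future – here is an added audit script that is not part of the original article and does not use Facebook’s actual file layout. It parses a plist with Python’s standard `plistlib`, walks every nested key, and reports any string stored under a credential-looking key name as well as any expiry date that lies more than 60 days beyond a reference time. The sample plist, its key names (`AccessToken`, `TokenExpiration`, `SessionSecret`, and so on) and the reference date are all constructed for the example.

```python
import plistlib
import re
from datetime import datetime, timedelta

# Key names that suggest credential material; assumption used for the audit.
SECRET_KEY_PATTERN = re.compile(r"(token|password|passwd|secret|credential)", re.IGNORECASE)
# Key names that suggest an expiry timestamp; also an assumption.
EXPIRY_KEY_PATTERN = re.compile(r"expir", re.IGNORECASE)
# The article reports a 60-day window for third-party apps; anything longer is flagged.
MAX_TOKEN_LIFETIME = timedelta(days=60)

# Constructed reference "now" so the example is reproducible offline.
AUDIT_REFERENCE_TIME = datetime(2012, 4, 6)

# Constructed sample plist. Key names and values are invented for illustration
# and do not reflect any real application's files.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>UserName</key>
    <string>example.user</string>
    <key>AccessToken</key>
    <string>CONSTRUCTED-TOKEN-VALUE</string>
    <key>TokenExpiration</key>
    <date>4001-01-01T00:00:00Z</date>
    <key>Theme</key>
    <string>dark</string>
    <key>Nested</key>
    <dict>
        <key>SessionSecret</key>
        <string>CONSTRUCTED-SECRET</string>
        <key>SecretExpiry</key>
        <date>2012-05-01T00:00:00Z</date>
    </dict>
</dict>
</plist>
"""


def walk(node, path=""):
    """Yield (dotted_path, value) for every leaf of a nested plist structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def audit_plist(data, now):
    """Return a list of (finding, path) tuples for a plist given as bytes.

    Findings:
      plaintext-secret   a non-empty string stored under a credential-like key
      long-lived-expiry  an expiry timestamp more than MAX_TOKEN_LIFETIME past `now`
    """
    findings = []
    root = plistlib.loads(data)
    for path, value in walk(root):
        leaf = path.rsplit(".", 1)[-1]
        if isinstance(value, str) and value and SECRET_KEY_PATTERN.search(leaf):
            findings.append(("plaintext-secret", path))
        # plistlib returns naive datetimes (UTC implied), so compare with a naive `now`.
        if isinstance(value, datetime) and EXPIRY_KEY_PATTERN.search(leaf):
            if value - now > MAX_TOKEN_LIFETIME:
                findings.append(("long-lived-expiry", path))
    return findings


def audit_sample():
    """Run the audit over the constructed sample at the constructed reference time."""
    return audit_plist(SAMPLE_PLIST, AUDIT_REFERENCE_TIME)


if __name__ == "__main__":
    for finding, path in audit_sample():
        print(f"{finding}: {path}")
```

Run against the constructed sample, the script reports the two plaintext secrets and the year-4001 expiry, while the nested expiry 25 days out passes the lifetime check. Pointing `audit_plist` at a real app’s `Library/Preferences` plists (after exporting them from a device you own) is the corresponding real-world check; binary plists parse the same way because `plistlib.loads` detects the format.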
So what can you do? You can quit using Facebook on your smart device and delete it and every app you’ve allowed access to Facebook until Facebook’s developers find a better method for connecting you. Or you could just relax because the only way a person can get this information from you is if you download an app which can access it (not likely unless you’re downloading rogue apps from who knows where), or someone gains physical access to your smartphone or tablet. So keep it safe!
UPDATE: Facebook has responded with the following on the subject:
“Facebook’s iOS and Android applications are only intended for use with the manufacturer-provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, ‘unauthorized modification of iOS could allow hackers to steal personal information … or introduce malware or viruses.’ To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues.” – Facebook Spokesperson
There you have it, folks. What do you think?