Facebook, Dropbox iOS apps contain security hole that could allow identity theft (Updated)

Updated with comment from Dropbox, note regarding LinkedIn and clarifications throughout.

Let's clear this up quickly: Yes, there's a security hole in the Facebook app. The Next Web also confirmed the same issue in the Dropbox app, and a commenter below suggests that Vimeo and Tumblr official apps have the same core vulnerability. LinkedIn's app also apparently works the same way.

The good news is this: It's very unlikely anyone would get access to your Facebook account this way. To do so, the hypothetical hacker would have to have physical access to your iPhone, and once someone has physical control of your device you've got plenty of bigger problems.

Even if someone tried to trick you into falling for this exploit without stealing your phone, you'd have to allow them to plug your device into their computer or a rigged dock/charging station, then allow them to do a bunch of business on your phone to grab a plain text file stored by these, then they'd have to take that file to a different iOS device in order to go and do something malicious on your Facebook or Dropbox accounts.

[In theory, if you plugged your non-passcode-locked phone into an untrusted computer or peripheral to charge it, a piece of software on that computer could surreptitiously grab the key files without your knowledge. No such malicious app is currently known to exist in the wild, but it's not outside the realm of possibility researcher Gareth Wright was able to "knock together" several proofs of concept, including a modified speaker dock and a credit-card sized hardware capture tool. –Ed.]

Although other sites have reported that a jailbroken device is required to access this exploit, that is simply not true. A desktop app like iExplorer or PhoneView, which allow you to access application-stored files on an iOS device, will allow you to exploit the security hole.

It works like this: some iOS apps use little text files (.plist aka property list files) to store all sorts of little things about an app. In this case, Dropbox, LinkedIn, Facebook and others are using an unencrypted property list to apparently store both the OAuth key and its secret counterpart.

That's...astonishingly naive. (I wonder how many other apps don't do the same thing.) Apple provides a secure mechanism (the system keychain) which is meant for exactly this purpose: providing a non-visible storage system for sensitive data.

Once a malicious person has used iExplorer to find the right plist, that file can be copied and dropped onto another device. That second device would then be able to access your account as though you had already logged in. Using a property list in this way leaves us scratching our heads.

Facebook has issued a comment saying it will patch this soon. I haven't seen any statement from Dropbox yet. That being said, this was a dumb mistake on Facebook's and Dropbox's parts -- they should have known better.

Update: Dropbox issued a statement as well, noting the Android version doesn't suffer from this vulnerability. Also, the company is working on a fix now. The statement is pasted below.

The Next Web did a little more testing and points out that the exploit can't be leveraged if you have set a passcode on your device -- an unfamiliar computer can't pull files from your phone if it's passcode-locked.

From Dropbox:

We are currently updating our iOS app to do the same. We note that the attack in question requires a malicious actor to have physical access to a user's device. In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices.