.@TheNextWeb discovers the horrifying truth that stolen credentials CAN BE REUSED – #facebook client, #dropbox @MPanzarino

Facebook Security Hole Doesn’t Require Jailbreak, Dropbox Has it Too.

Earlier today, security researcher Gareth Wright revealed the discovery of a security hole in the Facebook app for mobile devices running Android and iOS. The simple ‘hack’ allows a user to copy a plain text file off of the device and onto another one. This effectively gives another user access to your account, profile and all on that iOS device.

Now, The Next Web has discovered that popular file-syncing app Dropbox also exhibits the vulnerability.

As we noted earlier, the vulnerability lies with the app itself, as it stores this information in plain text, rather than encrypting or packaging it so that it cannot be accessed.

Let me stop you there; not only did we deal with this last year, but we also explained:

I wouldn’t panic about the overall approach; in fact commenter Dwayne Litzenberger has already pointed out that it’s not much different from the use of unpassworded SSH public key authentication, where you similarly set up a magic file which (if copied) permits unrestricted access into another machine. I’ve seen plenty of enterprises where that happens and is justified by the argument that it’s safe to do this within a nice, secure corporate network – Ha! – whereas the simple truth is that sometimes unpassworded, statically authenticated access to compute resources and data is so desirable that people are willing to make it work within an acceptable framework of risk.

Plus, let’s be honest: once somebody has gotten into your machine to retrieve Dropbox’s magic file then you are already 0wned and it’s game over, Dropbox or no Dropbox.

So when you say the vulnerability lies with the app itself – no, no it doesn’t. The vulnerability lies in the platform’s being accessible to a third party outside of the trust model.

The solutions are physical isolation, software to inhibit unmediated network access to data, and encrypted storage and decent key management to inhibit offline access.

6 thoughts on “.@TheNextWeb discovers the horrifying truth that stolen credentials CAN BE REUSED – #facebook client, #dropbox @MPanzarino”

  1. Richard

    While I agree with your assessment and conclusions, app developers could make it a little harder for an attacker with physical access to the device. For example, take a unique number (like a MAC address) of the device in the mix of encryption or authentication. Granted, it is a small step to reverse the app to know what to spoof to make it still work. But at least it will keep some script kiddies out.

    I tested my mobile banking app, and was pleasantly surprised that when I copied over the data folder to another device, it asked me to re-authenticate.

    1. alecm Post author

      >But at least it will keep some script kiddies out.

      They shouldn’t be there in the first place, and if the economic cost of doing the above to save N people from having their data stolen by incompetent hackers, versus 100*N people not being able to restore their application context from backups made on a different machine, I would rather not have it…

      1. Richard

        I get your point, and somewhat agree. After a restore to another device, the app would simply ask you to re-authenticate though. Not much harm to the 100*N people.

        Interestingly, I had to turn off my iTunes backup password for the jailbreak of iOS 5.0.1. When I later restored that backup to a new iPad, all my passwords stored in the keychain were gone. It seems that iOS encrypts them using a Device Key (that never leaves the device) when no backup password is set. A little known fact, but nice security if you think about it.

  2. Richard

    After reading the article of Gareth Wright at http://garethwright.com/blog/facebook-mobile-security-hole-allows-identity-theft I must say, this is pretty careless. iOS contains a keychain exactly for this purpose. It is protected using a hardware encryption module that limits brute forcing to 6 tries per second (see http://www.elcomsoft.com/WP/BH-EU-2012.pdf ). When using an iTunes backup password, all credentials can be transferred to a new device. There is no reason for apps to store credentials in plists.

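The contrast between a plain text plist and a credential store wrapped under a per-device key, as an added illustration (not code from the post or its commenters) of the post's closing point about encrypted storage and key management and of Richard's comments above: copying the file to a second device yields nothing usable, so the app has to ask for a fresh login. The device keys, the session token and the HMAC-based wrap are all constructed stand-ins; a real app would use the platform keychain or a proper AEAD rather than this construction.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: on a real device the key lives in hardware and
# never leaves it; the token is whatever the service issued at login.
DEVICE_A_KEY = hashlib.sha256(b"constructed device key A").digest()
DEVICE_B_KEY = hashlib.sha256(b"constructed device key B").digest()
SESSION_TOKEN = b"constructed-session-token-issued-at-login"


def _keystream(key, nonce, length):
    # Counter-mode keystream from a PRF (HMAC-SHA256); a stand-in for a real cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(device_key):
    # Separate encryption and MAC keys, both derived from the device key.
    enc = hmac.new(device_key, b"credential-enc", hashlib.sha256).digest()
    mac = hmac.new(device_key, b"credential-mac", hashlib.sha256).digest()
    return enc, mac


def seal_credential(device_key, token):
    # Encrypt-then-MAC the token under keys bound to this device.
    enc_key, mac_key = _subkeys(device_key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(a ^ b for a, b in zip(token, _keystream(enc_key, nonce, len(token))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_credential(device_key, blob):
    # Returns the token only on the device that sealed it. Anywhere else (or if
    # the file was altered) it returns None, and the app falls back to a login prompt.
    enc_key, mac_key = _subkeys(device_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
```

A plain text plist is the degenerate case where the stored bytes are the token itself, so the same copy works on every device.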
