Earlier today, security researcher Gareth Wright revealed the discovery of a security hole in the Facebook app for mobile devices running Android and iOS. The simple ‘hack’ allows a user to copy a plain text file off of the device and onto another one. This effectively gives another user access to your account, profile and all on that iOS device.
Now, The Next Web has discovered that popular file-syncing app Dropbox also exhibits the vulnerability.
As we noted earlier, the vulnerability lies with the app itself, as it stores this information in plain text, rather than encrypting or packaging it so that it cannot be accessed.
Let me stop you there: not only did we deal with this last year, we also explained at the time:
I wouldn’t panic about the overall approach; in fact commenter Dwayne Litzenberger has already pointed out that it’s not much different to use of unpassworded SSH public key authentication, where you similarly set up a magic file which (if copied) permits unrestricted access into another machine. I’ve seen plenty of enterprises where that happens and is justified by the argument that it’s safe to do this within a nice, secure corporate network – Ha! – whereas the simple truth is that sometimes unpassworded, statically authenticated access to compute resources and data is so desirable that people are willing to make it work within an acceptable framework of risk.
Plus, let’s be honest: once somebody has gotten into your machine to retrieve Dropbox’s magic file then you are already 0wned and it’s game over, Dropbox or no Dropbox.
So when you say the vulnerability lies with the app itself – no, no it doesn’t. The vulnerability lies in the platform’s being accessible to a third party outside of the trust model.
The solutions are physical isolation, software to inhibit unmediated network access to data, and encrypted storage and decent key management to inhibit offline access.
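The SSH analogy above is worth making concrete, since the same question applies to any "magic file": is the secret usable as-is once copied, and who else on the box can read it? The following is an added example, written for this post and not code from Dropbox or from the original article. It parses the two OpenSSH private-key file formats (the legacy PEM form with its `Proc-Type: 4,ENCRYPTED` header, and the newer `openssh-key-v1` blob whose header names the cipher and KDF) to decide whether a key is protected by a passphrase at rest, and reports whether the file's mode lets group or world read it. The sample key files are constructed inline with empty key material; they are not real keys, and the helper and function names are this example's own.

```python
import base64
import os
import stat
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data):
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob, offset):
    """Decode one SSH wire 'string' at offset; return (bytes, new_offset)."""
    (n,) = struct.unpack_from(">I", blob, offset)
    offset += 4
    return blob[offset:offset + n], offset + n


def make_openssh_key(cipher, kdf):
    """Constructed sample (not a real key): an openssh-key-v1 private key file
    whose header advertises the given cipher and KDF. Only the fields the
    audit reads are populated; the key material itself is left empty."""
    blob = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
    blob += _ssh_string(b"")       # kdfoptions (salt/rounds) omitted in this sample
    blob += struct.pack(">I", 1)   # number of keys
    blob += _ssh_string(b"")       # public key, omitted in this sample
    blob += _ssh_string(b"")       # private section, omitted in this sample
    body = base64.encodebytes(blob).decode("ascii")
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body
            + "-----END OPENSSH PRIVATE KEY-----\n")


def make_legacy_pem_key(encrypted):
    """Constructed sample (not a real key): a PEM 'RSA PRIVATE KEY' file with
    the headers ssh-keygen writes when a passphrase was set."""
    headers = ""
    if encrypted:
        headers = ("Proc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n")
    body = base64.encodebytes(b"\x00" * 48).decode("ascii")  # placeholder body
    return ("-----BEGIN RSA PRIVATE KEY-----\n" + headers + body
            + "-----END RSA PRIVATE KEY-----\n")


def classify_private_key(text):
    """Return 'encrypted', 'plaintext' or 'unknown' for a private-key file."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return "unknown"
    label = lines[0]
    if label == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(body)
        except ValueError:
            return "unknown"
        if not blob.startswith(OPENSSH_MAGIC):
            return "unknown"
        cipher, off = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_ssh_string(blob, off)
        # An unprotected key is written with ciphername "none" and kdfname "none".
        return "plaintext" if cipher == b"none" or kdf == b"none" else "encrypted"
    if label == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "encrypted"  # PKCS#8 encrypted form carries its own label
    if "PRIVATE KEY" in label:
        if any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in lines[1:4]):
            return "encrypted"
        return "plaintext"
    return "unknown"


def audit_key_file(path):
    """Report both ways a 'magic file' leaks: readable by others on the box,
    or usable without a passphrase once copied elsewhere."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "r", encoding="ascii", errors="replace") as f:
        text = f.read()
    return {
        "path": os.path.basename(path),
        "at_rest": classify_private_key(text),
        "world_or_group_readable": bool(mode & 0o077),
    }


def demo():
    """Write the constructed samples to a temp dir and audit them."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        samples = [
            ("id_plain", make_openssh_key(b"none", b"none"), 0o644),
            ("id_locked", make_openssh_key(b"aes256-ctr", b"bcrypt"), 0o600),
        ]
        for name, text, mode in samples:
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write(text)
            os.chmod(p, mode)
            results.append(audit_key_file(p))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Run it against a real `~/.ssh` by pointing `audit_key_file` at each file there; a result of `plaintext` plus `world_or_group_readable: True` is the SSH-shaped version of the Dropbox file the article complains about. Note that the at-rest check only tells you the file is useless without a passphrase once copied; it says nothing about the running agent, which is the "already 0wned" case above.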