Dropbox to Fix Security Hole With iOS App Update

Security researcher Gareth Wright discovered a Facebook app security hole on iOS devices, and then The Next Web revealed that the Dropbox file-syncing app is also vulnerable.

Woe is iOS

When Wright revealed a Facebook mobile security hole in iOS devices, he wrote, "Readers: Do not panic!" and explained how to change phone settings to secure the devices. He then says he used the free iexplorer tool on some of his iOS application directories and found a plain text Facebook access token in the Draw Something app. He realized that the Facebook application directory contained cached images and the com.Facebook.plist, but what was most shocking was the full oAuth key and secret in plain text.

Wright explains:

Worryingly the expiry in the plist is set to 1 Jan 4001!Quick export and call to my good friend and local blogger Scoopz and I sent over my plist for him to try out. After backing up his own plist and logging out of Facebook he copied mine over to his device and opened the Facebook app… My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added."

Wright says that he notified Facebook, which is working to fix the hole. Later, he updated his post to include Linkedin as vulnerable to the hack.

Learning Opportunities

Webinar

Apr

5

Adopt a Modern Digital-First Marketing Strategy

Learn how to use a composable DXP to your advantage

Webinar

Apr

13

Composable Commerce The Future of Retail

The Adobe Commerce approach to composable and why it's best in class

Webinar

Apr

13

Accelerating Content Velocity Across the Digital Supply Chain

Learn to integrate DAM with upstream tools to improve workflow efficiency.

Webinar

Apr

18

Drive Business Growth Through Customer Service and Support

Defining the future of technology. What is AI’s role in the future of customer service?

Webinar

Apr

25

Human Intelligence: The Key to Harnessing Generative AI

Distinguish Hype From Reality

Webinar

Apr

26

Future-proofing Your Marketing Through Better Customer Understanding

Understanding your customers and how to reach them in real-time across all channels

Webinar

Apr

5

Adopt a Modern Digital-First Marketing Strategy

Learn how to use a composable DXP to your advantage

Webinar

Apr

13

Composable Commerce The Future of Retail

The Adobe Commerce approach to composable and why it's best in class

Webinar

Apr

5

Adopt a Modern Digital-First Marketing Strategy

Learn how to use a composable DXP to your advantage

Webinar

Apr

13

Composable Commerce The Future of Retail

The Adobe Commerce approach to composable and why it's best in class

Webinar

Apr

13

Accelerating Content Velocity Across the Digital Supply Chain

Learn to integrate DAM with upstream tools to improve workflow efficiency.

Webinar

Apr

5

Adopt a Modern Digital-First Marketing Strategy

Learn how to use a composable DXP to your advantage

View all

Next Comes Dropbox

The Next Web followed the story and found that the Dropbox app was also vulnerable because it stores information in plain text, which can be copied and used on another device:

We copied the .plist from one device with the app installed and logged in, over to another which had a fresh installation of Dropbox on it. The profile copied and it worked seamlessly, as if we had logged on ourselves, which we had not."

The Next Web contacted Dropbox about the problem, and received a statement back that said the Android app is not susceptible to the security issue because the access tokens are stored in a protected location.

Dropbox is updating its iOS app to do the same thing, but in the meantime, iOS app users can set the device passcode, which prevents transferring of the .plist file from the mobile device.