Friday, April 06, 2012, 11:50 am

Security issue in Facebook, Dropbox iOS apps requires physical access

By Slash Lane

A newly discovered security flaw in the Facebook and Dropbox applications for iOS could lead to identity theft, but only if a malicious user were to physically get their hands on an iPhone or iPad.

Earlier this week, developer Gareth Wright discovered the flaw in Facebook's official, free software available on the iOS App Store. He was able to install his personal "plist" file from the social networking application on four different devices without warning.

After discovering the issue, Wright contacted Facebook's security team, and they confirmed they they are "working to fix it." No timetable was given for the fix.

The same issue was also discovered in the official iOS Dropbox application by The Next Web. Both applications store personal information in plain text, rather than encrypting or packaging it, leaving personal information accessible to malicious users — but only if they are able to obtain the physical device that holds the data.

The data can even be obtained from Apple's latest devices, including the third-generation iPad, and it can be extracted without "jailbreaking" the device, or hacking Apple's iOS mobile operating system.

In other words, there is currently no current risk with the security flaw for users who keep their iPhone or iPad in their possession. The newly discovered issue mostly applies to those who may have lost their device or had it stolen.


In a statement, Dropbox said it is currently updating its iOS application to store its access tokens in a "protected location," like the service's Android application already does.

"We note the attack in question requires a malicious actor to have physical access to a user's device," they noted. "In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices."