U.K.-based Android and iOS app developer Gareth Wright recently discovered a security hole in Facebook’s native mobile apps that can be used to steal a user’s personal information. Facebook’s Android and iOS apps do not encrypt login credentials, instead storing them in plain text files and allowing the information to be easily accessed and transferred over a USB connection, or more likely, through a malicious app. Wright explained in a blog post that Facebook’s plist file, or property list file containing personal data, is stored insecurely and not set to expire for 2,000 years. Once a plist file is copied to another device, one can simply open the normal Facebook app and will automatically be logged in the user’s account. Wright’s claims were confirmed by TheNextWeb, which also discovered that Dropbox’s iOS app includes the same security hole. The vulnerabilities do not require a device to be jailbroken or rooted, and exploits can be performed with a simple file explorer.
Update: Dropbox reached out to BGR regarding the issue, the company’s statement can be found after the break.
“Dropbox’s Android app is not impacted because it stores access tokens in a protected location,” the company said. “We are currently updating our iOS app to do the same. We note that the attack in question requires a malicious actor to have physical access to a user’s device. In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices.”