Every day there is another security alert for an app or operating system; most are either well reported or over-hyped. Today I spotted this one, which piqued my interest...

Your login token from your Android or iOS device can be copied and used to log in as you on another phone.

Before we all delete the app from our devices, let's set the ground rules... Someone needs to physically get hold of your phone (for example, if you have lost it or it has been stolen). If they do not have your phone, this doesn't work.

When you log in to Facebook (or most other apps) it creates a token (stored in a file) which is used to authenticate you with the app's servers. If someone can grab this token (file) and put it on another device, they become you. Simple.

Gareth Wright has discovered that anyone with access to your device can do this. They plug your phone into a computer and use standard phone file-browsing software to grab the file. He has proved that the token can be copied and sent to someone else, who can then place it on their own phone and become you.

Facebook have responded saying this was only possible if the phone was jailbroken (hacked); as Gareth points out, the device is not jailbroken.

The obvious solution is for Facebook to at least encrypt the token based on something unique to your device.  Apparently FB Towers are now working to solve this!
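As an added illustration (not code from the post, nor Facebook's), the sketch below simulates the scenario above: a token file issued on one phone is copied to another. A plain bearer check accepts it from anywhere, while a token that the server bound at issue time to a device identifier (here a constructed fingerprint string) is rejected from the second phone. The binding only helps if the device identifier is not something a copier can read off the phone as easily as the token file itself.

```python
import hmac
import secrets


class TokenStore:
    """Server-side record of issued login tokens (assumed design, not Facebook's)."""

    def __init__(self):
        # token -> (user, device identifier the token was issued to)
        self._tokens = {}

    def issue(self, user, device_id):
        """Log a device in: mint a random token and remember which device got it."""
        token = secrets.token_hex(16)
        self._tokens[token] = (user, device_id)
        return token

    def authenticate_bearer(self, token):
        """Weak check: whoever presents the token file is treated as the user."""
        entry = self._tokens.get(token)
        return entry[0] if entry else None

    def authenticate_bound(self, token, presented_device_id):
        """Hardened check: the token is only valid from the device it was issued to."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user, issued_device_id = entry
        # constant-time compare so the check itself leaks nothing about the stored id
        if not hmac.compare_digest(issued_device_id, presented_device_id):
            return None
        return user


def simulate_token_copy():
    """Constructed scenario: token issued to phone A, file copied onto phone B."""
    store = TokenStore()
    token_file = store.issue("alice", "phone-A-fingerprint")  # written to phone A
    copied_token = token_file  # same bytes, now sitting on phone B
    return {
        "bearer_from_B": store.authenticate_bearer(copied_token),
        "bound_from_A": store.authenticate_bound(token_file, "phone-A-fingerprint"),
        "bound_from_B": store.authenticate_bound(copied_token, "phone-B-fingerprint"),
    }


if __name__ == "__main__":
    print(simulate_token_copy())
```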

It is interesting to note that Dropbox has the same issue; I am sure other apps will be identified soon.
