Folks who use Facebook’s iOS app might want to stay away from public computers and charging stations for a while. A serious security weakness has been found in the app that could hand your account to anyone who gets a few minutes of USB access to your phone.

Security researcher Gareth Wright published a blog post yesterday that raises serious questions about how iOS developers handle saved credentials such as login tokens. It turns out that some apps are storing this data in plain, unencrypted files…

Using the free tool iExplorer (previously iPhone Explorer) and a non-jailbroken iPhone connected over USB, Wright was able to pull account credentials out of apps like Facebook and Draw Something, which stored them in unencrypted .plist files inside the app’s own data directory. No jailbreak and no password are needed; the file is simply readable by the computer the phone is plugged into.

“Popping into the Facebook application directory I quickly discovered a whole bunch of cached images and the com.Facebook.plist. What was contained within was shocking. Not an access token but full OAuth key and secret in plain text…

…Quick export and call to my good friend and local blogger Scoopz and I sent over my plist for him to try out. After backing up his own plist and logging out of Facebook he copied mine over to his device and opened the Facebook app.

My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added.

Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures back to my friends.”

Before you panic, keep in mind that there is no evidence of anyone exploiting this in the wild. But the implications are certainly scary. Wright suggests that an attacker could exploit this hole with a hidden program on a public computer or charging station that copies the plist files from any device plugged into it, or with a modified version of a utility like iExplorer that does the same. Because the credential itself is what gets copied, the attacker never needs your password: dropping the stolen plist onto another device is enough to act as you, exactly as Scoopz did above.

Wright says that Facebook is aware of the vulnerability and is working on a fix. But he points out that unless other developers follow suit and stop writing credentials to plain files in the app container (on iOS, the place for a session token is the Keychain, not a plist), it’s only a matter of time before someone uses this technique for ill. Yikes.
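The article contains no code; what follows is an added example, not Wright’s script or anything from the Facebook app, that automates the check he did by hand with iExplorer: parse a plist copied out of an app’s container and flag string or data values stored under credential-looking keys. Both sample plists, their key names and the token values are constructed for this example; the article does not show the real layout of com.Facebook.plist. The “clean” sample shows the shape a hardened app leaves behind when the token lives in the Keychain instead.

```python
import plistlib
import re

# Constructed sample in the shape of an iOS app preferences plist. Key names and
# values are invented for this example; the real com.Facebook.plist layout is
# not shown in the article.
LEAKY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AppleLanguages</key>
  <array><string>en</string></array>
  <key>FBSession</key>
  <dict>
    <key>oauth_key</key>
    <string>appkey0123456789abcdef0123456789</string>
    <key>oauth_secret</key>
    <string>fedcba9876543210fedcba9876543210</string>
    <key>expiration</key>
    <date>2012-05-01T00:00:00Z</date>
  </dict>
  <key>lastOpened</key>
  <integer>3</integer>
</dict>
</plist>
"""

# Hardened shape (also constructed): the plist keeps only non-secret state and
# the token itself lives in the Keychain, not in a file in the app container.
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>FBSessionPresent</key>
  <true/>
  <key>lastOpened</key>
  <integer>3</integer>
</dict>
</plist>
"""

# Key names that usually sit next to a credential. Matched against the last
# path component only, so a parent key like "FBSession" does not taint every
# child under it (the expiration date, for instance).
SENSITIVE_KEY = re.compile(r"token|secret|key|passw|credential|session|cookie", re.I)


def walk(node, path=()):
    """Yield (path, value) for every leaf of a parsed plist tree."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, path + (str(k),))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, path + (f"[{i}]",))
    else:
        yield path, node


def find_plaintext_secrets(plist_bytes, min_len=16):
    """Return [(path, redacted_preview)] for string/data values that sit under a
    credential-looking key and are long enough to be a token rather than a flag."""
    tree = plistlib.loads(plist_bytes)  # auto-detects XML and binary plists
    findings = []
    for path, value in walk(tree):
        if isinstance(value, bytes):
            text = value.hex()
        elif isinstance(value, str):
            text = value
        else:
            continue  # ints, bools and dates are not tokens
        if not path or not SENSITIVE_KEY.search(path[-1]):
            continue
        if len(text) < min_len or any(c.isspace() for c in text):
            continue  # short or prose-like values are unlikely to be secrets
        findings.append(("/".join(path), f"{text[:4]}<redacted {len(text)} chars>"))
    return findings


if __name__ == "__main__":
    for name, blob in (("leaky", LEAKY_PLIST), ("clean", CLEAN_PLIST)):
        hits = find_plaintext_secrets(blob)
        print(f"{name}: {len(hits)} plaintext credential(s)")
        for path, preview in hits:
            print(f"  {path} = {preview}")
```

Point `find_plaintext_secrets` at the bytes of any plist pulled from an app container (binary plists parse the same way). The match is by key name, so a secret filed under an innocuous key will be missed; an entropy check on every long string is the obvious next step if you want the scan to be more than a first pass.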


  • I don’t use the Facebook app. It’s horrible.
    And since it’s only an app exploit, you can still use Safari to go on Facebook.

    • Anonymous

      The question is, how far does this tactic extend? If you have your password saved in Safari on the mobile site of Facebook, could one simply copy your Safari plist and replace it and get all your saved credentials?

      (insert obligatory “One does not simply walk into Mordor” meme picture here)

      • EpicFacepalm

        You obviously don’t know how Safari works.


  • Kok Hean

    I’ve known this for two years and use it to troll my cousin.

  • Tommy L Neel

    Look, I understand that most software has exploits – that’s a given. But I find articles like this utterly useless (no offense to the author).

    Honestly, the VERY FEW PEOPLE who have this ability are not sitting & lurking around, just hoping you will charge your iPhone at a charging station so they can post on your wall. To me, this is like those articles that say, “We have found a planet that can support human life. AND it’s only 100 light years away!!” Then what’s the f-ing point?!!!!

    It just seems like a lot of work to post on someone’s wall and not sure anyone would care to do it. Maybe I’m wrong; I usually am.

  • So, everybody is safe unless someone connects to a public network? Huh, then I’d rather tether my iPhone’s network to my iPad, and the problem will be solved 🙂