Draw Nothing: Popular app opens up your Facebook to data theft
50 million people downloaded OMGPOP's Draw Something over the past two months, and it's at the top of the App Store charts. But for those of us who connected our Facebook accounts to the app, there's an even bigger problem: it stores a Facebook access token in plain text.
Want that in plain English? A hacker gets this little file, and he's got access to your private data.
The issue was discovered by Web developer Gareth Wright while investigating how mobile application developers handle security. He found that because Draw Something requests offline access to your account, he was able to run a few FQL queries (FQL is Facebook's version of SQL, a database query language) and pull private information from his own Facebook account.
The access tokens are good for 60 days, but that is still cause for concern. "Aside from that a simple .net tool could easily snaffle this info and grab a fair whack of confirmed email addresses and marketing info", Wright mused in a blog post.
Users of both stock and jailbroken iPhones are exposed to this issue. Those who have jailbroken are at greater risk, because the device's security measures have been compromised and because jailbroken apps do not get as much oversight for malicious code as apps downloaded through the App Store do. Code could be written to find this access token and send it to a hacker, who would then be able to do the same things Wright did.
Draw Something is far from the worst offender: that honor actually goes to Facebook itself. In the data files of the social networking company's own app, Wright found not only the same access token but also an authorization key, which is the key to logging into your account. This file is also stored in plain text, and it can be used on another device to log in to your account and post as you.
Unlike the desktop version, Facebook throws up no roadblocks when your account is accessed this way from a location it deems suspicious. Thus, with an iOS device (or even an emulator), your account is an open book.
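The defect described above is a credential written to an ordinary file inside the app's sandbox. What follows is an added example, not code from the article, from OMGPOP or from Gareth Wright: a small pre-release self-audit a developer can run over their own app's container to catch plist files that carry a token or key in plain text. The key names it looks for and the sample plist are constructed assumptions, not identifiers taken from Draw Something or the Facebook app.

```python
"""Added example: scan an iOS-style app container for credentials stored in
plain text in .plist files. The key names and sample data are constructed
assumptions for illustration, not values from the apps in the article."""
import plistlib
import re
from pathlib import Path

# Key names that commonly carry OAuth credentials (assumed names).
SECRET_KEYS = re.compile(r"(access[_-]?token|auth[_-]?key|session|secret)", re.IGNORECASE)
# A long opaque alphanumeric string is what a bearer token looks like at rest.
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9_\-|.]{32,}$")


def _walk(obj, path=""):
    """Yield (key_path, value) for every leaf in a nested plist structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, obj


def find_plaintext_secrets(plist_bytes: bytes):
    """Return key paths whose name or string value looks like a credential."""
    data = plistlib.loads(plist_bytes)
    findings = []
    for key_path, value in _walk(data):
        name = key_path.rsplit("/", 1)[-1]
        if isinstance(value, str) and (SECRET_KEYS.search(name) or TOKEN_SHAPE.match(value)):
            findings.append(key_path)
    return findings


def audit_container(root: Path):
    """Scan every .plist under an app container; return {relative file: key paths}."""
    report = {}
    for plist_path in root.rglob("*.plist"):
        hits = find_plaintext_secrets(plist_path.read_bytes())
        if hits:
            report[str(plist_path.relative_to(root))] = hits
    return report


# Constructed sample: what a leaky preferences file might look like.
SAMPLE_PLIST = plistlib.dumps({
    "FBAccessTokenKey": "AAAB" + "x" * 60,   # constructed placeholder, not a real token
    "FBExpirationDateKey": "2012-05-25",
    "highScore": 1234,
    "nested": {"sessionKey": "abc123"},
})

# Constructed sample with no credentials, for comparison.
CLEAN_PLIST = plistlib.dumps({"highScore": 5, "soundOn": True})

if __name__ == "__main__":
    print(find_plaintext_secrets(SAMPLE_PLIST))
    print(find_plaintext_secrets(CLEAN_PLIST))
```

Anything the audit reports is a value that any process with file access on the device can read; on iOS the fix is to move it into the Keychain rather than a plist or preferences file, which is the point Wright makes below about encrypting the token.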
Facebook confirms it is aware of the issue, but says only "we are working to fix it". No further information is given as to when the hole might be closed. Wright has already produced several proof-of-concept exploits and has been able to collect over 1,000 vulnerable access tokens and authorization keys.
"Unless app developers follow suit and start encrypting the 60 day access token Facebook supplies, it’s only a matter of time before someone starts using the info for ill purpose…if they aren’t already", he writes.