Facebook and Dropbox Apps for iOS Vulnerable to Credential Theft

by

Earlier this week, Gareth Wright disclosed his recent work showing that Facebook's app for iOS contains a security vulnerability that could allow malicious users to access login credentials held in a .plist file associated with the app. Obtaining a copy of that .plist file could allow a malicious users to automatically login in to the affected user's account on another device. The flaw reportedly also exists on Android devices.

Wright first discovered the issue while using iExplorer to browse files on his iPhone, discovering that the Facebook .plist file maintains the full oAuth key and secret needed to access his account in plain text. Working with a friend, Wright was able to demonstrate that simply moving that .plist file to another device granted that device access to his Facebook account.

After backing up his own plist and logging out of Facebook he copied mine over to his device and opened the Facebook app…

My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added.

Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures back to my friends.

Wright outlines a number of different ways in which a malicious user could obtain the login credentials, including customized apps, hidden applications installed on public PCs, or hardware solutions such as a modified speaker dock that could siphon the data.

Facebook has issued a statement claiming that the issue only affects devices that have been jailbroken or lost, as it requires either installation of a custom app or physical access to the device. But as pointed out by Wright and confirmed by The Next Web, unmodified devices need not be lost in order to be targeted, as simply plugging in a device to a compromised computer or accessory would be sufficient to allow the data to be gathered.

ios dropbox plist
Dropbox .plist file seen through iExplorer (Source: The Next Web)

Furthermore, The Next Web has confirmed that the same issue affects Dropbox for iOS, similarly allowing a user to simply copy the .plist file from one device to another in order to gain access to the account. Given that two high-profile apps are vulnerable to credential theft, it seems likely that other services are also affected by the same issue.

As multiple reports note, there is no evidence that this method of collecting login credentials is actively being used in a malicious manner, and users can protect themselves for the time being by not connecting their devices to public computers or charging stations.

Update: While Wright's initial post claims that the issue affects "locked passcoded unmodified iOS Devices" when connected to a PC set up to capture the .plist file, The Next Web has now updated its report to indicate that in its testing the technique does not work on devices protected with a passcode.

Popular Stories

Apple Wallet ID Illinois

Apple Plans to Expand iPhone Driver's Licenses to These 7 U.S. States

Wednesday December 24, 2025 8:40 am PST by
In select U.S. states, residents can add their driver's license or state ID to the Apple Wallet app on the iPhone and Apple Watch, and then use it to display proof of identity or age at select airports and businesses, and in select apps. The feature is currently available in 13 U.S. states and Puerto Rico, and it is expected to launch in at least seven more in the future. To set up the...
Read Full Article48 comments
iPhone Top Left Hole Punch Face ID Feature Purple

iPhone 18 Pro Launching Next Year With These 12 New Features

Tuesday December 23, 2025 8:36 am PST by
While the iPhone 18 Pro and iPhone 18 Pro Max are not expected to launch for another nine months, there are already plenty of rumors about the devices. Below, we have recapped 12 features rumored for the iPhone 18 Pro models. The same overall design is expected, with 6.3-inch and 6.9-inch display sizes, and a "plateau" housing three rear cameras Under-screen Face ID Front camera in...
Read Full Article98 comments
maxresdefault

Where's the New Apple TV?

Monday December 22, 2025 11:30 am PST by
Apple hasn't updated the Apple TV 4K since 2022, and 2025 was supposed to be the year that we got a refresh. There were rumors suggesting Apple would release the new Apple TV before the end of 2025, but it looks like that's not going to happen now. Subscribe to the MacRumors YouTube channel for more videos. Bloomberg's Mark Gurman said several times across 2024 and 2025 that Apple would...
Read Full Article173 comments
maxresdefault

10 Mac Apps Worth Trying in 2026

Wednesday December 24, 2025 9:27 am PST by
2026 is almost upon us, and a new year is a good time to try out some new apps. We've rounded up 10 excellent Mac apps that are worth checking out. Subscribe to the MacRumors YouTube channel for more videos. Alt-Tab (Free) - Alt-Tab brings a Windows-style alt + tab thumbnail preview option to the Mac. You can see a full window preview of open apps and app windows. One Thing (Free) -...
Read Full Article97 comments
iOS 26

iOS 26.2 Adds These 8 New Features to Your iPhone

Monday December 22, 2025 8:47 am PST by
Earlier this month, Apple released iOS 26.2, following more than a month of beta testing. It is a big update, with many new features and changes for iPhones. iOS 26.2 adds a Liquid Glass slider for the Lock Screen's clock, offline lyrics in Apple Music, and more. Below, we have highlighted a total of eight new features. Liquid Glass Slider on Lock Screen A new slider in the Lock...
Read Full Article
airpods color prototypes

Apple Tested AirPods in Bright Colors

Saturday December 27, 2025 6:06 am PST by
Apple reportedly tested a version of the first-generation AirPods with bright, iPhone 5c-like colored charging cases. The images, shared by the Apple leaker and prototype collector known as "Kosutami," claim to show first-generation AirPods prototypes with pink and yellow exterior casings. The interior of the charging case and the earbuds themselves remain white. They seem close to some...
Read Full Article59 comments
iPhone Fold Vertical Feature

Why Apple's Foldable iPhone May Be Smaller Than Expected

Tuesday December 23, 2025 5:21 am PST by
Apple's first foldable iPhone, rumored for release next year, may turn out to be smaller than most people imagine, if a recent report is anything to go by. According to The Information, the outer display on the book-style device will measure just 5.3 inches – that's smaller than the 5.4-inch screen on the ‌iPhone‌ mini, a line Apple discontinued in 2022 due to poor sales. The report has led ...
Read Full Article204 comments
Foldable iPhone 2023 Feature Iridescent Search

Samsung Developing 'Wide Fold' With iPhone Fold-Like Design Ahead of Apple's 2026 Launch

Tuesday December 23, 2025 11:55 am PST by
Samsung is working on a new foldable smartphone that's wider and shorter than the models that it's released before, according to Korean news site ETNews. The "Wide Fold" will compete with Apple's iPhone Fold that's set to launch in September 2026. Samsung's existing Galaxy Z Fold7 display is 6.5 inches when closed, and 8 inches when open, with a 21:9 aspect ratio when folded and a 20:18...
Read Full Article92 comments
iPhone SE Cosmopolitan Clean

Apple Discontinued These 25 Products This Year

Wednesday December 24, 2025 7:24 am PST by
With the end of 2025 near, the time has come to look back at the devices and accessories that Apple discontinued throughout the year. Most of the products that were discontinued this year were simply replaced by a new model with an updated chip. However, the iPhone SE line was entirely discontinued when the iPhone 16e launched, and the iPhone Plus line is being phased out. Below, we have...
Read Full Article13 comments

Top Rated Comments

amarcus Avatar
amarcus
179 months ago
Sloppy programming. This sort of information should be stored in the Keychain!
Score: 12 Votes (Like | Disagree)
bse3 Avatar
bse3
179 months ago
This has been a good week for the Apple security team

What does the security of the Facebook and Dropbox Apps have to do with the Apple Security Team? This is about lazy developers, not utilizing stuff that is there.
Score: 9 Votes (Like | Disagree)
Asclepio Avatar
Asclepio
179 months ago
Score: 6 Votes (Like | Disagree)
invalidname Avatar
invalidname
179 months ago
Sloppy programming. This sort of information should be stored in Keychain!

Exactly. Apple makes it very clear that any sensitive information goes in the Keychain. It's not the easiest API in the iOS SDK, but anyone getting paid to write apps should be able to muscle through it.

The other thing that's obscene about the Facebook app for iOS is that it caches every element of every web page you visit with the app. Check your usage and Facebook could easily be gobbling multiple GB. Details on my blog: Facebook for iOS Pigs Out (http://www.subfurther.com/blog/2012/03/20/facebook-for-ios-pigs-out/)
Score: 6 Votes (Like | Disagree)
S.B.G Avatar
S.B.G
179 months ago
I certainly hope these companies fix this ASAP. I don't use Facebook, so I'm alright there, but I do use Dropbox.

Agreed with someone above that this is sloppy programming. It still amazes me in this day that folks don't consider security when they create apps and such that require authentication.
Score: 6 Votes (Like | Disagree)
TallManNY Avatar
TallManNY
179 months ago
Every Facebook user should assume that their account can, will be and possibly already is hacked. The service is not secure. Facebook, as a company from the top down, does not believe in security and privacy anyway. Even unhacked, much of your data goes to every app that you connect to. Who knows what group is behind those apps when you connect initially. How about three years later? A failed Apps last asset before that company closes up shop is probably to sell their Facebook accounts. Some dorky game that you played five times three years ago might have changed hands a dozen times since you clicked on it. Every new entity buying that App got access to your account. Do you think Facebook is policing those entities?

The correct way to deal with this is to not have anything confidential or private on Facebook. It is designed for public consumption, which is fun and useful. It is not designed as a private storage site or private means of communication. All messages sent on Facebook should be considered public by the senders. Use it the right way, and don't worry about it being hacked anymore than someone looking up your name in the phone book.

Now Dropbox, that is another issue. That should be decently private. I suspect this will get fixed though.
Score: 5 Votes (Like | Disagree)
Read All Comments