How to hack Facebook and other iOS apps using a plist extracted from iOS backups


Summary

This post details the step-by-step method required to extract a plist/OAuth token from a standard (non-encrypted) iTunes backup of any iOS device (iPod Touch, iPhone and iPad) and then copy it onto another device, which then logs in automatically using those credentials.

NOTE: The process outlined below will not work if you have iTunes set to encrypt your iOS backups. This method was confirmed as working as of 10th April 2012 using the latest iOS xxx and the current Facebook (v.4110.0), Dropbox (v1.4.6) and LinkedIn (v35) iOS apps. You do not need a jailbroken iPhone or iPad for this to work. I do not condone using the methods below to gain access to anybody’s accounts without their prior permission, and I hold no responsibility if using the information in this post lands you in trouble with your ex partner, current partner, your boss, the police, your kids, etc.

Background

In case you weren’t aware, a security flaw was found by Gareth Wright earlier this week that allows your Facebook login key to be copied from one iOS device to another, essentially allowing a third party access to your account without needing to know your account email address or password. The same vulnerability has also been found in Dropbox, LinkedIn, Tumblr, Vimeo and 1Password. At the time of writing, Dropbox have said they are going to address the problem, and 1Password have gone one step further: they have rewritten the way the user details are stored so this exploit cannot be used any more and have submitted the update to Apple for approval before it’s released. Facebook appear to dismiss the vulnerability, saying it is only really an issue if your device is jailbroken or you use a third-party app to access the files on your iOS device. WRONG! If you have ever connected your iOS device to iTunes via USB and iTunes has taken a backup of your device then you are at risk (unless you tick the box to encrypt your backups, in which case rest easy and don’t worry about anything written below). The plist file at the centre of this whole security flaw is copied to your computer by the iTunes backup; there is no third-party app extracting files, as Facebook suggests. Granted, you need a third-party app to access the file and place it onto another iOS device, but crucially the insecure file is copied to your computer during a normal iTunes backup.

What does this mean to most end users then? Probably not a lot, to be honest. If you only ever connect your iPhone or iPad to your own personal computer then there’s nothing to worry about, since the insecure file, locked away in the backup of your device, resides on your personal machine and nobody else can get to it easily. But in today’s modern and social society, the likelihood is that you have a computer you share with your wife, girlfriend, housemates or family, or you have been at a friend’s house with a low battery and connected your iPhone to give it a little extra juice. This is where things become a little more vulnerable: if the computer you connected your device to made a backup of it (remember a backup is always made when you update iOS via iTunes) then the crucial plist file containing your OAuth key for apps such as Facebook, Dropbox, LinkedIn and more now resides in that backup on that computer.

So if you currently share a computer with your partner and want to log into Facebook as them, you can if you follow the steps below. Likewise, if your ex-partner used to connect their iPhone or iPad to your computer but left you several months ago for somebody hotter, then you too can dip into their old backup on your computer and log into Facebook and other apps as them. [Again I re-iterate the moral/legal implications of such actions]

Step by Step Guide

Ok so how can you hack into somebody else’s Facebook using a file from their iOS backup? You’ll need two pieces of software:
1 – one to read the backup files and extract the plist file
2 – one to allow you to drag and drop plist files onto your current iOS device

Let us pretend you want to gain access to your ex-girlfriend’s Facebook account and you know that she used to connect her iPhone or iPad to your computer. The first thing to do is open up iTunes, go to Preferences and select the Devices icon along the top, which lists all device names that are backed up on your machine along with the date of each backup.

Hopefully your ex-girlfriend changed the name of her device to make identification in the list easier, but if you have several just named iPhone 4 or iPad then you may have to try them all, one at a time. In my case I’ll be demonstrating it with my girlfriend’s backup (she’s not an ex and I have her permission). Her name is Kim, and you can see a backup of her iPhone and iPad from April 2012, but these could be considerably older depending on when the device was last connected.

Right, so now you know you’ve got a backup from your ex’s phone, what next? You need to install an app that can extract files from inside the backup files created by iTunes. There’s a lot of software around that can do this, but the ones listed below are not only FREE, they are easy to use:

I don’t have access to a Windows machine to get screenshots for the next step, but I’m sure it’s pretty similar to the OS X method. Open up either iPhone Backup Browser or iPhone Backup Extractor. When you open up iPhone Backup Extractor on OS X it automatically finds the default folder that iTunes backs up iOS devices into, which is nice, but in case you are using a different app or iPhone Backup Browser doesn’t find the folder automatically, here is where you can normally find the backup files:

Windows XP
C:\Documents and Settings\user\Application Data\Apple Computer\MobileSync\Backup

Windows Vista & Windows 7
C:\Users\user\AppData\Roaming\Apple Computer\MobileSync\Backup

OS X
your_users_home_folder/Library/Application Support/MobileSync/Backup/


Select the backup you want to extract files from, in this case Kim iPhone, and then hit Choose.


Now you will see a list of applications that were present on that device at the time the backup took place. Look for the one that belongs to the app you want to “hack”; in this case let’s try Kim’s Facebook app, so I scroll down until I see com.facebook.Facebook and hit Extract.


You will now be prompted for somewhere to extract the data to. I just created a temporary folder called Test in my Documents and pointed it at that.

This then extracts the com.facebook.Facebook plist file to your local computer. Now go and open the folder you just extracted the com.facebook.Facebook files to.


If you look in com.facebook.Facebook/Library/Preferences you should hopefully see a com.facebook.Facebook.plist. This is the file that has the key to get into their Facebook profile on any iOS device.

You are now done with the iPhone Backup Explorer/Extractor application and can close it.

Important step: You need to completely exit the Facebook app on your iOS device before proceeding; logging out of Facebook via the app is not enough. You actually need to properly quit the app. Simple way? Restart your iOS device. Method two: press the home button to show the home screen. Now double-tap the home button to launch the recent apps bar, tap and hold on the Facebook icon in the bottom bar until they all wobble, and click the delete icon on the top left to quit the Facebook background app.

The next step is to copy the extracted plist file onto your current device. The following steps are the same whether you are using Windows or OS X.

Download iExplorer for Windows, Linux and OS X here: http://www.macroplant.com/iexplorer/ It’s FREE and a very handy app to have on your computer.

Once you have downloaded iExplorer, connect your current iPhone/iPad to your computer via USB, quit iTunes if it automatically pops up, and launch iExplorer. Your iPhone/iPad should show up in iExplorer and allow you to browse the contents of your device.


Navigate to the same folder on your device that you just extracted the plist file from. In the case of Facebook this is Apps/Facebook/Library/Preferences, and you should see your plist file in there. For good measure, take a backup of your own plist so you can restore it when you are done. I copied my plist to my Downloads folder temporarily.


Next, open up the folder where you saved the extracted plist (Documents/Test in my example) and drag and drop the plist file onto the iExplorer window so it drops into the Preferences folder, right on top of your existing com.facebook.Facebook.plist.


You should be prompted to replace an existing file. Click OK.

That’s it, done! Now go to your iPhone or iPad, relaunch Facebook and bask in your evilness as you are automatically logged in as your ex-girlfriend, wife, brother, sister, boss etc. to do as you please.

Disclaimer: This post is purely for informational purposes for those who want to see how the process works and how vulnerable apps such as Facebook are due to sloppy programming. If you want to protect yourself from having this happen to you then make sure you tick the option in iTunes to encrypt your iOS backups and avoid connecting your iOS device to any computers other than your own until the app developers re-write their apps to use keychain stores.
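The one setting that closes this off for an end user is the “Encrypt iPhone backup” tick box, so the useful check is whether any backup already sitting on a computer was taken without it. The script below is an added example, not part of the original post and not from any of the tools it links: it walks the MobileSync/Backup folder (the default paths listed above; the Windows path is derived from the APPDATA variable), reads each backup’s Info.plist for the device name and date and its Manifest.plist for the IsEncrypted flag, and reports every unencrypted backup. The two sample backups it builds for a dry run are constructed in a temporary folder; their folder names and device names are made up and are not real device identifiers.

```python
"""Audit an iTunes/MobileSync backup folder and flag backups taken without encryption."""
import os
import plistlib
import sys
import tempfile
from datetime import datetime

# Default backup folders per platform (as given in the post above). The user's
# home folder / APPDATA value is resolved at run time.
DEFAULT_BACKUP_DIRS = {
    "darwin": os.path.expanduser("~/Library/Application Support/MobileSync/Backup"),
    "win32": os.path.join(os.environ.get("APPDATA", ""), "Apple Computer", "MobileSync", "Backup"),
}


def audit_backup(backup_dir):
    """Describe one backup folder: device name, last backup date, encrypted flag.

    Info.plist carries 'Device Name' and 'Last Backup Date'; Manifest.plist
    carries the 'IsEncrypted' boolean that the iTunes tick box controls.
    Missing files leave the corresponding field as None.
    """
    result = {"path": backup_dir, "device": None, "date": None, "encrypted": None}
    info_path = os.path.join(backup_dir, "Info.plist")
    manifest_path = os.path.join(backup_dir, "Manifest.plist")
    if os.path.isfile(info_path):
        with open(info_path, "rb") as fp:          # plistlib reads XML and binary plists
            info = plistlib.load(fp)
        result["device"] = info.get("Device Name")
        result["date"] = info.get("Last Backup Date")
    if os.path.isfile(manifest_path):
        with open(manifest_path, "rb") as fp:
            manifest = plistlib.load(fp)
        result["encrypted"] = bool(manifest.get("IsEncrypted", False))
    return result


def audit_backups(root):
    """Audit every backup folder under root (one folder per device), sorted by folder name."""
    results = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if os.path.isdir(path) and os.path.isfile(os.path.join(path, "Manifest.plist")):
            results.append(audit_backup(path))
    return results


def unencrypted(results):
    """Only the backups whose manifest explicitly says they are not encrypted."""
    return [r for r in results if r["encrypted"] is False]


def make_sample_backups():
    """Build a constructed two-backup tree in a temp dir for a dry run (not a real backup)."""
    root = tempfile.mkdtemp(prefix="mobilesync-sample-")
    samples = [  # (made-up folder name, made-up device name, IsEncrypted)
        ("0123456789abcdef0123456789abcdef01234567", "Kim iPhone", False),
        ("fedcba9876543210fedcba9876543210fedcba98", "Work iPad", True),
    ]
    for folder, device, enc in samples:
        d = os.path.join(root, folder)
        os.mkdir(d)
        with open(os.path.join(d, "Info.plist"), "wb") as fp:
            plistlib.dump({"Device Name": device,
                           "Last Backup Date": datetime(2012, 4, 10, 9, 30)}, fp)
        with open(os.path.join(d, "Manifest.plist"), "wb") as fp:
            plistlib.dump({"IsEncrypted": enc}, fp)
    return root


def main(argv):
    # Usage: python audit_backups.py [backup_folder]   (or --sample for the constructed tree)
    if len(argv) > 1 and argv[1] == "--sample":
        root = make_sample_backups()
    else:
        root = argv[1] if len(argv) > 1 else DEFAULT_BACKUP_DIRS.get(sys.platform)
    if not root or not os.path.isdir(root):
        print("backup folder not found; pass it as the first argument")
        return 2
    results = audit_backups(root)
    for r in results:
        state = "ENCRYPTED" if r["encrypted"] else "UNENCRYPTED - tick 'Encrypt iPhone backup' in iTunes"
        print(f"{str(r['device']):20} {r['date']}  {state}")
    return 1 if unencrypted(results) else 0   # non-zero exit when something needs fixing


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments on the machine that holds the backups, or with `--sample` to see it act on the constructed tree. A non-zero exit code means at least one backup on that computer was taken with encryption off, which is exactly the state the rest of this post relies on.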

Notes:

  • You might be able to remove the access token via the Facebook web page, but the easiest way to ensure that your account cannot be accessed using this method is to simply change your Facebook password. This will instantly render all old plist files useless.
  • Normally, when you install the Facebook iOS app and log in for the first time from a new device, you get sent an email saying somebody has accessed your account, which would obviously alert the person you are logging in as to your actions. However, this alert is not sent when you access an account using a copied plist file, so nothing to worry about there then. Here is the email I get if I log into my Facebook account on a new iOS device I’ve not logged in from before.
  • Once again, note that the unsuspecting person whose plist file you are extracting from the backup knew nothing about this. They did not have a jailbroken iOS device nor did they use a third-party app; they simply connected their iOS device to a computer and iTunes made a backup of that device.


Thanks to Gareth Wright for finding the plist vulnerabilities and Satish B for his guide outlining how to extract files from iTunes iOS backups.


20 Responses to “How to hack Facebook and other iOS apps using a plist extracted from iOS backups”

  1. vasiloui says:

    i manage to do it only if the app was open and logged in as me…. i can see the other news feed roam into others friends etc…. but there that says the name of the owner it keeps says my name….. i can see my notifications and messages but roam the facebook as the victim….why? how it can be fixed and get full access???

  2. Three Areas to Test when Assessing Mobile Applications | IT Security says:

    [...] The author likes to call this a “plist hijack attack”.  Simply move the plist file to another mobile device and you are logged in as that user.  As for tools to use when looking for file system vulnerabilities you should really check out the forensic approach that John Sawyer from InGuardians has developed.  It’s my preferred method for seeing how the app writes to the file system and saves lots of time over creating a dd image. [...]

  3. How to Cheat iPhone Apps and Games (TinyTower, etc) - Just2us says:

    [...] is a really awesome tool for hackers. You could use it to hack most apps, including Facebook , Scramble with Friends, [...]

  4. Stephen A. Balaban says:

    One thing to note is that this requires an iPhone backup; which would imply physical access to some degree. If you don’t have physical security, you can’t expect to any security. Just don’t leave backups of your iPhone on random computers :).

  5. Sajid says:

    Pls help

    I have strong suspicion my wife Is cheating.
    I have no way of finding out.
    She uses wats app frequently and msgs get deleted both on whats app and her iPhone too.
    I have implied I suspect her but
    Ofcourse she says I’m nuts and I have nothing better
    To do.
    My mind is really messed up – I
    JUST WANT TO KNOW THE TRUTH.
    After reading your article on Hacking the Facebook account.
    I urge u to plsss help me access her iPhone.
    I no longer touch it as it just causes
    Arguments and fights :(
    CAN You help my Friend.?

    I used to be an extrovert and a

  6. col says:

    Having done this as a test, it does load the other profile on the new device but does not bypass the password. You still need the password to log?

  7. InfoSec Resources – iPhone Forensics—Analysis of iOS 5 backups: Video says:

    [...] supplying the username and password. More details about Facebook plist hijacking are documented at: http://blog.scoopz.com/2012/04/11/how-to-hack-facebook-dropbox-linkedin-and-other-ios-apps-using-a-p…Forensic analysis of backup files does not compromise the content on a live device. As a result of [...]

  8. Marc says:

    Any chance i can get someones password if they have logged in using facebook app on my ipad? Thanks

  9. iPhone Forensics – Analysis of iOS 5 backups : Video « SECURITYLEARN says:

    [...] Example: Facebook and LinkedIn iPhone applications store the authentication tokens and cookie values in plist files on the device. During backup, iTunes copies the plist files on the device to the backup folder. In such cases, analyzing the backup files gives access to the authentication tokens which in turn allows to log into the application without supplying the username and password. More details about Facebook plist hijacking are documented at – soopz blog [...]

  10. cnr. says:

    Tried with iOS 5.1.1 and Facebook 4.1.1, no success. Security update?

  11. iPhone Forensics – Analysis of iOS 5 backups : Video says:

    [...] Example: Facebook and LinkedIn iPhone applications store the authentication tokens and cookie values in plist files on the device. During backup, iTunes copies the plist files on the device to the backup folder. In such cases, analyzing the backup files gives access to the authentication tokens which in turn allows to log into the application without supplying the username and password. More details about Facebook plist hijacking are documented at – soopz blog [...]

  12. Facebook iOS application does not expire user's session on logout says:

    [...] and the password. More details about the problem is documented at – garethwright blog & scoopz blog. A sample Plist content is shown in the below [...]

  13. G says:

    This would be great, if only it worked…
    For me this only seems to load their login email address, but still prompts for the password. Has this been fixed by facebook now?

    Also is it possible to do something similar with a yahoo/hotmail account?

    Thanks.

  14. Kelly says:

    I’m not sure when the last time the linked programs were updated, so I’d also like to point out some more software to assist in reading iPhone backup data. Decipher Backup Browser (http://deciphertools.com) also translate the hashed (gibberish) backup file names into a readable structure, as well as translate some of the frequently-requested data (contacts, notes, voice memos) into a nicely viewable format.

    I hope this helps someone!

  15. user says:

    Please check this..

    http://www.securitylearn.net/2012/06/21/facebook-ios-app-does-not-expire-the-session-on-logout/

    some one used your finding to get 500$..

  16. Alessandra Vitali says:

    Is it possible to do the same procedure with Skype..?

    Thank You

  17. noim says:

    iphone 5 to iphone 4s doesn’t work..

  18. girl says:

    i did all steps, drag and drop also.
    but when i go into the app after doing all steps ans reopen it i just see my own profile. what went wrong

  19. Jen Miller says:

    Help. This site is awesome. I did everything and got the file onto the apple device. when I open up the facebook app it shows my husband’s profile (id) which i wanted, but asks me for a password. What did I do wrong?

  20. Question says:

    Is there a way to use the plist to authenticate on osx? maybe extract the id or something to be able to use with cookie editor for firefox?

    tldr: can i use the plist to access facebook from desktop?
