How to hack Facebook and other iOS apps using a plist extracted from iOS backups

Facebook_Hack_Plist_OAuth_Backup_scoopz_com

Summary

This post details the step-by-step method required to extract a plist/OAuth token from a standard (non encrypted) iTunes backup of any iOS device (iPod Touch, iPhone and iPad) and then copy this onto another device to automatically log in using those creditials.

NOTE: The process outlined below will not work if you have iTunes set to encrypt your iOS backups. This method was confirmed as working as of 10th April 2012 using the latest iOS xxx and current Facebook (v.4110.0), Dropbox (v1.4.6) and LinkedIn (v35) iOS apps. You do not need to have a jailbroken iPhone or iPad for this to work. I do not condone using the methods below to gain access to anybody’s accounts without their prior permission, I hold no responsibility if using the information in this post lands you in trouble with your ex partner,  current partner, your boss, the police, your kids, etc.

Background

In case you weren’t aware a security flaw was found by Gareth Wright earlier this week that allows your Facebook login key to be copied form one iOS device to another and essentially allow a 3rd party access to your account without needing to know your account email address or password. The same vulnerability has also been found in Dropbox, LinkedIn, Tumblr, Vimeo and 1Password and was also exploited by companies offering to buy youtube views. At the time of writing this post, Dropbox have said they are going to address the problem and 1Password have gone one step further and rewritten the way the user details are stored so this exploit cannot be used anymore and have submitted the update to Apple for approval before it’s released. Facebook appear to dismiss the security vulnerability saying it is only really an issue if your device is jailbroken or you use a 3rd party app to access the files on your iOS device. WRONG! If you have ever connected your iOS device to iTunes via USB and iTunes has taken a backup of your device then you are at risk (unless you tick the box to encrypt your backups, in which case rest easy and don’t worry about anything written below). The plist file that is the centre of this whole security flaw is copied to your computer via iTunes backup, no third party app here extracting files as Facebook suggests. Granted you need a third party app to access the file and place it onto another iOS device but crucially, the insecure file is copied to your computer during a normal iTunes backup.

What does this mean to most end users then? Probably not a lot to be honest. If you only ever connect your iPhone or iPad to your own personal computer then there’s nothing to worry about since the insecure file, locked away in the backup of your device, resides on your personal machine and nobody else can get to it easily. But in today’s modern and social society, the likelihood is that you have a computer you share with your wife, girlfriend, housemates, family or you have been at a friends house with a low battery and connected your iPhone to give it a little extra juice. This is where things become a little more vulnerable, if the computer you connected your device to made a backup of your device (remember a backup is always made when you are updating the iOS via iTunes) then the crucial plist file with your OAuth key in for apps such as Facebook, Dropbox, LinkedIn and more now reside on that computer in that backup.

So if you currently share a computer with your partner and want to log into Facebook as them, you can if you follow the steps below. Likewise, if your ex-partner used to connect their iPhone or iPad to your computer but left you several months ago for somebody hotter, then you too can dip into their old backup on your computer and log into Facebook and other apps as them. [Again I re-iterate the moral/legal implications of such actions]

Step by Step Guide

Ok so how can you hack into somebody else’s Facebook using a file from their iOS backup? You’ll need two pieces of sofware:
1 – to read the backup files an extract the plist file
2 – to allow you to drag and drop plist files onto your current iOS device

Let us pretend you want to gain access to your ex-girlfriend’s Facebook account and you know that she used to connect her iPhone or iPad to your computer. The first thing to do is open up iTunes and go to Preferences and select the Devices icon along the top which lists all device names that are backed up on your machine along with date of the backup.Facebook_Hack_Plist_OAuth_Backup_scoopz_com

Continue reading “How to hack Facebook and other iOS apps using a plist extracted from iOS backups”

Recent queries:

  • Software retrieve email from facebook
  • ScoopzBlog New Reviews GuidesandSuuport
  • where does iphone store facebook password
  • facebook app get password
  • recover facebook app password on iphone
  • yhsm-inucbr_001

LinkedIn iOS app also vulnerable to plist identity theft

Following the recent findings by Gareth Wright about Facebook iOS app storing authentication keys in a plain text file that is easily accessible even on non-jailbroken devices (allowing it to simply be copied to another device to grant access to that account) we have just discovered the same security flaw is also present in the latest version of LinkedIn iPhone app and you can also easily extract these plist files from iTunes backups.

Using a free app (in this case iExplorer) to browse the contents of your iPhone if you navigate to Apps/LinkedIn/Library/Preferences you will find a file named com.linkedin.LinkedIn.plist and this is the file in question.

Simply copying the com.linkedin.LinkedIn.plist file from one device to another and then relaunching the LinkedIn app will automatically log the user is using the account details from the cloned plist file.

I “nabbed” a copy of Gareth Wright’s LinkedIn plist (he emailed it to me) and dropped it onto my own non-jailbroken iPhone and relaunched LinkedIn.

I was instantly into Gareth’s LinkedIn Profile, I could browse all his personal messages, invitations, contacts, edit his profile and even sent myself an invite to join his network! In my opinion, they should spend a little less on app marketing and more on security developments.

Here was my LinkedIn screen prior to copying the plist file over

and here it was after copying the plist and relaunching the app. At no point did it prompt me to re-enter my password or authenticate

I was able to navigate his LinkedIn profile without any issues, view all his messages, invitations, connections and even created an invitation and sent it to myself.

and here is the invitation I received

Best security practices for your iPhone/iPad

Basic Security – Everybody should at least do this

Turn on passcode lock and set a 4 digit numeric pin number.

Set it to only prompt for the pin number after 1 hour of inactivity.

Medium Security – For those who like to be extra careful

Turn off simple pascode and opt for a more secure alphanumeric password.

Set it to prompt for the password immediately so every time you pick up the device it prompts you for a password.

Turn restrictions on and go to location services, click find my ipad and make sure “status bar icon is off” so tell tale gps arrow doesnt show if you need to track your iOS device.

High Security – For the über paranoid

As per medium security above for the passcode.

Turn on Erase Data so if somebody tried to use the wrong passcode 10 times it wipes your device.

Turn Restrictions on and go to location section, make sure all the apps you use that need location services are turned on (disable any apps you dont think need to know you location)

Go to system services and disable Setting time zone, location based iAds, Diag and Usage (they just waste battery for now reason). Make sure status bar icon for system services is also OFF.

Make sure find ipad is ON and status bar icon is OFF.

and then select Dont allow changes. this greys out all location services so if your ipad ends up in the wrong hands and they took it from you whilst you were logged in (ie they dont need to get past your passcode). However, a clever thief who’s managed to take your ipad from your hands whilst you were logged would first try and disable location services, once they realise they cant the will then jump to deleting your iCloud or MobileMe account so you can’t use find my ipad, so you’ll want to stop them from being able to do that.

Go to restrictions–>Accounts–>click Don’t Allow Changes and now all the account options are greyed out.

This next step will seem non-sensical but if you want to make sure you can track your iOS device and get it back then make sure Erase data after 10 failed passwords is turned OFF. If it’s turned on and they try 10 passwords your iOS device wipes itself make it like a brand new iPad for them to play with and no way for you to track it.