The Facebook iOS application does not expire the user's session upon logout. Facebook has fixed the vulnerability in the recent version, 5.0, so I am disclosing the complete details of the vulnerability in the post below. Facebook awarded me a $500 bounty for reporting it.
The Facebook iOS application stores the user's authentication token and cookie values in a Plist file called com.facebook.Facebook.plist inside the /Library/Preferences/ folder under the application's home directory. This is a plain-text file, and anyone who gains access to it can log into the Facebook application without supplying the username and password. More details about the problem are documented on the garethwright blog and the scoopz blog. Sample Plist content is shown in the image below.
Storing authentication tokens in a Plist file is itself a serious security problem. In addition, the Facebook application does not terminate the user's session token on the server upon logout; it only removes the authentication token stored in the client-side Plist file. So if, after logout, we copy back the old Plist file that held the user's authentication token, it logs into the application again.
iTunes also stores these plain-text Plist files in iPhone backups. So if someone gains access to your old iTunes backups, it is very easy for them to take over your Facebook account, because the authentication token stored in the Facebook Plist file never expires.
Steps to verify the vulnerability:
1. Log into the Facebook iOS application.
2. Connect the iPhone to a workstation over USB. Install iExplorer on the workstation and open it.
3. In iExplorer, navigate to the Facebook application's preferences directory and copy the com.facebook.Facebook.plist file to a local drive.
4. On the iPhone, log out of the Facebook app.
5. After logout, if you open the app it prompts for credentials (username and password). At this point, com.facebook.Facebook.plist no longer contains the authentication tokens.
6. In iExplorer, drag the copied com.facebook.Facebook.plist file back into the Facebook preferences folder.
7. Now open the Facebook iOS app: it logs you in without prompting for credentials.
The sequence of steps above shows that tapping the logout button does not terminate the user's session on the Facebook server.
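To make the failure mode concrete, here is a small model of the flow in the seven steps above, written for this post and not taken from the Facebook app or its servers. The plist key name (AuthToken), the token format and the toy credentials are assumptions; the point it demonstrates is the difference between a logout that only wipes the client-side plist and one that also revokes the session on the server.

```python
"""Model of the logout flaw: the client deletes its stored token from the
preferences plist, but the server keeps the session alive, so a copy of the
old plist logs straight back in.  Added example, not Facebook code; the plist
key, the token format and the credentials are assumptions."""
import plistlib
import secrets


class SessionServer:
    """Toy server-side session store: token -> user."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, password):
        # Constructed model: any password is accepted, a random token is issued.
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    def is_valid(self, token):
        return token in self._sessions

    def revoke(self, token):
        self._sessions.pop(token, None)


class Client:
    """Toy iOS client that persists its session token in a preferences plist."""

    PLIST_KEY = "AuthToken"  # assumed key name, not the real plist schema

    def __init__(self, server):
        self.server = server
        self.plist = plistlib.dumps({})  # serialized plist bytes, as on disk

    def login(self, user, password):
        token = self.server.login(user, password)
        self.plist = plistlib.dumps({self.PLIST_KEY: token})

    def _token(self):
        return plistlib.loads(self.plist).get(self.PLIST_KEY)

    def is_logged_in(self):
        token = self._token()
        return token is not None and self.server.is_valid(token)

    def logout_client_only(self):
        """Vulnerable logout: forget the token locally, tell the server nothing."""
        self.plist = plistlib.dumps({})

    def logout_revoking(self):
        """Fixed logout: revoke the session server-side, then discard the local copy."""
        token = self._token()
        if token is not None:
            self.server.revoke(token)
        self.plist = plistlib.dumps({})


def replay_after_logout(fixed):
    """Walk through the steps from the post; return True if the copied plist
    still logs the user in after logout."""
    server = SessionServer()
    client = Client(server)
    client.login("alice", "correct horse")          # step 1
    stolen_plist = client.plist                      # step 3: copy the plist out
    if fixed:
        client.logout_revoking()                     # step 4, fixed behaviour
    else:
        client.logout_client_only()                  # step 4, vulnerable behaviour
    assert not client.is_logged_in()                 # step 5: app asks for credentials
    client.plist = stolen_plist                      # step 6: drag the old plist back
    return client.is_logged_in()                     # step 7


if __name__ == "__main__":
    print("client-only logout, replay succeeds:", replay_after_logout(fixed=False))
    print("revoking logout, replay succeeds:   ", replay_after_logout(fixed=True))
```

With the client-only logout the replayed plist is accepted, which is exactly what steps 6 and 7 show; with the revoking logout the same plist is rejected because the token no longer exists on the server. The check a practitioner wants from any mobile app is the second one: capture the token before logout, replay it against the API afterwards, and expect a rejection.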
I reported the problem to Facebook on 16-Jun-2012. On 26-Jun-2012 they replied asking for more details; the funny thing is that they "were unable to locate the Plist file". Facebook fixed the problem on 23-Aug-2012.
a
September 11, 2012 at 10:39 pm
I'm new to this sort of app... does this app connect to a web server? Or how does it work?
Interesting anyway... basically it's similar to the web app vulns... probably the devs were inspired from there :)))
Vulnerability in the Facebook iOS client storing the session locally | SecMobi
September 23, 2012 at 9:11 am
[...] A researcher found that the Facebook iOS client stores the authentication token and cookie values from the user's last login in a Plist file on the device. If an attacker can read these plist files and obtain the cached values, they can log into the user's Facebook account. Facebook has confirmed and fixed this vulnerability. Details can be found here. This entry was posted by Claud in the News category. Bookmark the permalink. [...]