The Facebook iOS application does not expire the user's session upon logout. Facebook has fixed the vulnerability in the recent version, 5.0, so I am disclosing the complete details about the vulnerability in the post below. Facebook awarded me a $500 bounty for reporting this vulnerability.
The Facebook iOS application stores the user's authentication token and cookie values in a Plist file called com.facebook.Facebook.plist inside the /Library/Preferences/ folder under the application's home directory. This is a plain text file, and if someone gains access to the Plist file they can log into the Facebook application without supplying the username and password. More details about the problem are documented at the garethwright blog and the scoopz blog. A sample Plist content is shown in the image below.
Storing the authentication tokens in a Plist file is itself considered a big security problem. In addition, the Facebook application does not terminate the user's session token on the server upon logout. Instead it only removes the authentication token stored in the client-side Plist file. So after logout, if we copy back the old Plist file which held the user's authentication token, it will log into the application.
iTunes also stores the plain text Plist files in the iPhone backups. So if someone gains access to your old iTunes backups, it is very easy to get hold of your Facebook account, as the authentication token stored in the Facebook Plist file never expires.
Steps to verify the vulnerability:
1. Log into the Facebook iOS application.
2. Connect the iPhone to workstation over USB. Install iExplorer on the workstation and open it.
3. With iExplorer navigate to Facebook application preferences directory and copy the com.facebook.Facebook.plist file to a local drive.
4. On the iPhone, logout from the Facebook app.
5. After logout, if you open the app it will prompt for the credentials (username & password). At this point, if you look at the com.facebook.Facebook.plist file, it does not contain the authentication tokens.
6. From iExplorer, drag the copied com.facebook.Facebook.plist file to Facebook preferences folder.
7. Now if we open the Facebook iOS app, it will log you in without prompting for the credentials.
The sequence of steps listed above shows that clicking on the logout button does not terminate the user's session on the Facebook server.
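The root cause is a logout that only discards the client's copy of the token while the server keeps honouring it. The following is an added example, not code from the post or from Facebook, that models a minimal server-side session store and contrasts the flawed client-only logout with a logout that revokes the token on the server; the `SessionStore`, `Client` and all user names and tokens are constructed for the illustration. It also goes slightly beyond the post by showing token expiry and a "log out everywhere" revocation, which are the usual mitigations for leaked backups.

```python
"""Logout semantics modelled against one server-side token store.

Added example (not Facebook's code). Two logout variants are compared:
  - logout_client_only(): removes the client's copy of the token only,
    which is the behaviour the post describes.
  - logout_revoke(): invalidates the token on the server first.
A backed-up token is replayed after each logout to show the difference.
All identifiers here are constructed for the example.
"""
import secrets
import time
from typing import Callable, Dict, Optional


class SessionStore:
    """Minimal in-memory session table keyed by an opaque random token."""

    def __init__(self, ttl_seconds: int = 3600):
        self._sessions: Dict[str, dict] = {}
        self._ttl = ttl_seconds

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user_id, "expires": time.time() + self._ttl}
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user id if the token is live and unexpired, else None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if entry["expires"] < time.time():
            # Expired tokens are dropped so a leaked backup has a bounded lifetime.
            del self._sessions[token]
            return None
        return entry["user"]

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)

    def revoke_all_for_user(self, user_id: str) -> int:
        """Invalidate every session of a user ('log out everywhere')."""
        doomed = [t for t, e in self._sessions.items() if e["user"] == user_id]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


class Client:
    """Stand-in for the app's local preference file holding the token."""

    def __init__(self) -> None:
        self.stored_token: Optional[str] = None


def logout_client_only(client: Client, store: SessionStore) -> None:
    """Flawed logout: only the local copy of the token is removed."""
    client.stored_token = None


def logout_revoke(client: Client, store: SessionStore) -> None:
    """Correct logout: the server invalidates the token, then the client forgets it."""
    if client.stored_token is not None:
        store.revoke(client.stored_token)
    client.stored_token = None


def replay_after_logout(logout: Callable[[Client, SessionStore], None]) -> bool:
    """Log in, keep a copy of the token, log out via `logout`, restore the copy,
    and report whether the server still accepts the restored token."""
    store = SessionStore()
    client = Client()
    client.stored_token = store.create("alice")
    backup = client.stored_token       # the copied preference file
    logout(client, store)
    client.stored_token = backup       # the copy is put back after logout
    return store.validate(client.stored_token) is not None


if __name__ == "__main__":
    print("client-only logout, replayed token accepted:", replay_after_logout(logout_client_only))
    print("server-side revoke, replayed token accepted:", replay_after_logout(logout_revoke))
```

With the client-only logout the replayed token is still accepted, which is exactly what the Plist copy demonstrates; with server-side revocation the same replay is rejected. Bounding token lifetime and offering a revoke-all action limit the damage from tokens recovered out of old backups.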
I reported the problem to Facebook on 16-Jun-2012. On 26-Jun-2012 they replied to me asking for more details. The funny thing is "they were unable to locate the Plist file" :). Facebook fixed the problem on 23-Aug-2012.