TUCoPS :: Phreaking Cellular - Major Manufacturers :: bu-1781.htm

Session Hijacking iPhone Facebook Application ver 3.1.2
e-Sentinel Security Advisory - Ref: Session Hijacking iPhone Facebook Application ver 3.1.2



Tested on
iPhone firmware version 3.1.2
Facebook App version 3.1.2

Impact
It is possible to hijack valid session IDs and gain unauthorised access to Facebook profiles. Jailbroken handsets are at the greatest risk.
=0D
Description
Using known vulnerabilities and exploits to gain remote or direct access to the handset's file system, an attacker can copy the files:

/private/var/mobile/Applications//Library/Preferences/com.facebook.Facebook.plist

/private/var/mobile/Applications//Library/Cookies/Cookies.plist

The session credentials in these files are not bound to the device. Once the files are copied on to a separate handset, the attacker can use the victim's Facebook account unhindered, without ever learning the password.
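The point of the advisory is that the session lives entirely in a file that any process with file-system access can read. The script below is added here as an illustration and is not part of the e-Sentinel advisory: it parses a Cookies.plist offline with Python's standard plistlib, lists the cookies that would still authenticate to facebook.com at a given time, and builds the Cookie header an attacker would replay from the copied file. The plist content is constructed for the example; the key names (Name, Value, Domain, Path, Expires, Created) follow the layout of iOS Cookies.plist of that era but are treated as an assumption, and the cookie values are dummies.

```python
"""Added example, not code from the e-Sentinel advisory: audit an iOS-style
Cookies.plist offline and show what a copied file gives an attacker.

Assumptions: the plist is an array of dicts keyed Name/Value/Domain/Path/
Expires/Created (iOS 3.x layout); the sample below is constructed.
"""
import plistlib
from datetime import datetime, timezone

# Constructed sample in XML plist form. Dates are UTC; plistlib returns them
# as naive datetime objects. Values are dummy strings, not real tokens.
SAMPLE_COOKIES_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>Created</key><real>1262304000</real>
    <key>Domain</key><string>.facebook.com</string>
    <key>Expires</key><date>2011-01-01T00:00:00Z</date>
    <key>Name</key><string>c_user</string>
    <key>Path</key><string>/</string>
    <key>Value</key><string>100000000001</string>
  </dict>
  <dict>
    <key>Created</key><real>1262304000</real>
    <key>Domain</key><string>.facebook.com</string>
    <key>Expires</key><date>2011-01-01T00:00:00Z</date>
    <key>Name</key><string>xs</string>
    <key>Path</key><string>/</string>
    <key>Value</key><string>1%3Aabcdef0123456789%3A2</string>
  </dict>
  <dict>
    <key>Created</key><real>1230768000</real>
    <key>Domain</key><string>.facebook.com</string>
    <key>Expires</key><date>2009-06-01T00:00:00Z</date>
    <key>Name</key><string>datr</string>
    <key>Path</key><string>/</string>
    <key>Value</key><string>expired-token</string>
  </dict>
  <dict>
    <key>Created</key><real>1262304000</real>
    <key>Domain</key><string>.apple.com</string>
    <key>Expires</key><date>2012-01-01T00:00:00Z</date>
    <key>Name</key><string>s_vi</string>
    <key>Path</key><string>/</string>
    <key>Value</key><string>unrelated</string>
  </dict>
  <dict>
    <key>Created</key><real>1262304000</real>
    <key>Domain</key><string>.facebook.com</string>
    <key>Name</key><string>lsd</string>
    <key>Path</key><string>/</string>
    <key>Value</key><string>AVpN3kR0</string>
  </dict>
</array>
</plist>
"""

# Constructed "time of audit", chosen so the expired entry is clearly stale.
REFERENCE_TIME = datetime(2010, 1, 15)


def load_cookies(plist_bytes):
    """Parse a Cookies.plist (XML or binary; plistlib autodetects) into cookie dicts."""
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, list):
        raise ValueError("Cookies.plist should be a plist array of cookie dicts")
    return [c for c in data if isinstance(c, dict) and "Name" in c and "Value" in c]


def domain_matches(cookie_domain, host):
    """'.facebook.com' covers facebook.com itself and any subdomain, nothing else."""
    d = cookie_domain.lower().lstrip(".")
    h = host.lower()
    return h == d or h.endswith("." + d)


def live_cookies(cookies, host, now):
    """Cookies scoped to host that have not expired at `now` (naive UTC).

    A cookie with no Expires key is treated as still live: there is nothing
    in the file that would stop a replay.
    """
    out = []
    for c in cookies:
        if not domain_matches(c.get("Domain", ""), host):
            continue
        exp = c.get("Expires")
        if isinstance(exp, datetime) and exp <= now:
            continue
        out.append(c)
    return out


def cookie_header(cookies):
    """The Cookie: request header an attacker could send from a copied file."""
    return "; ".join(f"{c['Name']}={c['Value']}" for c in cookies)


def session_report(plist_bytes, host="facebook.com", now=None):
    """Summarise what the file exposes for `host` at time `now`."""
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    cookies = load_cookies(plist_bytes)
    live = live_cookies(cookies, host, now)
    return {
        "total": len(cookies),
        "live_for_host": [c["Name"] for c in live],
        "replay_header": cookie_header(live),
    }


if __name__ == "__main__":
    print(session_report(SAMPLE_COOKIES_PLIST, now=REFERENCE_TIME))
```

Run against a real Cookies.plist pulled from a backup or a jailbroken device, the same parser tells a defender how long the stored cookies remain usable: the Expires dates are the only thing bounding the attacker's window, and nothing in the file ties a cookie to the handset it was issued to.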
=0D
Exploit
Known vulnerabilities can be used to gain access to the iPhone's file system; after that no exploit code is required, since copying the two files is sufficient.

Workaround/Fix
No fix is known. To reduce the risk, users should avoid jailbreaking their handsets.
