A serious bug was recently discovered in the Facebook and Dropbox applications on iOS and Android that could allow users' private information to be stolen. A malicious individual could install a program on a public computer or charging station to gain access to connected devices and pull private data from users of these apps.
The flaw with these applications is that they store your private data as plain text, without any encryption. If the data is accessed, it’s an open book for the individual to read and do with as they choose.
Facebook issued a statement claiming that this would be a problem only for devices with modified firmware, but that was quickly proven to be untrue. As it turns out, any device that is connected to a public machine could have data stolen, regardless of whether the firmware is modified or not. Most of the testing of this flaw has taken place on iOS devices, but many people are reporting that it is an issue on Android as well.
Keep in mind that when you connect your device to a public computer or charging station, the file containing this data can be stolen even if your device has a passcode lock on it. Facebook is aware of the issue and should be working on a fix.
A Dropbox spokesperson also issued a statement:
“Dropbox’s Android app is not impacted because it stores access tokens in a protected location. We are currently updating our iOS app to do the same. We note that the attack in question requires a malicious actor to have physical access to a user’s device. In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices.”
If you are a user of the Facebook or Dropbox apps, you do not need to worry. Simply refrain from connecting your devices to public machines until updates for the apps are released.