A vulnerability has been discovered in the iOS applications of Facebook, LinkedIn and Dropbox that allows sessions to be stolen simply by copying a configuration file from one device to another.
This can happen under various circumstances, the most obvious being theft of the device, which would compromise much more than access to an account. But it can also happen by connecting the device to a shared computer that is infected or set up to copy the information automatically, and even to a seemingly harmless charging station like those in airports and some public places.
The problem in iOS was discovered by Gareth Wright, who published all the information on his blog after contacting Facebook and receiving only the reply: "We are working to fix it. Thanks for contacting Facebook."
Days later Facebook posted on its security page that the vulnerability was only present on jailbroken devices; however, it was immediately shown that it affected everyone. On the other hand, according to comments from some users, the same thing is reportedly happening with the Facebook application for Android.
The same vulnerability in LinkedIn for iOS was discovered by Scoopz, a friend of Gareth, who also published all the information on his blog. The problem with Dropbox was detected by The Next Web; in this case the Android version is not vulnerable.
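The common thread in the three cases above is an app preferences file that stores the live session credential in the clear, so whoever can copy the file owns the session. The following audit script is an added example, not code from the article or from any of the apps mentioned: it walks an iOS-style .plist and flags values that look like plaintext session credentials. The key-name patterns and the sample file are constructed assumptions for illustration.

```python
import plistlib
import re
from typing import List

# Heuristic (assumption, not from the original article): key names that commonly hold session material.
SUSPECT_KEY_RE = re.compile(r"(token|session|cookie|secret|auth)", re.IGNORECASE)
# Values that look like opaque credentials: long runs of base64-, hex- or URL-safe characters.
OPAQUE_VALUE_RE = re.compile(r"^[A-Za-z0-9+/=_\-.]{24,}$")


def find_plaintext_credentials(plist_bytes: bytes) -> List[str]:
    """Return the key paths inside a .plist whose key name and value both look like a session credential."""
    data = plistlib.loads(plist_bytes)
    hits: List[str] = []

    def walk(node, path: str) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}/{key}")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
        elif isinstance(node, str):
            leaf_key = path.rsplit("/", 1)[-1]
            if SUSPECT_KEY_RE.search(leaf_key) and OPAQUE_VALUE_RE.match(node):
                hits.append(path)

    walk(data, "")
    return hits


# Constructed sample: a made-up app keeps its access token next to harmless settings.
SAMPLE_PLIST = plistlib.dumps({
    "theme": "dark",
    "lastSync": "2012-04-05",
    "account": {
        "user_id": "12345",
        "access_token": "AAACEdEose0cBAExampleConstructedTokenValue1234567890",
    },
})

# Constructed sample with no credential material, for comparison.
CLEAN_PLIST = plistlib.dumps({"theme": "dark", "lastSync": "2012-04-05"})

if __name__ == "__main__":
    for hit in find_plaintext_credentials(SAMPLE_PLIST):
        print("plaintext credential found at", hit)
```

Running the same scan over a device backup's app containers shows which apps would hand over a session to anyone who can copy their files; the fix on the app side is to keep such values in the Keychain with a device-bound protection class rather than in preferences.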
How to avoid having those files copied on iOS?
When you are charging your device on an unknown computer or charging station, do not use it! That is, do not enter your password while connected.
When a locked iOS device is connected to a computer for the first time, its files cannot be accessed until the user enters the unlock code. However, if it is connected to a computer and then unlocked, that computer will be able to access the data on the device from then on, even if the user later changes the password.
You can easily check this by connecting your iOS device to a computer you have already used it with: you can access it without unlocking it, even after changing the password. But if you connect it to a new PC, you will not be able to access it until you unlock it.
See also: Mobile and Twitter, when changing the password is not enough