安全研究人員加雷思·賴特“偶然發現”了一種讓一臺iOS或Android裝置認為自己登入了另一臺裝置的Facebook帳戶的方法。顯然，該方法也適用於Dropbox，即下一個Web報告。只要從你的iOS或Android裝置上複製一個“plist”並貼上到另一個裝置上的同一個目錄（使用像iExplorer這樣的免費Mac應用程式），任何人都可以輕鬆地讓Facebook和Dropbox（可能還有其他一些應用程式）認為他們就是你。就這麼簡單。Facebook就此事發表宣告：

Facebook's iOS and Android applicati*** are only intended for use with the manufacture provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device. We develop and test our application on an unmodified version of mobile operating systems and rely on the native protecti*** as a foundation for development, deployment and security, all of which is compromised on a jailbroken device. As Apple states, "unauthorized modification of iOS could allow hackers to steal personal information ... or introduce malware or viruses." To protect themselves we recommend all users abstain from modifying their mobile OS to prevent any application instability or security issues.

雖然Facebook的宣告似乎暗示你可能需要執行一個越獄或根裝置來實現這一點，但事實並非如此。即使你的iOS裝置沒有被越獄，並且上面有密碼，你的訪問令牌和OAuth金鑰都是可用的，這意味著任何人只要將這些檔案複製到他們的裝置上，就可以進入你的Facebook帳戶，以及任何使用你的板載Facebook憑據的應用程式（比如DrawSomething）。

因此，如果一個有惡意意圖的人進入你的裝置，Facebook承認他們可以刷你的訪問令牌。怎樣？因為Facebook將這些代幣儲存在未加密的純文字檔案中。雖然小偷在檢視你的電子郵件、聯絡人和銀行賬戶資訊之前搶奪你的Facebook代幣的情況不太可能發生，但駭客攻擊仍然存在。Next Web的Matthew Panzarino使用位於Facebook和Dropbox中的plists成功複製了Wright的實驗，並指出即使你沒有丟失**，你仍然可能處於危險之中：

If a program was running on a public computer, or if someone had modified a public charging station to siphon off the plain-text .plist file, they could theoretically gain access to that information, whether you're jailbroken or not.

儘管這兩種情況似乎都不太可能發生，但賴特並沒有那麼確信。他對特尼卡說：

The scenario is something that happens a lot at universities and workplaces as users charge their devices.

賴特告訴ZDnet，Facebook目前正在進行修複，但和往常一樣，如果你的裝置被盜，一個簡單的遠端擦除將減輕任何丟失資料的擔憂。他在自己的網站上給出了最後一句警告：

The biggest risk is from malware and viruses designed to slurp data from devices plugged into PC's, so despite what any other articles say; jailbroken or not you ARE vulnerable!

目前，請密切關註可疑的充電站。

更新：Dropbox已就此事發表宣告：

Dropbox's Android app is not impacted because it stores access tokens in a protected location. We are currently updating our iOS app to do the same. We note that the attack in question requires a malicious actor to have physical access to a user's device. In a situation like that, a user is susceptible to all sorts of threats, so we strongly advise safeguarding devices.