Login security fail: Facebook, LinkedIn, Dropbox apps all store passwords in plaintext

LinkedIn and Facebook have previously been hit with password security breaches, and now Dropbox has been having its own week of security woes. This seems to be prompting many of the company’s users to utter the following:

Lately there seem to be all kinds of reports about apps and websites that are not taking password security seriously. There was the Week of Leaks not too long ago, where hackers hit several popular websites and posted password dumps for millions of users.

To those of us in the security industry, password security seems like Security 101, but many companies are still not getting this right. It’s so simple: Do not store or transmit passwords in plain text. Ever. Seriously.

The latest apps to be hit with this are LinkedIn, Facebook and Dropbox on iOS devices. If I were inclined towards betting, I would put my money on these not being the only three major vendors to be named. Your password can be copied either if someone gets physical access to your device or if you plug it into a public computer. This works on any iOS device, not just jailbroken ones. To minimize this threat, use the password lock option and do not plug your iDevice into any public computer. Both Facebook and Dropbox will have updates for this shortly, so keep an eye out for that.