The problem is that Facebook’s app for iOS and Android devices doesn’t encrypt your login credentials, making them a sitting duck for bad apps or a poisoned USB connection.
“A rogue application, or two minutes with a USB connection, are all that’s needed to lift the temporary credentials from either device,” Bill Ray wrote in The Register.
The security hole was discovered by Gareth Wright, a UK-based developer of apps for iOS and Android devices.
Wright, writing in a blog post, says he discovered the flaw while poking around some of the application directories on his iPhone with a free tool made for that purpose. In the course of his prodding, he discovered a Facebook access token in one of the games on his phone.
After copying the token’s code, he used it to extract information from Facebook using the Facebook Query Language. “Sure enough, I could pull back pretty much any information from my Facebook account,” he wrote. And if he could do that, anyone who snatched one of those tokens could do it, too.
Wright’s experience with the token stirred his curiosity about the Facebook app itself. Poking around in that app’s directory, he observed, “What was contained within was shocking.” Inside the app’s plist—a plain text file containing a user’s settings—there was an unencrypted key that gave whoever had it full access to a Facebook account.
As an experiment, Wright sent his plist to a friend. The friend substituted Wright’s plist for his own.
“My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added,” Wright wrote.
Ever the scientist, Wright decided to illustrate how a hacker could harvest plists from phones. He wrote some code that could be used to infect PCs, software, even a speaker dock. The code counted the plists of any device it came in contact with—although it could be easily tweaked to copy the lists.
Over the course of a week, more than 1,000 plists were located and counted, Wright wrote.
The developer has informed Facebook of the flaw, and the social networking giant told him it is working on a fix. But, he noted, even if Facebook plugs the hole in its own app, its members remain vulnerable through the plain-text tokens that many developers store in their games’ plists.
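The weakness described above, both in the Facebook app's own plist and in the plists of third-party games, is a credential kept in a plain-text settings file. As an added illustration from the developer's side (not code from the article, from Wright, or from Facebook), the following Python script parses a property-list file with the standard library's plistlib and flags strings that sit under credential-looking key names or that have the length and entropy of an opaque token. The sample plist, the key names (FBAccessTokenKey, Networking.ResponseCache) and the token values are constructed for this example; the article does not name the key Facebook's app used.

```python
"""Audit an app's property-list (plist) file for credentials stored in plain text.

Illustrative audit script; the sample plist below is constructed and the key
names and token values are hypothetical, not taken from any real app.
"""
import math
import plistlib
import re
from collections import Counter

# Key names that commonly hold credentials (heuristic, not exhaustive).
SENSITIVE_KEY = re.compile(r"(token|secret|password|passwd|credential|session|auth)", re.I)
# Long strings made only of characters typical of opaque tokens.
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9_\-.|]{32,}$")
ENTROPY_THRESHOLD = 3.5  # bits per character; random-looking tokens score higher


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _walk(node, path, findings):
    """Recursively visit a parsed plist and record suspicious string values."""
    if isinstance(node, dict):
        for key, value in node.items():
            _walk(value, path + [str(key)], findings)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            _walk(value, path + [f"[{index}]"], findings)
    elif isinstance(node, str):
        key = path[-1] if path else ""
        if node and SENSITIVE_KEY.search(key):
            findings.append((".".join(path), "credential-looking key holds a plain-text string"))
        elif TOKEN_SHAPE.match(node) and shannon_entropy(node) > ENTROPY_THRESHOLD:
            findings.append((".".join(path), "high-entropy opaque string"))


def find_plaintext_secrets(plist_bytes: bytes):
    """Return a list of (key path, reason) for every suspicious string in the plist."""
    findings = []
    _walk(plistlib.loads(plist_bytes), [], findings)
    return findings


# Constructed sample: an app settings file with a token under a named key and a
# second, unlabelled token buried inside a nested cache dictionary.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>FBAccessTokenKey</key>
    <string>AAAConstructedExampleToken0123456789abcdefXYZ</string>
    <key>FBExpirationDateKey</key>
    <date>2012-06-01T00:00:00Z</date>
    <key>UserDisplayName</key>
    <string>Example User</string>
    <key>AppleLanguages</key>
    <array>
        <string>en</string>
    </array>
    <key>Networking</key>
    <dict>
        <key>ResponseCache</key>
        <string>k3Z9aQ1xW7pL4mT0cR8vB5nJ2yH6dFsG</string>
    </dict>
</dict>
</plist>
"""

# Constructed sample with only harmless preferences, used as a negative case.
CLEAN_PLIST = plistlib.dumps({"AppleLanguages": ["en"], "UserDisplayName": "Example User"})


if __name__ == "__main__":
    for key_path, reason in find_plaintext_secrets(SAMPLE_PLIST):
        print(f"{key_path}: {reason}")
```

Run against a copy of the app's own plist files, the script prints each key path that holds a plain-text credential. The fix on iOS is to keep such tokens in the Keychain rather than in NSUserDefaults or any file in the app sandbox, and the entropy heuristic exists so that a token stashed under an innocuous key name still surfaces in the audit.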
Earlier this year, the Facebook Android app was cited as one of several that spied on SMS messages created on the phones it was installed on. Facebook denied that accusation. Although its app requests permissions to receive, process and write text messages as well as read those communications, the app doesn’t use those permissions, Facebook said.