Macworld reports today on a security hole in Facebook’s mobile apps for both iOS and Android that could be exploited by anyone wanting to steal your personal information. According to a report in The Register, the Facebook app does not encrypt the user’s login credentials: the access token the app uses to talk to Facebook’s servers is written to the device’s storage in plain text.

The hole was discovered by UK-based app developer Gareth Wright, who found it while browsing the app directories on his iPhone with a free tool. The same files are readable by anyone who can get at the device’s file system, so the token is exposed to whoever gets hold of the phone or its contents. While looking around, he came across a Facebook access token in the property list (plist) of one of the games he had installed. Wright copied the token and used it to pull information from Facebook with Facebook Query Language (FQL). “Sure enough, I could pull back pretty much any information from my Facebook account,” Wright said on his blog, meaning that anyone else holding the token could do the same.

Intrigued, Wright then looked into the inner workings of Facebook’s own app and said he was “shocked” by what he found inside: an unencrypted token that gives anyone who has it full access to the associated Facebook account. “My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added,” explained Wright.

After investigating the flaw more thoroughly, Wright informed Facebook of his discovery, and says Facebook has told him it is working on a fix. Wright has cautioned, though, that a fix to Facebook’s app alone does not end the exposure: third-party games and apps that integrate with Facebook store the same plain text token in their own plists, and a malicious person who obtains one of those copies can still use it.
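The practical check that follows from the above is to look inside an app’s property list files for a credential sitting in the clear. The script below is an added example, not code from the original article or from Facebook’s SDK: it parses a plist (XML or binary) with Python’s standard `plistlib`, walks every leaf, and flags entries whose key name suggests a credential or whose value is a long, high-entropy opaque string of the kind an access token is. The sample plist, its key names (including `FBAccessTokenKey`) and the token value are constructed for illustration and do not come from a real device.

```python
"""Audit an app's property list for plaintext credentials.

Added example; not code from the article or from Facebook's SDK.
The key names and sample plist below are constructed for illustration.
"""
import datetime
import math
import plistlib
import re
from typing import Any, Iterator

# Key-name fragments that commonly mark a stored credential.
SUSPECT_KEY_WORDS = ("token", "secret", "password", "session", "credential")

# Opaque strings this long and this mixed are rarely user-facing data.
MIN_TOKEN_LEN = 32
MIN_ENTROPY_BITS = 3.5  # bits per character; base62-style tokens score well above this

_OPAQUE = re.compile(r"^[A-Za-z0-9_\-|.=+/]{%d,}$" % MIN_TOKEN_LEN)


def shannon_entropy(s: str) -> float:
    """Estimate bits of entropy per character from the character histogram."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def walk(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted path, leaf value) for every leaf in a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node


def looks_like_token(value: Any) -> bool:
    """True for a long opaque string with enough entropy to be a secret."""
    return (isinstance(value, str)
            and _OPAQUE.match(value) is not None
            and shannon_entropy(value) >= MIN_ENTROPY_BITS)


def find_plaintext_credentials(plist_bytes: bytes) -> list[tuple[str, str]]:
    """Return (path, reason) for every leaf that looks like a stored credential.

    A leaf is reported when its key name contains a credential-like word and
    holds a non-empty string, or when the value itself is a long high-entropy
    opaque string regardless of what the key is called.
    """
    data = plistlib.loads(plist_bytes)  # accepts both XML and binary plists
    findings: list[tuple[str, str]] = []
    for path, value in walk(data):
        key = path.rsplit(".", 1)[-1].lower()
        if any(w in key for w in SUSPECT_KEY_WORDS) and isinstance(value, str) and value:
            findings.append((path, "credential-like key name"))
        elif looks_like_token(value):
            findings.append((path, "high-entropy opaque value"))
    return findings


# Constructed sample: what a game's preferences file might look like after the
# app cached a Facebook session in the clear. Key names are hypothetical.
SAMPLE_TOKEN = "AAACEdEose0cBAKu9EXAMPLEfZCZBf1aX4q7ZCJtbfvnK2hvGpRzt0nY8mZBLOh2ZAdk"
SAMPLE_APP_PLIST = plistlib.dumps({
    "PlayerName": "gareth",
    "HighScore": 1200,
    "SoundEnabled": True,
    "FBAccessTokenKey": SAMPLE_TOKEN,
    "FBExpirationDateKey": datetime.datetime(2012, 6, 5, 12, 0, 0),
    "Friends": [{"id": "100001234567890", "name": "Alice"}],
})


if __name__ == "__main__":
    for path, reason in find_plaintext_credentials(SAMPLE_APP_PLIST):
        print(f"{path}: {reason}")
```

Run against a real container you would feed it every `.plist` under the app’s `Library/Preferences` and `Documents` directories; the point of the entropy rule is to catch a token that has been cached under an innocuous key name, which the key-name rule alone would miss. The correct fix on the app side is to keep the token in the platform keychain rather than in a plist, which this check does not perform, it only finds the exposure.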
Source: Facebook security hole found on iPhone, Android devices | Macworld