Macworld reports today on a new security hole that has been found in Facebook’s mobile apps on both iOS and Android that could be exploited by those wanting to steal your personal information. According to a report in The Register, Facebook’s mobile app does not encrypt a user’s login details.

The hole was discovered by UK-based app developer Gareth Wright, who found the vulnerability while investigating app directories in his iPhone using a free tool. While looking around, he accidentally came across a Facebook access token in one of the games that he had installed on his iPhone. Wright copied the token’s code, and then used it to get information from Facebook using Facebook Query Language. “Sure enough, I could pull back pretty much any information from my Facebook account,” Wright said on his blog, meaning that anyone else could also do the same.

Wright was then intrigued enough to further investigate the Facebook app’s inner workings, and said that he was “shocked” by what he found inside, which was essentially an unencrypted key giving anyone that had it total access to a Facebook account. “My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added,” explained Wright.

After conducting even more thorough investigations into the security flaw, Wright informed Facebook of his discovery, and says that Facebook has told him that it is working on a fix. Wright has said though that even if Facebook does release a fix, users are still vulnerable to being attacked by a malicious person using the plain text token stored by developers in their games’ plists.

Source: Facebook security hole found on iPhone, Android devices | Macworld