Security Flaw in Facebook for Android and iOS Devices is Self-Defeating

A security flaw has been discovered in Facebook for iOS and Android gadgets where one's Facebook identity can be stolen.

According to ZDNET, Gareth Wright, a UK-based app developer for Android and iOS has exposed a security hole in Facebook's mobile application which can be utilised to steal one's personal information.

The Facebook's mobile apps do not encrypt the login records, meaning the information can be easily swiped via a USB connection or by using a malicious code.

According to Gareth Wright, the hacker can take the property list file which stores the user settings. After backup of one's own plist, he/she can copy the victim's plist to his device. The hacker can then log into the victim's Facebook account and steals the user's personal information or use the apps.

Gareth Wright discovered the security hole when he started poking around in a few applications directories by using iexplorer and stumbled into a plain text Facebook access token in the popular Draw Something by OMG POP.

Draw Something requests offline access to one's account, so Wright copied the hash and tried testing a few FQL queries. Possibly, Wright could pull back pretty much any information from his Facebook account.

The tokens which will run out after 60 days, will be pretty enough for any hacker to steal the important and private credentials of the user. In addition, Wright discovered a bunch of cached images and the com.Facebook.plist. It contained not only the access token but full oAuth key and secret key in plain text.

Gareth Wright has stated five reasons for the attack:

[1] A hidden application which runs on shared PCs, any device which is plugged in to charge will have the plist copied.

[2] A recompile of an open source iPhone explorer like program with the extra code.

[3] A saved game editing tool with the additional code.

[4] A credit card sized hardware solution which just requires two seconds to copy the plist must have physical access to an iDevice.

[5] A modified speaker dock.

"Facebook are aware and working on closing the hole, but unless the app developers follow suit and start the process of encrypting 60 day access token which is supplied by Facebook," said Gareth Wright.