iPhoneForums.Net News Team
- Jun 18, 2010
Macworld reports today on a new security hole that has been found in Facebook's mobile apps on both iOS and Android that could be exploited by those wanting to steal your personal information. According to a report in The Register, Facebook's mobile app does not encrypt a user's login details.

The hole was discovered by UK-based app developer Gareth Wright, who found the vulnerability while investigating app directories on his iPhone using a free tool. While looking around, he accidentally came across a Facebook access token in one of the games that he had installed on his iPhone. Wright copied the token's code, and then used it to get information from Facebook using Facebook Query Language. "Sure enough, I could pull back pretty much any information from my Facebook account," Wright said on his blog, meaning that anyone else could also do the same.

Wright was then intrigued enough to further investigate the Facebook app's inner workings, and said that he was shocked by what he found inside, which was essentially an unencrypted key giving anyone that had it total access to a Facebook account. "My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added," explained Wright.

After conducting even more thorough investigations into the security flaw, Wright informed Facebook of his discovery, and says that Facebook has told him that it is working on a fix. Wright has said, though, that even if Facebook does release a fix, users are still vulnerable to being attacked by a malicious person using the plain-text token stored by developers in their games' plists.
Source: Facebook security hole found on iPhone, Android devices | Macworld