A security flaw has recently been discovered in Facebook‘s mobile apps that can easily be exploited by hackers to retrieve personal information about any user. Facebook’s apps for iOS and Android do not encrypt the stored login credentials, which leaves users highly exposed.
According to Bill Ray, writing for The Register, “A rogue application, or two minutes with a USB connection, are all that’s needed to lift the temporary credentials from either device.”
The flaw was discovered by Gareth Wright, a UK-based iOS and Android developer, who says he came across it while browsing through some of the application directories on his iPhone with a free tool. While doing so, he found a Facebook access token in one of the games on his phone.
He copied the token and used it to pull information from Facebook through Facebook Query Language (FQL). “Sure enough, I could pull back pretty much any information from my Facebook account,” Wright wrote. The problem was that if he could access the information, then anyone who got hold of the token would have full access to the personal information of a Facebook account.
This discovery made him curious to explore the Facebook app itself further. Going through that app’s directory, he was shocked at what it contained.
Inside the app’s property list (known as a plist, a plain-text file containing a user’s settings) was an unencrypted key that gave an open door to complete access to the Facebook account.
To explore further, Wright sent his plist to a friend as an experiment. The friend substituted Wright’s plist for his own, and the results were surprising.
“My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added,” Wright wrote.
Wright then set out to demonstrate how hackers could acquire plists from the phone. He wrote proof-of-concept code that could infect PCs, software or even a speaker dock, and which would pick up the plist of any device it came into contact with (although, he noted, it could easily be adjusted to copy the lists). Within a week, more than 1000 plists had been found and counted, according to Wright.
Wright has informed Facebook of the flaw and has been told that the Facebook team is working on a fix. He also warned, however, that even once Facebook fixes its app, its members will remain susceptible to attack through the plain-text token that many developers store in their games’ plists.
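As an added illustration (not code from the article or from Wright), the following Python check parses an app preferences plist of the kind described above and flags values that look like credentials stored in plain text, the sort of pre-release audit a developer could run against their own app’s files. The sample plist, its key names and the token value are all constructed.

```python
import plistlib
import re

# Constructed sample plist of the kind the article describes: harmless
# settings next to an OAuth access token stored as plain text (all made up).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>theme</key><string>dark</string>
    <key>notifications</key><true/>
    <key>FBAccessToken</key>
    <string>AAAAxxxxCONSTRUCTED_SAMPLE_TOKEN_NOT_REAL_1234567890abcdef</string>
    <key>account</key>
    <dict>
        <key>user</key><string>alice</string>
        <key>session_secret</key><string>s3cr3t-constructed-value-000</string>
    </dict>
</dict>
</plist>
"""

# Key names that commonly hold credentials (case-insensitive), and long
# opaque strings that look token-like even under an innocent key name.
SENSITIVE_KEY = re.compile(r"(token|secret|password|passwd|session|auth)", re.I)
TOKEN_LIKE = re.compile(r"^[A-Za-z0-9_\-.=]{32,}$")


def find_plaintext_credentials(plist_bytes):
    """Return (key_path, value) pairs whose values look like stored credentials."""
    data = plistlib.loads(plist_bytes)
    hits = []

    def walk(node, path):
        # Recurse through dicts and arrays; only string leaves can hold a token.
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, path + [str(k)])
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, path + [f"[{i}]"])
        elif isinstance(node, str):
            key = path[-1] if path else ""
            if SENSITIVE_KEY.search(key) or TOKEN_LIKE.match(node):
                hits.append(("/".join(path), node))

    walk(data, [])
    return hits


if __name__ == "__main__":
    for path, value in find_plaintext_credentials(SAMPLE_PLIST):
        print(f"plaintext credential at {path}: {value[:8]}...")
```

Any hit means the value belongs in the platform keychain (or equivalent protected storage) rather than a settings file that can be copied off the device.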
This year Facebook’s Android app was named as one of many accused of spying on SMS messages on the phones it was installed on. Facebook denied the allegation, saying, “Although its apps request permission to receive, process and write text messages, as well as read those communications, the app doesn’t use those permissions.”