Updated 4/3/2012 3:50:47 PM ET

Lurking in Facebook's app for iPhone and Android is a serious glitch that makes users' confidential login details easy to harvest, according to a new proof-of-concept hack.

Facebook's iOS and Android apps do not encrypt users' login credentials, and leave that critical information "languishing in a folder accessible to other apps or USB connections," The Register explained.

By gaining access to the victim's phone or by remotely deploying a rigged app, an attacker could exploit this loophole and make off with a target's sensitive data, including name, password and any other information stored within their Facebook account.


Register reader Gareth Wright developed a proof-of-concept hack to test out the vulnerability, and said he was able to siphon thousands of logins. He reported the problem to Facebook, and Facebook said it is currently working on a fix, but has not said how long it will take.

The Register pointed out that on iOS devices, Facebook's app stores a token, a string of alphanumeric text, directly on the phone. Unlike a typical iOS app token, which is valid only for 60 days, Facebook's iOS tokens are valid until Jan 1, 4001.

Wright's test hack only worked on jailbroken Apple devices, but, as The Register's Bill Ray wrote, it seems any Android application granted permission to "modify/delete SD Card" could do the same thing.

© 2012 SecurityNewsDaily. All rights reserved
