A security flaw was found in Facebook app for iOS & Android. It appears that Facebook’s iOS and Android clients don’t encrypt users’ logon credentials, leaving them in a folder that is accessible to other apps or USB connections.
According to a media report- A rogue application, or two minutes with a USB connection, are all that’s needed to lift the temporary credentials from either device. In the case of iOS, one can even lift the data from a backup, enabling the hacker to attach to a Facebook account and access Facebook applications for fun and profit.
The security hole was discovered by Gareth Wright, a UK-based developer of apps for iOS and Android devices.
The good thing however is that Facebook is aware of this vulnerability and is already working on a fix. Facebook said that the vulnerability affects jailbroken devices only but TheNextWeb claims otherwise. The technology site also discovered the same flaw in the popular file-syncing app Dropbox.
At the moment, it is unknown how long will Facebook take to release a fix or what customers should do in the meantime.
[Source]- The Register