Facebook allows its authentication credentials to be stored in plain text within its mobile applications, giving an attacker who knows where to look complete control over a user's Facebook account.
Security researcher Gareth Wright noted the vulnerability and alerted Facebook. But he also created proof-of-concept hacks that included hidden apps that could run on a PC or iPhone, and even a hardware dongle that could be made to look like the mobile-device charging stations that have become more common in airports and other public places.
The Facebook mobile app stores a program list, or plist, of application settings in plain text, Wright noted. Specifically, the OAuth key and secret are listed in plain text within the Facebook application directory, he wrote.
That might seem rather obscure, but Wright then emailed the plist to a friend, who had logged out of his own Facebook account. The friend, nicknamed "Scoopz," then removed his own plist, and replaced it with Wright's own.
"My jaw dropped as over the next few minutes I watched posts appear on my wall, private messages sent, webpages liked and applications added," Wright wrote. "Scoopz then opened Draw Something on his iPad which logged him straight into my account where he sent some pictures back to my friends. Even after restoring his own plist he still gets notifications for my games."
Wright said that he harvested over 1,000 plists over the course of a week, although he copied no data.
Wright said that Facebook has been made aware of the vulnerability and is closing the hole. Facebook representatives did not immediately respond to requests for comment. The most recent update to the Facebook iOS application was on April 2, the day before Wright authored his post. That Facebook update added support for the new iPad's Retina display, among other things.
A separate issue, Wright noted, is that the Facebook plain-text access tokens are made available to other application providers, and only expire after 60 days. Wright found that the token, which he discovered in the OMGPOP/Zynga hit Draw Something, expired in 60 days. That meant an app that used Facebook as an authorization tool could pull his email address and marketing information.
The plist, the main focus of Wright's concern, had an expiration date of Jan. 1, 4001.
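One check a mobile-app developer or auditor can run against their own app's data container, as an added example that is not from the original article or from Facebook's code: parse a plist, flag credential-looking values stored in the clear, and flag expiry dates far beyond the 60-day token lifetime the article mentions. The plist contents and key names below are constructed for the example.

```python
"""Audit an app-settings plist for plaintext credentials and far-future expiry dates."""
import plistlib
import re
from datetime import datetime, timedelta

# Constructed sample plist: key names and values are made up for this example
# and do not reproduce the real Facebook plist described in the article.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>OAuthAccessToken</key><string>EXAMPLE_TOKEN_abc123</string>
  <key>OAuthSecret</key><string>EXAMPLE_SECRET_xyz789</string>
  <key>OAuthExpirationDate</key><date>4001-01-01T00:00:00Z</date>
  <key>ThemeColor</key><string>blue</string>
  <key>LastSyncDate</key><date>2012-04-03T12:00:00Z</date>
</dict>
</plist>
"""

# Key names that suggest a credential; tune this list for the app under review.
CREDENTIAL_KEY_RE = re.compile(r"token|secret|passw|apikey|api_key", re.IGNORECASE)
# Longest token lifetime considered acceptable here: the 60 days the article cites.
MAX_TOKEN_LIFETIME = timedelta(days=60)


def _walk(node, path=""):
    """Yield (key path, leaf value) pairs for every leaf in a nested plist object."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}/{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, node


def audit_plist(data: bytes, now: datetime) -> dict:
    """Return plaintext credential keys and expiry dates more than MAX_TOKEN_LIFETIME out.

    `now` is a naive UTC datetime; plistlib returns naive UTC datetimes for <date> values.
    """
    findings = {"plaintext_credentials": [], "excessive_expiry": []}
    for key, value in _walk(plistlib.loads(data)):
        if isinstance(value, str) and value and CREDENTIAL_KEY_RE.search(key):
            findings["plaintext_credentials"].append(key)
        if isinstance(value, datetime) and "expir" in key.lower():
            if value - now > MAX_TOKEN_LIFETIME:
                findings["excessive_expiry"].append((key, value.isoformat()))
    return findings


if __name__ == "__main__":
    print(audit_plist(SAMPLE_PLIST, datetime(2012, 4, 4)))
```

Run it over every plist in the app's sandbox (Library/Preferences and the app's own directories) as part of a release review; anything it flags belongs in the Keychain rather than a plist.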
"Facebook are aware and working on closing the hole, but unless app developers follow suit and start encrypting the 60 day access token Facebook supplies, it's only a matter of time before someone starts using the info for ill purpose…if they aren't already," Wright wrote. "Until Facebook plug the hole, I'll be thinking twice about plugging my devices into a shared PC, public music docks or 'charging stations.'"
Earlier this year, Facebook was accused of reading text messages, a charge it denied.
For more from Mark, follow him on Twitter @MarkHachman.