The Register's Bill Ray reports that Facebook's iOS and Android apps don't encrypt their users' login credentials, leaving them easily accessible.
"A rogue application, or two minutes with a USB connection, are all that's needed to lift the temporary credentials from either device -- a problem compounded by Facebook's idea of 'temporary' as lasting beyond the year 4000," Ray writes. "In the case of iOS, one can even lift the data from a backup, enabling the hacker to attach to a Facebook account and access Facebook applications for fun and profit."
"The security hole was discovered by Gareth Wright, a UK-based developer of apps for iOS and Android devices," writes ITworld's John P. Mello Jr. "Wright, writing in a blog, says he discovered the flaw while poking around some of the application directories in his iPhone with a free tool for doing that. In the course of his prodding, he discovered a Facebook access token in one of the games on his phone."
"Given that the vulnerability can be exploited with hardware and physical access, Wright says he'll be thinking twice about plugging his devices into shared PCs, public music docks or charging stations," writes Sophos' Lisa Vaas. "Sounds like good advice for the rest of us."