By now you’ve heard that you should be careful what you post on Facebook. But it might not be prying eyes on your profile that get you into trouble on the social network, but rather a security hole open to hackers.
As PC World reports, there’s an easily exploitable security flaw in Facebook’s mobile apps for both Apple’s iOS platform and Google’s Android operating system. Neither version of the app encrypts users’ personal information, which makes it easy to steal for hacker types and identity thieves.
According to PC World’s report, all it would take to exploit the unencrypted data is “a rogue application” or “two minutes with a USB cable.” Rogue apps are less common on iOS than, say, Android because of the latter’s more open nature, but Apple’s walled garden is by no means free of the occasional malicious weed.
What’s especially disconcerting about the revelation that user data is unprotected with Facebook’s apps is the sheer volume of users that are logging in with their mobile devices. Back in February, Facebook released numbers that said some 350 million of its monthly active users were logging in with their mobile apps. That’s an insane number of people whose personal data is currently vulnerable, and who likely have no idea.
The security hole was first discovered by UK app developer Gareth Wright, who stumbled on it while using a free tool that allowed him to see the directory files on his iPhone. Before long, Wright noticed that a game made use of a Facebook token to gain access to information in Wright’s profile. Copying the token, he found it was easy to use the Facebook Query Language and the token to access information in his account. Poking further, he found Facebook’s directory files and a huge amount of unencrypted information. He even found an unencrypted key that could give anyone full access to his Facebook account.
Wright then wrote a computer program to demonstrate how easy it would be for a malicious hacker to create a worm to find and copy Facebook “plists,” the plaintext files that contain each user’s Facebook settings. Instead, Wright made his program merely add a tally to a counter every time it encountered a plist, rather than copy it. The code counted more than 1,000 plists over the course of a week.
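The weakness described above is credentials sitting in plaintext plist files. As an added example (not Wright’s program and not Facebook’s code), here is a small audit check an app developer could run against their own app’s data directory to flag credential-like values stored unencrypted in a plist; the key names, the heuristics and the sample plist are all constructed for illustration and are not Facebook’s actual keys.

```python
import plistlib
import re

# Hypothetical key-name patterns that commonly hold credentials; not Facebook's real keys.
SENSITIVE_KEY_PATTERN = re.compile(r"(token|secret|session|password|credential)", re.IGNORECASE)
# Heuristic for opaque, credential-looking values: long runs of token-style characters.
OPAQUE_VALUE_PATTERN = re.compile(r"^[A-Za-z0-9_\-|.]{32,}$")


def _walk(obj, path=""):
    """Yield (key_path, value) for every leaf in a parsed plist, nesting included."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{path}/{key}" if path else str(key))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, obj


def find_plaintext_secrets(plist_bytes):
    """Return sorted key paths whose name or value looks like a stored credential."""
    data = plistlib.loads(plist_bytes)
    findings = []
    for path, value in _walk(data):
        if not isinstance(value, str):
            continue
        leaf_name = path.rsplit("/", 1)[-1]
        if SENSITIVE_KEY_PATTERN.search(leaf_name) or OPAQUE_VALUE_PATTERN.match(value):
            findings.append(path)
    return sorted(findings)


# Constructed sample plist for the demo; not a real Facebook settings file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>username</key><string>alice</string>
    <key>FBAccessToken</key><string>CONSTRUCTED_SAMPLE_TOKEN_VALUE_0123456789abcdef</string>
    <key>settings</key>
    <dict>
        <key>notifications</key><true/>
        <key>sessionKey</key><string>deadbeef</string>
    </dict>
</dict>
</plist>
"""

if __name__ == "__main__":
    for hit in find_plaintext_secrets(SAMPLE_PLIST):
        print("plaintext credential-like value at:", hit)
```

Any hit is a value that should live in the platform keychain (or equivalent protected storage) rather than in a plist readable by other apps or over a USB backup.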
Facebook is already working on a fix to the problem after being contacted by Wright over the issue, according to the PC World story. That doesn’t solve the problem of that plaintext token that gives apps (and potentially malicious programs) access to Facebook profiles, however; especially because that token is stored in the plists of other apps, such as games. That means there are potentially millions of Facebook-using mobile gamers out there that are currently vulnerable to having their information stolen, and may stay that way for some time.