Once again, I get to be the bearer of bad news just to keep you, our reader, safe. Facebook's Mobile app for iOS and Android store your login information in a plaintext file that doesn't expire until the year 4001. The Facebook .plist file where your login data is stored could easily be swiped by a USB connection or via malicious apps.
Gareth Wright, a U.K.-based app developer for Android and iOS, is the discoverer of this bug. He discovered it after poking around in the application directories using the free tool iexplorer. He first found a plaintext Facebook Access token that was stored by DrawSomething and was able to query all of his data.
He then took a look at Facebook's directory where he found the .plist in question. He passed this file over to his friend and fellow blogger who, in the next few minutes, started posting status updates, sending private messages, and even liking websites. In other words, he had full control over the account.
Facebook is currently working on a fix, but there is no ETA. Additionally, other apps who use Facebook Access Tokens need to encrypt those as well. This is just another reason to be careful when selecting apps or plugging your device into a shared PC. Getting Facebook "jacked" just became real.
Further Reading: Read and find more Hacking & Security news at our Hacking & Security news index page.