The Facebook app stores user data in a .plist, which on Android is protected only if the user is far stricter about the permissions granted to other apps than is usual.
Wright wrote a proof-of-concept app designed to scarf up as many .plists as possible, collecting more than 1,000 before taking his findings to Facebook with a warning about the security flaw.
Facebook is aware of the problem and is working on a fix, Wright found after warning it about his findings.
Facebook is also spinning the revelation as hard as it can, claiming in its official response – and in several stories based on it – that the security hole makes the Facebook app vulnerable only if the phone has been jailbroken or an identity thief has physical access to the phone itself.
Not true. According to Wright, any Android app that has permission to store or modify data on the SD card can also see the unencrypted .plist the Facebook app leaves behind.
That would make them vulnerable to any rogue app or malware designed to collect as much information as possible and phone it home (which, on Android, is far too many of them).
"We have duplicated the Facebook hack here at TNW labs (using our own devices) and it works perfectly well without a jailbreak," according to a story in TheNextWeb.
Even worse, for those hoping the cloud could save them from irreparable data loss or inaccessibility, the app distributed by file locker Dropbox has the same .plist security flaw, which makes Dropbox profiles vulnerable to hacks or malicious software on iOS and Android devices, TNW's testing found.
Facebook is working on a patch, but app developers who build in connections to Facebook have to add their own encryption to the 60-day access token Facebook supplies, Wright told ZDNet.
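The practical check a developer or auditor wants here is whether their own app's settings file leaves a bearer credential readable in plaintext, which is exactly the condition Wright describes. The following script is an added example, not code from the article, from Wright, or from Facebook: it parses a plist with Python's standard `plistlib` and flags string values that sit under credential-like key names (or that look like opaque tokens) so they can be moved to encrypted storage. The sample plist, its key names and the token value are constructed for the example.

```python
import plistlib
import re

# Constructed sample plist, modelled on the kind of per-user settings file
# the article describes. Key names and the token value are made up.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>UserID</key>
    <string>1234567890</string>
    <key>Session</key>
    <dict>
        <key>AccessToken</key>
        <string>EXAMPLE_TOKEN_abcdef0123456789abcdef0123456789</string>
        <key>ExpiresAt</key>
        <string>2012-06-01T00:00:00Z</string>
    </dict>
    <key>DisplayName</key>
    <string>Example User</string>
</dict>
</plist>
"""

# Leaf key names that commonly hold bearer credentials.
SENSITIVE_KEY = re.compile(r"(token|secret|password|passwd|auth)", re.IGNORECASE)
# Values that look like an opaque credential: long, no whitespace, URL-safe alphabet.
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9_\-]{32,}$")
MIN_TOKEN_LEN = 16


def walk(node, path=()):
    """Yield (path, value) for every leaf in a parsed plist tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, path + (f"[{index}]",))
    else:
        yield path, node


def find_plaintext_secrets(plist_bytes):
    """Return the paths of string leaves that look like plaintext credentials.

    A leaf is reported when its own key name is credential-like or when
    its value has the shape of an opaque token; each path appears once.
    """
    data = plistlib.loads(plist_bytes)
    findings = []
    for path, value in walk(data):
        if not isinstance(value, str) or len(value) < MIN_TOKEN_LEN:
            continue
        key_name = path[-1] if path else ""
        if SENSITIVE_KEY.search(key_name) or TOKEN_SHAPE.match(value):
            findings.append("/".join(path))
    return findings


def audit_plist_file(filename):
    """Convenience wrapper for auditing a plist on disk."""
    with open(filename, "rb") as handle:
        return find_plaintext_secrets(handle.read())


if __name__ == "__main__":
    for hit in find_plaintext_secrets(SAMPLE_PLIST):
        print(f"plaintext credential at {hit}")
    # → plaintext credential at Session/AccessToken
```

Run it against an app's own data directory during development or as a CI check; any path it reports is a value that should be held in platform-protected storage (or encrypted with a key the app does not write to the same world-readable location) rather than in the plist itself. The date string under the same `Session` dictionary is deliberately not reported, since the check looks at the leaf's own key name and value shape rather than at every ancestor key.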
Here is Facebook's official response: