Monthly Archives: April 2012

Don't lose your smartphone

Taking a play right out of some '90s software, Facebook stores your login credentials in plaintext on your devices. Android is vulnerable to token snatching and, to a slightly lesser degree, iOS as well.

iOS games often store their high scores in plaintext, and rely on the OS for protection, and some are clearly storing Facebook-connection tokens in the same place. Those tokens are only valid for 60 days, but it turns out that the Facebook application itself stores a similar token – which lasts until the first of January 4001. Copy that token onto another device, and you’re in.

Apparently you just need the auth file from someone's device and you can log in as if you were on their device and account. The goofy part that crosses my mind is how a FB profile has a link for your cell number. I wanted to assume that was for authentication via mobile sites, but obviously that's not the case.

I guess that explains those few random spam texts I got over the last few weeks. At least now I can fix my profile to not leak my number to spam marketers.

Activating allows Facebook Mobile to send text messages to your phone. You can receive notifications for friend requests, messages, Wall posts, and status updates from your friends.
You can also update your status, search for phone numbers, or upload photos and videos from your phone.

Then again, the above dialog alludes to this 'security' being in place. I removed my phone, interested to see if it actually shows any issue connecting.