When we save our login information for an online service inside a mobile app, we trust the app to manage that data securely. Even when intentions are good, a serious enough oversight can cost us control of our accounts, as attackers take possession of our login credentials. Facebook is facing such a problem now, with the revelation of weaknesses in how its iOS and Android apps store credentials that could give an attacker access to your account.
The issue has to do with how Facebook stores its login token. Reportedly, the data the app saves after you enter your password includes a plaintext token that can later be used to access your account. Not only does the Facebook app itself store this token, but third-party apps you have allowed to link with your Facebook account also keep copies of such tokens in their own data directories, so there is more than one place on the phone from which it can be taken.
Of course, to take advantage of this weakness, an attacker first needs to get one of those tokens off your phone. That is not exactly trivial, but a determined individual has a number of ways to copy that data, even if it requires physical access to the phone.
Facebook is reportedly aware of the situation and presumably working on a fix. One possible solution is to issue login tokens that are only valid on the device they were issued to, so that a token copied off the phone is useless by itself.
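To make the difference concrete, here is a small added example (illustration only, not Facebook's code or a description of its fix) contrasting a plain bearer token, which is accepted from whoever presents it, with a device-bound token, which is only accepted together with a proof computed under a per-device secret. The secret stands in for a non-exportable key held in the platform keystore (Android Keystore or the iOS Secure Enclave); here it is just bytes in memory, and the server-side signing key, the device registry and the user and device names are all constructed for the example. Binding only helps if the device key cannot be copied out of the app directory along with the token, which is why a hardware-backed keystore is the realistic home for it.

```python
"""Bearer token versus device-bound token (illustrative example, not Facebook's code)."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Server-side signing key and device registry, both constructed for this example.
# In a real deployment the device would register a public key, not a shared secret.
SERVER_KEY = secrets.token_bytes(32)
DEVICE_REGISTRY = {}  # device_id -> device secret


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def enroll_device(device_id: str) -> bytes:
    """Device enrollment: create the per-device secret and register it with the server."""
    device_secret = secrets.token_bytes(32)
    DEVICE_REGISTRY[device_id] = device_secret
    return device_secret


def mint_token(user_id: str, device_id: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Issue a server-signed token naming the user and the device it was issued to."""
    claims = {"uid": user_id, "did": device_id, "exp": int((now or time.time()) + ttl)}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def _parse_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Check the server signature and expiry; return the claims or None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims["exp"] < (now or time.time()):
        return None
    return claims


def verify_bearer(token: str) -> Optional[str]:
    """The weak check: whoever holds the token string is the user.
    Copying it out of the app's data directory is enough."""
    claims = _parse_token(token)
    return claims["uid"] if claims else None


def make_proof(device_secret: bytes, token: str, nonce: str) -> str:
    """Client side: prove possession of the device secret for this request.
    The nonce is chosen by the server so a captured proof cannot be replayed."""
    msg = f"{token}\n{nonce}".encode()
    return _b64(hmac.new(device_secret, msg, hashlib.sha256).digest())


def verify_bound(token: str, nonce: str, proof: str) -> Optional[str]:
    """The stronger check: the token is accepted only with a valid proof
    under the secret of the device named in the token."""
    claims = _parse_token(token)
    if not claims:
        return None
    device_secret = DEVICE_REGISTRY.get(claims["did"])
    if device_secret is None:
        return None
    if not hmac.compare_digest(proof, make_proof(device_secret, token, nonce)):
        return None
    return claims["uid"]


if __name__ == "__main__":
    phone_secret = enroll_device("phone-1")
    token = mint_token("alice", "phone-1")
    nonce = secrets.token_hex(16)
    # Attacker copies the token string off the phone to a device that lacks phone-1's secret.
    attacker_secret = secrets.token_bytes(32)
    print("bearer check, copied token:", verify_bearer(token))
    print("bound check, copied token: ", verify_bound(token, nonce, make_proof(attacker_secret, token, nonce)))
    print("bound check, real device:  ", verify_bound(token, nonce, make_proof(phone_secret, token, nonce)))
```

In the bound scheme the plaintext token on disk is still worth protecting, but on its own it no longer logs anyone in; the attacker would also need the device secret, and with a hardware-backed key that cannot be copied out of the app directory.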