Facebook logins easily slurped from iOS, Android kit

by Carol~ Moderator - 4/3/12 10:58 AM

In Reply to: NEWS - April 03, 2012 by Carol~ Moderator

Exclusive: Facebook's iOS and Android clients don't encrypt users' logon credentials, leaving them languishing in a folder accessible to other apps or USB connections.

A rogue application, or two minutes with a USB connection, is all that's needed to lift the temporary credentials from either device - a problem compounded by Facebook's idea of "temporary" as lasting beyond the year 4000. In the case of iOS, one can even lift the data from a backup, enabling the hacker to attach to a Facebook account and access Facebook applications for fun and profit.

That's according to Reg reader Gareth Wright, who stumbled across the file and tested it to see if it really was that easy to pretend to be someone else. Turns out it is, and after knocking out a proof of concept (a high-score editor for jailbroken iOS devices) which lifted "several thousand" IDs, Gareth deleted the collected data and dutifully reported the matter to Facebook.

Turns out Facebook was already aware of the problem and working on a fix - though it won't say how long that's going to take or what customers should do in the meantime.

Continued : http://www.theregister.co.uk/2012/04/03/facebook_security_weak_logon/
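The two weaknesses the report describes (a logon token sitting in a plaintext file, and a "temporary" token that expires centuries from now) are easy to check for once you have a copy of an app's data directory or backup. The script below is an added example written for this post, not code from The Register, Gareth Wright or Facebook. It assumes the credential store is an XML property list with token-like key names; the sample plist embedded in it is constructed for illustration and is not taken from any real device.

```python
"""Audit a mobile app's on-disk credential store for plaintext tokens
and for "temporary" tokens whose expiry is effectively permanent.

Assumptions (not from the original post): the store is an XML plist,
credential keys contain words like "token"/"secret"/"password", and
expiries are stored as plist <date> values.
"""
import datetime as dt
import plistlib
import re

# Constructed sample of what an unprotected credential file might look like.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>user_id</key>
    <string>1234567890</string>
    <key>session</key>
    <dict>
        <key>access_token</key>
        <string>AAAAexampleTokenValue</string>
        <key>expires</key>
        <date>4001-01-01T00:00:00Z</date>
    </dict>
</dict>
</plist>
"""

# Key names that usually hold a credential (assumed heuristic).
CREDENTIAL_KEY_RE = re.compile(r"(token|secret|password|passwd|session_key)", re.I)

# Reference "now" for the sample audit: the date of the report.
REPORT_DATE = dt.datetime(2012, 4, 3, tzinfo=dt.timezone.utc)


def _walk(node, path=""):
    """Yield (dotted_path, leaf_value) for every leaf in a nested plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")
    else:
        yield path, node


def audit_credential_store(raw, now=None, max_lifetime_days=90):
    """Return findings for one plist credential store.

    plaintext_credentials: paths whose key looks like a credential and whose
        value is a bare, non-empty string (i.e. readable by anything that
        can read the file).
    overlong_expiry: paths of date values more than max_lifetime_days ahead
        of `now`, mapped to the number of days of remaining validity.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    data = plistlib.loads(raw)
    findings = {"plaintext_credentials": [], "overlong_expiry": {}}
    for path, value in _walk(data):
        leaf_key = path.rsplit(".", 1)[-1]
        if CREDENTIAL_KEY_RE.search(leaf_key) and isinstance(value, str) and value.strip():
            findings["plaintext_credentials"].append(path)
        if isinstance(value, dt.datetime):
            # plistlib returns naive UTC datetimes; make them comparable.
            expires = value if value.tzinfo else value.replace(tzinfo=dt.timezone.utc)
            days_left = (expires - now).days
            if days_left > max_lifetime_days:
                findings["overlong_expiry"][path] = days_left
    return findings


def audit_file(path, **kwargs):
    """Audit a credential store read from disk (e.g. pulled from a backup)."""
    with open(path, "rb") as fh:
        return audit_credential_store(fh.read(), **kwargs)


def sample_findings():
    """Run the audit against the constructed sample as of the report date."""
    return audit_credential_store(SAMPLE_PLIST, now=REPORT_DATE)


if __name__ == "__main__":
    for category, hits in sample_findings().items():
        print(f"{category}: {hits}")
```

Run it against a file lifted from a backup with `audit_file(path)`. A token flagged under `plaintext_credentials` should live in the platform keychain or equivalent protected storage instead, and an `overlong_expiry` hit of hundreds of thousands of days means a stolen copy stays usable until it is explicitly revoked, which is the situation the post describes.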