The “hacks” require the attacker to have physical access to your device (whether it be Android or iOS). That could be a speaker dock, a charging station, or a friend’s computer, but it still requires you to plug the iPhone into something compromised or give up physical access to it.
The issue, as Gareth Wright first discovered, is that Facebook stores saved account information in a plaintext file that can be transferred to another phone and used to log into your Facebook account without signing in. Other services, like Dropbox, were also shown to have the same vulnerability (but that is disputed).
This is why, when you restore a phone from a backup, you already have access to your Facebook app without having to sign in again. Facebook attempted to dispel the concern by claiming that a phone would need to be compromised for this to work. That is untrue.
However, as we know, once someone with the right software has your iPhone, your information is pretty much his or hers to use.
might do a post debunking the Facebook credentials thing, but basically… users: set a good pass code! devs: please utilize Data Protection!
— (@chronic) April 06, 2012
The bigger issue here is the software that people use to access your data. It is free—and the process is very simple. I expect Facebook and Apple will probably make it more difficult in forthcoming updates.
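To make the storage problem described above and the tweet's "use Data Protection" advice concrete, here is an added example (not Facebook's or any other app's code): the weak pattern of writing a session token to an unprotected plist in Documents, next to two hardened alternatives and a check a developer can run on their own files. The service and account names, the file name and the token are constructed for the example.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical identifiers, constructed for this example.
static NSString * const kExampleService = @"com.example.socialapp.session";
static NSString * const kExampleAccount = @"current-user";

// The weak pattern the article describes: the token lands in a plain plist
// with no protection class, so any copy of the app container (dock, backup,
// a borrowed computer) carries a working session with it.
void saveTokenInsecurely(NSString *token, NSString *documentsDir) {
    NSDictionary *plist = @{ @"session_token": token };
    NSString *path = [documentsDir stringByAppendingPathComponent:@"session.plist"];
    [plist writeToFile:path atomically:YES];
}

// Hardened: keep the token in the Keychain, readable only while the device is
// unlocked and, because of the ThisDeviceOnly class, never restored onto a
// different device from a backup. A restore to the same device still works.
OSStatus saveTokenInKeychain(NSString *token) {
    NSDictionary *query = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kExampleService,
        (__bridge id)kSecAttrAccount: kExampleAccount,
    };
    SecItemDelete((__bridge CFDictionaryRef)query); // replace any existing item
    NSMutableDictionary *item = [query mutableCopy];
    item[(__bridge id)kSecValueData] = [token dataUsingEncoding:NSUTF8StringEncoding];
    item[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)item, NULL);
}

// If a file must hold sensitive state, apply Data Protection so it is encrypted
// with a passcode-derived key while the device is locked. This only helps when
// the user has set a passcode, which is the other half of the tweet's advice.
BOOL writeProtectedFile(NSData *contents, NSString *path, NSError **error) {
    return [contents writeToFile:path
                         options:NSDataWritingAtomic | NSDataWritingFileProtectionComplete
                           error:error];
}

// Audit check for a developer's own files: anything other than Complete means
// the file is readable whenever the file system is.
BOOL fileHasCompleteProtection(NSString *path) {
    NSError *error = nil;
    NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:path
                                                                           error:&error];
    NSString *protection = attrs[NSFileProtectionKey];
    return [protection isEqualToString:NSFileProtectionComplete];
}
```

The Keychain route is the better fix for session tokens, since a protected file is still readable on a device restored from the same backup, whereas a ThisDeviceOnly Keychain item is not migrated at all.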
- Security hole in Facebook iOS app doesn’t require jailbreak or theft, and Dropbox has it too (thenextweb.com)