A rogue application or a USB connection can be used to steal the temporary credentials stored on mobile devices, according to a report by The Register. In the case of Apple’s iOS, the data can also be lifted from a device backup, letting an attacker log in to the victim’s Facebook account and use Facebook-connected applications as that user.
“That's according to Reg reader Gareth Wright, who stumbled across the file and tested it to see if it really was that easy to pretend to be someone else. Turns out it is, and after knocking out a proof of concept (a high-score editor for jailbroken iOS devices) which lifted ‘several thousand’ IDs, Gareth deleted the collected data and dutifully reported the matter to Facebook”, the report said.
Facebook, it turns out, was aware of the problem and working on a fix, although it couldn’t say when a fix might be ready.
“iOS games often store their high scores in plaintext, and rely on the OS for protection, and some are clearly storing Facebook-connection tokens in the same place. Those tokens are only valid for 60 days, but it turns out that the Facebook application itself stores a similar token – which lasts until the first of January 4001. Copy that token onto another device, and you're in”, the report added.
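The failure mode the report describes is a credential sitting in a plaintext preference file next to a high score, with an expiry far beyond the 60 days a game token is supposed to live. The following audit script is an added example, not code from The Register or Facebook: it reads constructed plist files modelled on that description (key names such as `fb_access_token` and `fb_token_expiry` are assumptions) and flags plaintext token keys and expiries that exceed the 60-day horizon.

```python
"""Audit iOS app preference plists for plaintext, long-lived tokens (added example)."""
import plistlib
import re
from datetime import datetime, timedelta

MAX_TOKEN_LIFETIME = timedelta(days=60)      # lifetime the report gives for game tokens
TOKEN_KEY = re.compile(r"(access_?token|session|oauth|credential)", re.I)
NOW = datetime(2012, 4, 6)                   # constructed reference date (naive UTC)

# Constructed sample data: a game that keeps its score beside a Facebook token,
# and a Facebook-app plist whose token is valid until 1 January 4001.
GAME_PLIST = plistlib.dumps({
    "high_score": 12345,
    "fb_access_token": "CONSTRUCTED-GAME-TOKEN",
    "fb_token_expiry": NOW + timedelta(days=60),
})
FACEBOOK_APP_PLIST = plistlib.dumps({
    "fb_access_token": "CONSTRUCTED-APP-TOKEN",
    "fb_token_expiry": datetime(4001, 1, 1),
})


def audit_plist(name, blob, now=NOW):
    """Return (file, key, finding) tuples for one plist.

    A string value under a credential-looking key is reported as a plaintext
    token; an expiry more than 60 days out is reported as over-long.
    """
    data = plistlib.loads(blob)
    findings = []
    for key, value in data.items():
        if TOKEN_KEY.search(key) and isinstance(value, str):
            findings.append((name, key, "plaintext-token"))
    expiry = data.get("fb_token_expiry")          # assumed key name
    if isinstance(expiry, datetime) and expiry - now > MAX_TOKEN_LIFETIME:
        findings.append((name, "fb_token_expiry", "lifetime-exceeds-60-days"))
    return findings


def audit_backup(files, now=NOW):
    """Run audit_plist over a {filename: plist bytes} mapping, e.g. an unpacked backup."""
    findings = []
    for name, blob in files.items():
        findings.extend(audit_plist(name, blob, now))
    return findings


if __name__ == "__main__":
    for finding in audit_backup({"game.plist": GAME_PLIST, "facebook.plist": FACEBOOK_APP_PLIST}):
        print(*finding)
```

Anything flagged here belongs in the Keychain rather than in a preference file, and the over-long expiry is the case that turns a 60-day exposure into a permanent one.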