Ready for your daily dose of paranoia? There’s a newly discovered bug in the Facebook app that allows anyone to pull your Facebook identity off your device. Discovered by Gareth Wright, it appears the Facebook app has a .plist file that anyone can access through your iPhone or iPad’s dock port and a file browser. Since this information isn’t secured or encrypted in any way, if you plug your iPhone into someone else’s computer/charger/dock/speakers, and they have it set up right, they can export the .plist and use it to log in to your Facebook account.
Facebook responded to the flaw by saying it only worked with stolen or jailbroken devices — which is disingenuous, because their definition of stolen includes “granted a malicious actor access to the physical device.” As in, you plug your iPhone into the wrong place.
Further reports indicate that Facebook isn’t the only app with this problem; Dropbox has it too.
I’d expect a fix for this in the very near future, but until then, be wary of where you dock your device.


