
All your Facebook Access Tokens are belong to us - mikeevans
http://attack-secure.com/2013/10/all-your-facebook-access-tokens-are-belong-to-us/
======
thehme
Can't read blog post:

Error 520 Ray ID: c513da5e9750697 Web server is returning an unknown error

[https://support.cloudflare.com/hc/en-us/articles/200171936-E...](https://support.cloudflare.com/hc/en-us/articles/200171936-Error-520)

humm...

------
patmcguire
Can anyone get to the article?

~~~
thefreeman
Worked for me. tl;dr: Facebook apps were leaking the access token via the
Android logcat, which is accessible from any app installed on your device.

~~~
JosephRedfern
AFAIK, since Android 4.1 the READ_LOGS permission (needed for an app to be able
to access logcat output) can no longer be granted to a third-party
application... Of course, there are going to be lots of devices out there
running Android < 4.1.
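
An added example, not code from the article or from either commenter above: a small Python scanner that runs over a constructed logcat dump and flags the kind of leak thefreeman describes (an app writing its OAuth access token into the log), reporting which PIDs did it, plus a helper that encodes JosephRedfern's point about when READ_LOGS stopped being grantable to third-party apps (API level 16 is Android 4.1). The log lines, tags, PIDs and token values are constructed for the example; the three token patterns (an `access_token=` query parameter, an `"access_token"` JSON field, and a Bearer/OAuth `Authorization` header) are my assumptions about what a leaky app typically logs, not something the article states.

```python
import re
import sys
from dataclasses import dataclass

# Constructed logcat lines in "threadtime" format. These are invented for the
# example; the tags, PIDs and token values are not from any real device.
SAMPLE_LOGCAT = """\
10-14 09:12:01.123  1234  1234 D FBSDK   : GET https://graph.facebook.com/me?access_token=CAACEdEose0cBAExample123&fields=id,name
10-14 09:12:01.456  1234  1240 I OkHttp  : Authorization: Bearer ya29.exampleTokenValue-xyz
10-14 09:12:02.001  1234  1234 D Session : {"access_token":"CAACEdEose0cBAAnotherOne","expires_in":5184000}
10-14 09:12:02.500  1234  1234 V Render  : frame drawn in 16ms
10-14 09:12:03.010  2222  2222 D Other   : user tapped button
"""

# logcat -v threadtime: "MM-DD HH:MM:SS.mmm  PID  TID PRIO TAG     : message"
LOGCAT_LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<prio>[VDIWEF])\s+(?P<tag>\S+)\s*:\s?(?P<msg>.*)$"
)

# Where an OAuth access token typically ends up in a log message. Assumed
# patterns, chosen to cover URL logging, JSON response logging and HTTP
# header logging.
TOKEN_PATTERNS = {
    "query_param": re.compile(r"(?i)\baccess_token=([A-Za-z0-9._~+/=-]+)"),
    "json_field": re.compile(r'"access_token"\s*:\s*"([^"]+)"'),
    "auth_header": re.compile(r"(?i)\bAuthorization:\s*(?:Bearer|OAuth)\s+(\S+)"),
}


@dataclass(frozen=True)
class Leak:
    pid: int
    tag: str
    kind: str
    preview: str  # redacted token, so the report itself does not re-leak it


def redact(token: str, keep: int = 6) -> str:
    """Keep a short prefix for triage and drop the rest."""
    return f"{token[:keep]}...({len(token)} chars)"


def find_leaked_tokens(logcat_text: str) -> list[Leak]:
    """Scan logcat output and return every access token found, line by line."""
    leaks = []
    for raw in logcat_text.splitlines():
        m = LOGCAT_LINE.match(raw)
        if not m:
            continue  # not a threadtime line (e.g. "--------- beginning of main")
        for kind, pattern in TOKEN_PATTERNS.items():
            for token in pattern.findall(m.group("msg")):
                leaks.append(Leak(int(m.group("pid")), m.group("tag"), kind, redact(token)))
    return leaks


def pids_leaking(leaks: list[Leak]) -> set[int]:
    """Which processes wrote tokens to the log; these are the apps to fix."""
    return {leak.pid for leak in leaks}


def read_logs_grantable_to_third_party(sdk_int: int) -> bool:
    """READ_LOGS became a signature/system permission in Android 4.1 (API 16).
    Before that any app could request it, so a token in the log was readable
    by every other app on the device."""
    return sdk_int < 16


if __name__ == "__main__":
    # Pipe real output in with: adb logcat -d -v threadtime | python scanner.py
    text = SAMPLE_LOGCAT if sys.stdin.isatty() else sys.stdin.read()
    found = find_leaked_tokens(text)
    for leak in found:
        print(f"pid={leak.pid} tag={leak.tag} {leak.kind}: {leak.preview}")
    print(f"{len(found)} token(s) leaked by PIDs {sorted(pids_leaking(found))}")
```

Run stand-alone it scans the constructed sample; fed `adb logcat -d -v threadtime` on a test device it scans the real buffer. The report deliberately prints only a redacted prefix so that the triage output is not itself a second copy of the secret.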

------
zaidf
We condemn anyone that stores passwords as plaintext. Time to treat access
tokens as nothing less than a password.

~~~
davidkuridza
How would you store access tokens on a device, using two-way encryption, or do
you have something else in mind?

~~~
zaidf
Two-way encryption, yep.

~~~
colinhowe
But then, for any reasonable application to be able to use them, they'll need to
store the decryption key anyway...

~~~
tedunangst
Obviously you wouldn't store the encryption key in plaintext...

~~~
paulgb
It's encrypted keys all the way down.

