Does anyone know if the provided Facebook Widget on the N900 sends your username and password clear text? For example, you connect to a wireless network, your facebook widget updates, can other users on the network sniff your facebook credentials?

Also. is there any way to control when the FB widget updates, perhaps set it to update only when told to?

they cant sniff it...
and no u cant

Please share... what is it that prevents another network user from sniffing the credentials? Are they hashed, sent encrypted, or what mechanism works here?

You could always download the wireshark to your N900 and find out yourself?

Hi sorry to let you down but I did a facebook login trace via wireshark just the other week on the PC and its not sent clear text.

As far as I know, facebook's login is always https.

Yeah once it authenticates the user the rest of page views, chat etc are all plain text IP packets.

but apparently the mauku widget totally is in clear text, i have both an ettercap and wireshark log to prove it. i will be spending the rest of the nights sniffing the rest of the social networking apps i have on this phone

Depending on the service it may be that the password is always clear text. By default most POP servers are clear text unless you're going to the secure authentication ports to do it. FTP is always clear text for passwords, as are IRC and several other commonly used tools. I'm not saying that's a good thing, just that it may not be entirely the apps fault. If a service is truly security aware they won't accept login credentials in a non-secured way to start with, so the apps would have to hash or encrypt credentials.