A couple of weeks ago two students conducting security research contacted me about a vulnerability which they believed they had found with Facebook.
Rui Wang and Zhou Li said that they had found a vulnerability which allowed malicious websites to access a Facebook user’s private data without permission. According to Rui and Zhou, it was possible for any website to impersonate other sites which had been authorised to access users’ data such as name, gender and date of birth.
Furthermore, the researchers found a way to publish content on the visiting users’ Facebook wall (under the guise of legitimate websites) – a potential way to spread malware and phishing attacks.
Here’s a YouTube video by Rui and Zhou where the vulnerability is demonstrated. (Note: there’s no sound on the video)

When I first experimented last week on a test site created for me by Zhou and Rui, I couldn’t precisely mimic what you see in the video. The demo website wasn’t able to extract the name of my test Facebook account, and it displayed a “failed” dialog box when it tried to post to my Facebook wall.

Now it’s possible that it didn’t work because I had applied some pretty rigid privacy settings to my test account, and sure enough when I tried again (having installed the ESPN Facebook app onto my test account) it was then successful, and able to extract my name, email address, and post an “evil” link seemingly via the app.
Ouch!
The good news is that the students practiced responsible disclosure, and informed Facebook’s security team about the flaw rather than release details of how to exploit users’ profiles to all and sundry.
Facebook Security responded promptly, and should be applauded for fixing the vulnerability rapidly once they were informed about it.
Clearly Facebook’s website is a complex piece of software, and it is almost inevitable that vulnerabilities and bugs will be found from time to time. The risk is compounded by the fact that there’s so much sensitive personal info about users being held by the site – potentially putting many people at risk.
Follow our guide for better security and privacy on Facebook to help lock down your profile from unwanted snoopers. You may also want to join the Sophos page on Facebook, to keep informed of the latest security threats.
But remember that ultimately if you don’t want your sensitive information to be leaked onto the net, you perhaps shouldn’t be uploading it in the first place.
You can learn more about the now fixed Facebook flaw in this article published by The Register this morning.
Full story: Naked Security – Sophos
Posted on 02 February 2011.