August 25th, 2008
Facebook refuses to fix obvious security flaw
[ UPDATE: Facebook has reversed itself and fixed this vulnerability ]
The Register’s Dan Goodin has the scoop on an obvious security vulnerability that’s being ignored by the powers at Facebook.
The issue, as demonstrated by this proof-of-concept, shows how a social network application can be rigged to hijack a Facebook user’s session identification cookies, deliver pop-up messages or change the color of Facebook pages.
“With a little extra work, an attacker could probably do much more, including send and read messages from a user’s account, change privacy settings and add or delete Facebook friends,” according to the report.
When I tested the code while logged in to Facebook, it worked as advertised and proves conclusively that Facebook fails to sanitize the content of third-party applications. This exposes Facebook’s massive user base to a variety of hacker attacks.
[ SEE: Web worms squirm through Facebook, MySpace ]
Worse, the developer who reported the flaw to Facebook says the company has refused to acknowledge the risk.
- Wachelka said he filed a bug report with Facebook on Friday and promptly received a message saying the matter had been closed. “Our FBML tags are written not to run Javascript,” Facebook asserted.
A weakness in Facebook’s filtering recently exposed users to a malicious worm attack via the site’s commenting system.
* Image source: We Blog Cartoons.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
| 08/26/08
