Facebook refuses to fix obvious security flaw

[ UPDATE: Facebook has reversed itself and fixed this vulnerability ]

The Register’s Dan Goodin has the scoop on an obvious security vulnerability that’s being ignored by the powers at Facebook.

The issue, as demonstrated by this proof-of-concept, is that a social network application can be rigged to hijack a Facebook user’s session identification cookies, deliver pop-up messages or change the color of Facebook pages.

“With a little extra work, an attacker could probably do much more, including send and read messages from a user’s account, change privacy settings and add or delete Facebook friends,” according to the report.

When I tested the code while logged in to Facebook, it worked as advertised and proves conclusively that Facebook fails to sanitize the content of third-party applications. This exposes Facebook’s massive user base to a variety of hacker attacks.

Worse, the developer who reported the flaw to Facebook says the company has refused to acknowledge the risk.

  • Wachelka said he filed a bug report with Facebook on Friday and promptly received a message saying the matter had been closed. “Our FBML tags are written not to run Javascript,” Facebook asserted.

A weakness in Facebook’s filtering recently exposed users to a malicious worm attack via the site’s commenting system.

[Source: zdnet]