Facebook refuses to fix obvious security flaw
[ UPDATE: Facebook has reversed itself and fixed this vulnerability ]
The Register’s Dan Goodin has the scoop on an obvious security vulnerability that’s being ignored by the powers at Facebook.
As the proof-of-concept demonstrates, a social network application can be rigged to hijack a Facebook user’s session identification cookies, deliver pop-up messages or change the color of Facebook pages.
“With a little extra work, an attacker could probably do much more, including send and read messages from a user’s account, change privacy settings and add or delete Facebook friends,” according to the report.
When I tested the code while logged in to Facebook, it worked as advertised and proves conclusively that Facebook fails to sanitize the content of third-party applications. This exposes Facebook’s massive user base to a variety of hacker attacks.
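The root cause described here is output filtering of third-party markup. As an added example (not code from the original post, from Facebook, or from the Register report), the Python below contrasts a denylist filter that only removes `<script>` blocks with an allowlist sanitizer that re-serialises application markup, keeping only known-safe tags, dropping every `on*` event-handler attribute and allowing only `http`/`https` URLs. The tag and attribute lists, the class and function names, and the sample application markup are all assumptions constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Allowlist of markup an embedded application may emit into the host page.
# Everything else (script, style, iframe, object, form, ...) is dropped.
# These sets are illustrative assumptions, not any real platform's policy.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://")
VOID_TAGS = {"br", "img"}
DROP_CONTENT_TAGS = {"script", "style"}  # tag AND its text content are removed


class AllowlistSanitizer(HTMLParser):
    """Re-serialises third-party markup, keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__()
        self.out = []
        self.skip_depth = 0  # >0 while inside <script>/<style>: drop the text too

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):  # event handlers are never allowed
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            # Scheme allowlist blocks javascript:, data:, vbscript: and friends.
            if name in URL_ATTRS and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on output, so stray '<' or '&' cannot form new tags.
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize(markup: str) -> str:
    """Allowlist sanitisation: returns markup containing only approved constructs."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


def naive_strip_script(markup: str) -> str:
    """Denylist filter that only removes <script> blocks (insufficient on its own)."""
    return re.sub(r"<script\b.*?</script>", "", markup, flags=re.I | re.S)


# Constructed sample of what an untrusted application might hand to the host page.
SAMPLE_APP_MARKUP = (
    '<p>Welcome to <b>My App</b>!</p>'
    '<script>alert(document.cookie)</script>'
    '<img src="http://example.invalid/logo.png" onerror="alert(document.cookie)">'
    '<a href="javascript:alert(document.cookie)">profile</a>'
)

if __name__ == "__main__":
    print("naive :", naive_strip_script(SAMPLE_APP_MARKUP))
    print("strict:", sanitize(SAMPLE_APP_MARKUP))
```

Run stand-alone, the naive filter leaves the `onerror` handler and the `javascript:` link in place, while the allowlist version emits only `<p>Welcome to <b>My App</b>!</p><img src="http://example.invalid/logo.png"><a>profile</a>`. Output sanitisation is one layer; marking session cookies `HttpOnly` so that page script cannot read them is the complementary control against the cookie theft the article describes.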
[ SEE: Web worms squirm through Facebook, MySpace ]
Worse, the developer who reported the flaw to Facebook says the company has refused to acknowledge the risk.
- Wachelka said he filed a bug report with Facebook on Friday and promptly received a message saying the matter had been closed. “Our FBML tags are written not to run Javascript,” Facebook asserted.
A weakness in Facebook’s filtering recently exposed users to a malicious worm attack via the site’s commenting system.
[Source: zdnet]