Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Facebook refuses to fix obvious security flaw

By | August 25, 2008, 3:44pm PDT


[ UPDATE: Facebook has reversed itself and fixed this vulnerability ]

The Register’s Dan Goodin has the scoop on an obvious security vulnerability that’s being ignored by the powers at Facebook.

The issue, as demonstrated by this proof-of-concept, shows how a social network application can be rigged to hijack a Facebook user’s session identification cookies, deliver pop-up messages or change the color of Facebook pages.

“With a little extra work, an attacker could probably do much more, including send and read messages from a user’s account, change privacy settings and add or delete Facebook friends,” according to the report.

When I tested the code while logged in to Facebook, it worked as advertised, which proves conclusively that Facebook fails to sanitize the content of third-party applications. This exposes Facebook’s massive user base to a variety of hacker attacks.

[ SEE: Web worms squirm through Facebook, MySpace ]

Worse, the developer who reported the flaw to Facebook says the company has refused to acknowledge the risk.

  • Wachelka said he filed a bug report with Facebook on Friday and promptly received a message saying the matter had been closed. “Our FBML tags are written not to run Javascript,” Facebook asserted.

A weakness in Facebook’s filtering recently exposed users to a malicious worm attack via the site’s commenting system.
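The difference between third-party markup that is merely displayed and markup that gets to run script comes down to how the host sanitizes what applications submit. As an added illustration that is not from the post and not Facebook's code, the Python below contrasts a blocklist filter that only strips `<script>` tags (the reasoning behind "our tags are written not to run JavaScript") with an allowlist sanitizer that keeps only known tags, known attributes and absolute http(s) URLs. The allowed tag set, the attribute rules and the sample markup are constructed assumptions for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist (assumed for this example): tag -> attributes permitted on it.
# Anything not listed, including every on* event handler and style, is dropped.
ALLOWED_TAGS = {
    "b": set(), "i": set(), "u": set(), "p": set(), "br": set(),
    "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}  # tag and its text are both discarded


def safe_url(value):
    """Accept only absolute http(s) URLs; javascript:, data: and relative
    values are rejected because the scheme is checked against an allowlist."""
    parsed = urlparse(value.strip())
    return parsed.scheme.lower() in SAFE_SCHEMES and bool(parsed.netloc)


class AllowlistSanitizer(HTMLParser):
    """Re-serialises input keeping only allowlisted tags/attributes;
    all text is HTML-escaped on output, comments and declarations vanish."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skip = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped, its text content is kept (escaped)
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            if self.skip:
                self.skip -= 1
            return
        if tag in self.open_tags:
            # close anything left open inside so the output stays well-formed
            while self.open_tags:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return parser.result()


SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def blocklist_filter(markup):
    """The insufficient approach: remove <script> tags and nothing else."""
    return SCRIPT_TAG.sub("", markup)


ACTIVE_CONTENT = re.compile(r"(?i)(<\s*script|\son[a-z]+\s*=|javascript\s*:)")


def contains_active_content(markup):
    """Rough indicator used only to compare the two filters' output."""
    return ACTIVE_CONTENT.search(markup) is not None


# Constructed sample of third-party markup: one legitimate link and three
# hostile fragments (script tag, event-handler attribute, javascript: URL).
SAMPLE = (
    '<p>Hello <b>world</b> <a href="https://example.com/">site</a></p>'
    '<script>alert(1)</script>'
    '<img src="x" onerror="alert(2)">'
    '<a href="javascript:alert(3)">click</a>'
)

if __name__ == "__main__":
    print("blocklist :", blocklist_filter(SAMPLE), contains_active_content(blocklist_filter(SAMPLE)))
    print("allowlist :", sanitize(SAMPLE), contains_active_content(sanitize(SAMPLE)))
```

The blocklist version leaves the `onerror` handler and the `javascript:` link untouched, so the host still ends up running application-supplied script; the allowlist version emits `<img>` and `<a>click</a>` with the offending attributes gone. A custom tag language such as FBML needs the same treatment at the point where it is rendered into HTML, and marking the session cookie `HttpOnly` is the usual defense in depth against the cookie theft the post describes, since script cannot read such a cookie even if a filter slips.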

* Image source:  We Blog Cartoons.


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

11 Comments
Fixed.
ZDNET_guest666 26th Aug 2008
Looks like Facebook has fixed the bug. I just clicked the link and saw this text:

The bug is fixed happy
Yup
Ryan Naraine 26th Aug 2008
Yup, it got fixed last night after the media picked up the story. Security-by-PR sad

_r
The problem with pro-active security
Michael Kelly 26th Aug 2008
is that it doesn't make headlines. At least Facebook will now get headlines over the fact that they made a fix.
It's not the type of publicity you want though. There used to be a saying that "no publicity is bad publicity" but in the internet world that's changed. Publicity that puts fear into your customers is not good.

It's much better to not have the security vulnerability widely known about and quietly fixed before it can be exploited. That way no harm to your reputation. Facebook is already feeling the pinch of being known as a place to get viruses and lots of people are shying away from Facebook these days.
It is troubling that Facebook needs to have a large amount of press before it fixes a problem.
With the amount of people it has and the press coverage it gets they should be more proactive in fixing security vulnerabilities and other bugs.
Probably because
zenotek 26th Aug 2008
... the only implication for a hijacked Facebook session is a compromised social networking site. Not much in terms of real damage can be done if you hack into somebody's account.
Not much
d.s.williams 28th Aug 2008
Only ruining someone's reputation or even driving them to suicide, potentially? It has happened on other social networking sites!
Such as the fact that applications completely ignore any user privacy options and have the ability to access ALL of your data and photographs. Not only that, but it gets to access a lot more information about the user than the user themselves get to see.
Sharing Facebook articles on ZDNet
d.s.williams 28th Aug 2008
I find it fascinating that, even though ZDNet relatively frequently includes items about Facebook, it is not one of the "Share" options. So if I want to tell all my Facebook contacts about them, I have to do it another (more complicated) way.
Why are there so few Share options here?
Security Risks vs ROI
Dr_Zinj 8th Sep 2008
That's what it's all about in business.

Facebook and other internet businesses either understand that concept, and use it, or they are eventually slain by attackers and loss of clients.
Indeed
d.s.williams Updated - 26th Sep 2008
Let's hope the former turns out to be true, not the latter.
