Facebook refuses to fix obvious security flaw

Facebook refuses to fix obvious security flaw

Summary: [ UPDATE:  Facebook has reversed itself and fixed this vulnerability ]  The Register's Dan Goodin has the scoop on an obvious security vulnerability that's being ignored by the powers at Facebook.The issue, as demonstrated by this proof-of-concept, shows how a social network application can be rigged to hijack a Facebook user's session identification cookies, deliver pop-up messages or change the color of Facebook pages.

SHARE:

Facebook refuses to fix obvious security flaw

[ UPDATE:  Facebook has reversed itself and fixed this vulnerability ] 

The Register's Dan Goodin has the scoop on an obvious security vulnerability that's being ignored by the powers at Facebook.

The issue, as demonstrated by this proof-of-concept, shows how a social network application can be rigged to hijack a Facebook user's session identification cookies, deliver pop-up messages or change the color of Facebook pages.

"With a little extra work, an attacker could probably do much more, including send and read messages from a user's account, change privacy settings and add or delete Facebook friends," according to the report.

When I tested the code while logged in to Facebook, it worked as advertised and proves conclusively that Facebook fails to sanitize the content of third-party applications.  This exposes Facebook's massive user base to a variety of hacker attacks.

[ SEE: Web worms squirm through Facebook, MySpace ]

Worse, the developer who reported the flaw to Facebook says the company has refused to acknowledge the risk.

  • Wachelka said he filed a bug report with Facebook on Friday and promptly received a message saying the matter had been closed. "Our FBML tags are written not to run Javascript," Facebook asserted.

A weakness in Facebook's filtering recently exposed users to a malicious worm attack via the site's commenting system.

* Image source:  We Blog Cartoons.

Topics: Collaboration, Security, Social Enterprise

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

11 comments
Log in or register to join the discussion
  • Fixed.

    Looks like Facebook has fixed the bug. I just clicked the link and saw this text:

    The bug is fixed :)
    ZDNET_guest666
    • Yup

      Yup, it got fixed last night after the media picked up the story. Security-by-PR :(

      _r
      Ryan Naraine
      • The problem with pro-active security

        is that it doesn't make headlines. At least Facebook will now get headlines over the fact that they made a fix.
        Michael Kelly
        • Headline of this sort aren't good for business

          It's not the type of plublicity you want though. There used to be a saying that "no publicity is bad publicity" but in the internet world that's changed. Publicity that puts fear into you customers is not good.

          It's much better to not have the security vulnerability widely known and about and quietly fixed before it can be exploited. That way no harm to your reputation. FaceBook is already feeling the pinch of being known as place to get viruses and lots of people are shying away from Facebook these days.
          voska1
  • RE: Facebook refuses to fix obvious security flaw

    It is troubling that Facebook need to have a large amount press before it fixes a problem.
    With the amount of people it has and the press coverage it gets they should be more proactive in fixing security vulnerabilities and other bugs.
    phatkat
    • Probably because

      ... the only implication for a hijacked Facebook session is a compromised social networking site. Not much in terms of real damage can be done if you hack into somebody's account.
      zenotek
      • Not much

        Only ruining someone's reputation or even driving them to suicide, potentially? It has happened on other social networking sites!
        d.s.williams
  • RE: Facebook refuses to fix obvious security flaw

    Such as the fact that applications completely ignore any user privacy options and have the ability to access ALL of your data and photographs. Not only that, but it gets to access a lot more information about the user than the user themselves get to see.
    Bozzer
  • Sharing Facebook articles on ZDNet

    I find it fascinating that, even though ZDNet relatively frequently includes items about Facebook, it is not one of the "Share" options. So if I want to tell all my Facebook contacts about them, I have to do it another (more complicated) way.
    Why are there so few Share options here?
    d.s.williams
  • Security Risks vs ROI

    That's what it's all about in business.

    Facebook and other internet businesses either understand that concept, and use it, or they are eventually slain by attackers and loss of clients.
    Dr_Zinj
    • Indeed

      Let's hope the former turns out to be true, not the latter.
      d.s.williams