Embarrassing privacy flaw found on Facebook

A researcher has found a critical security flaw on Facebook that could be exploited by hackers to expose sensitive information about users.

M J Keith, a senior security analyst with security firm Alert Logic, discovered the vulnerability which could lead to private information being exposed, or users’ Facebook pages being maliciously defaced.

IDG security reporter Robert McMillan has explained the problem well:

The bug has to do with the way that Facebook checked to make sure that browsers connecting with the site were the ones they claimed to be. Facebook's servers use code called a "post_form_id" token to check that the browser trying to do something -- liking a group, for example -- was actually the browser that had logged into the account. Facebook's servers check this token before making any changes to the user's page, but Keith discovered that when he simply deleted the token from messages, he could change many settings on any Facebook account.


This is a CSRF (cross-site request forgery) attack, which – if left unpatched – would allow hackers to set up malicious webpages that could submit instructions to the victim’s Facebook account without the token ever being validated.
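The bug McMillan describes is the classic "optional token" mistake: the server validates the anti-CSRF token when one is present, but treats a request with the field deleted as having nothing to check. The following is an added illustration, not Facebook's code or anything from Alert Logic's write-up: a toy "like a group" handler with the skip-if-absent check next to the hardened check that rejects a missing or empty token. The function names, the `group_id` field and the sample requests are all constructed for the example; only the `post_form_id` field name comes from the article.

```python
import hmac
import secrets


def weak_csrf_check(session_token, form):
    """Vulnerable pattern: the token is only compared if the client sent one.
    A request with the field removed is accepted without any check."""
    submitted = form.get("post_form_id")
    if submitted is None:
        return True  # BUG: missing token is treated as "nothing to validate"
    return hmac.compare_digest(submitted, session_token)


def strict_csrf_check(session_token, form):
    """Hardened pattern: the token must be present, non-empty and match."""
    submitted = form.get("post_form_id")
    if not submitted:
        return False  # absent or empty token is a rejection, never a pass
    return hmac.compare_digest(submitted, session_token)


def handle_like_request(session_token, form, check):
    """Simulated state-changing endpoint ('like a group'); returns the outcome
    as a string instead of mutating anything, so it is easy to inspect."""
    if not check(session_token, form):
        return "rejected: CSRF token missing or invalid"
    return f"liked group {form.get('group_id')}"


def demo():
    """Run both checks against a forged and a genuine request and return
    the four outcomes keyed by scenario (constructed sample data)."""
    token = secrets.token_hex(16)  # token the site issued to the logged-in browser
    # Constructed request as a third-party page could submit it: it does not
    # know the victim's token, so the field is simply absent.
    forged = {"group_id": "12345"}
    # Constructed request from the victim's own browser, carrying its token.
    genuine = {"group_id": "12345", "post_form_id": token}
    return {
        "weak_forged": handle_like_request(token, forged, weak_csrf_check),
        "weak_genuine": handle_like_request(token, genuine, weak_csrf_check),
        "strict_forged": handle_like_request(token, forged, strict_csrf_check),
        "strict_genuine": handle_like_request(token, genuine, strict_csrf_check),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The only behavioural difference between the two checks is the branch taken when the field is absent, which is exactly the line a code reviewer or a unit test should pin down: a state-changing endpoint should have a test that sends the request with the token removed and asserts it is rejected.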

The consequence? Well, a hacker could make your hitherto private information public, or force your profile to “like” a Facebook group that you may find embarrassing.

M J Keith reports on AlertLogic’s website that he informed Facebook of the problem on the 11th of May, and that the problem has now been fixed.

However, IDG has reported that the security hole is still present.

Hopefully, if it’s not already patched, this privacy flaw – which comes at an embarrassing time for Facebook – will be removed soon.

If you’re a regular user of Facebook, you could do a lot worse than join the Sophos page on the site to ensure you are kept up-to-date with the latest security news. Oh, and remember to be careful about clicking on suspicious links.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
