A couple of weeks ago two students conducting security research contacted me about a vulnerability which they believed they had found with Facebook.
Rui Wang and Zhou Li said that they had found a vulnerability which allowed malicious websites to access a Facebook user’s private data without permission. According to Rui and Zhou, it was possible for any website to impersonate other sites which had been authorised to access users’ data such as name, gender and date of birth.
Furthermore, the researchers found a way to publish content on the visiting users’ Facebook walls (under the guise of legitimate websites) – a potential way to spread malware and phishing attacks.
Here’s a YouTube video by Rui and Zhou where the vulnerability is demonstrated. (Note: there’s no sound on the video.)[youtube=http://www.youtube.com/watch?v=chATOThshtY&w=500&h=311&rel=0]
When I first experimented last week on a test site created for me by Zhou and Rui I couldn’t precisely mimic what you see in the video. The demo website wasn’t able to extract the name of my test Facebook account, and it displayed a “failed” dialog box when it tried to post to my Facebook wall.
Now it’s possible that it didn’t work because I had applied some pretty rigid privacy settings to my test account, and sure enough when I tried again (having installed the ESPN Facebook app onto my test account) it was then successful, and able to extract my name, email address, and post an “evil” link seemingly via the app.
The good news is that the students practiced responsible disclosure, and informed Facebook’s security team about the flaw rather than releasing details of how to exploit users’ profiles to all and sundry.
Facebook Security responded promptly, and should be applauded for fixing the vulnerability rapidly once they were informed about it.
Clearly Facebook’s website is a complex piece of software, and it is almost inevitable that vulnerabilities and bugs will be found from time to time. The risk is compounded by the fact that there’s so much sensitive personal info about users being held by the site – potentially putting many people at risk.
Follow our guide for better security and privacy on Facebook to help lock down your profile from unwanted snoopers. You may also want to join the Sophos page on Facebook, to keep informed of the latest security threats.
But remember that ultimately, if you don’t want your sensitive information to be leaked onto the net, you perhaps shouldn’t be uploading it in the first place.
You can learn more about the now-fixed Facebook flaw in this article published by The Register this morning.