Facebook fixes a bug in its platform that permitted attackers to access user data without their consent.
A pair of researchers from the Indiana
University uncovered a
vulnerability in Facebook that allowed attackers to get their hands on
Students Rui Wang and Zhou Li found a flaw in the Facebook platform
code that enables a malicious site to impersonate other Websites and
obtain the same
those sites receive.
"Bing.com by default has the permission to access
any Facebook users' basic information such as name, gender, etc., so our
is able to deanonymize the users by impersonating
Bing.com," Wang told eWEEK in an e-mail. "In addition, due to
business needs, there are many websites requesting more permissions, including
access to a user's private data, and publishing content
on Facebook on her behalf. Therefore, by impersonating those websites
(e.g., NYTimes, ESPN, YouTube, and FarmVille, etc.), our website can obtain the
same permissions to steal the private data or post bogus messages on Facebook
on the user's behalf."
Facebook patched the flaw shortly after it was reported to it, and said it
is not aware of the issue having been exploited.
"Security is a top priority for us, and we devote significant resources
to protecting people's accounts and information," a company spokesperson
said. "We maintain a strong relationship with security experts around the
world and work closely with them in the rare instances in which they find
vulnerabilities on Facebook."
A YouTube video of the exploit in action can be viewed here
"When I first experimented last week on a test site created for me by
Zhou and Rui I couldn't precisely mimic what you see in the video,"
blogged Graham Cluley
, senior technology consultant at Sophos. "The
demo website wasn't able to extract the name of my test Facebook account, and
it displayed a 'failed' dialog box when it tried to post to my Facebook wall.
"Now it's possible that it didn't work because I had applied some
pretty rigid privacy settings to my test account, and sure enough when I tried
again (having installed the ESPN Facebook app onto my test account) it was then
successful, and able to extract my name, email address, and post an 'evil' link
seemingly via the app," he wrote.