An Avnet security researcher reports several security vulnerabilities in major social networking sites that could be used to compromise accounts.
A security researcher recently uncovered numerous cross-site
in Twitter, Facebook and MySpace.
The social networking sites have patched all the bugs, which were discovered
by Nir Goldshlager of Avnet Information Security Consulting and shared with the
sites a few weeks ago.
"When a user logs in to www.facebook.com, www.twitter.com
he is automatically logging in to m.facebook.com
and touch.facebook.com, mobile.twitter.com, m.myspace.com
the same session ID cookie value that was used for [the other sites],"
Goldshlager said. "Facebook uses an HTTP-only flag to avoid cookie
stealing from cross-site scripting attacks, but an attacker doesn't need to
steal the valid cookie or session IDs of the victim to perform unwanted
actions on the victim's account
in Facebook or MySpace."
Successful exploitation meant gaining control over the victim's
account, giving an attacker the ability to send and read messages, see private
data and more, the researcher said.
"An attacker would only need a victim to click on a Website link,"
On Twitter the situation was the same, only an attacker would be able to
steal the session ID and get full control.
The cross-site scripting bugs were all due to input validation issues.
Additionally, a cross-site request forgery issue existed on the mobile version
of MySpace that could be exploited to do things like upload and delete photos
on a victim's account or update a victim's status, Goldshlager said. That
vulnerability was fixed as well.
"MySpace has a security team in place that is wholly dedicated to combating
these types of issues,
" a spokesperson for the site told eWEEK,
adding the problem was fixed quickly.
According to a spokesperson for Facebook, the site seeks to maintain a "strong
relationship with security experts" and has created a form for researchers
to use that it links to from its Help
Center as well as the "White Hats"
tab on the Facebook Security page.