Facebook Fixes Security Vulnerability
Cybersecurity
SHARE
Facebook X Pinterest WhatsApp

Facebook Fixes Security Vulnerability

Written By
Brian Prince
Brian Prince
Feb 2, 2011
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

A pair of researchers from the Indiana University uncovered a vulnerability in Facebook that allowed attackers to get their hands on user data.

Students Rui Wang and Zhou Li found a flaw in the Facebook platform code that enables a malicious site to impersonate other Websites and obtain the same access permissions those sites receive.

“Bing.com by default has the permission to access any Facebook users’ basic information such as name, gender, etc., so our malicious website is able to deanonymize the users by impersonating Bing.com,” Wang told eWEEK in an e-mail. “In addition, due to business needs, there are many websites requesting more permissions, including access to a user’s private data, and publishing content on Facebook on her behalf. Therefore, by impersonating those websites (e.g., NYTimes, ESPN, YouTube, and FarmVille, etc.), our website can obtain the same permissions to steal the private data or post bogus messages on Facebook on the user’s behalf.”

Facebook patched the flaw shortly after it was reported to it, and said it is not aware of the issue having been exploited.

“Security is a top priority for us, and we devote significant resources to protecting people’s accounts and information,” a company spokesperson said. “We maintain a strong relationship with security experts around the world and work closely with them in the rare instances in which they find vulnerabilities on Facebook.”

A YouTube video of the exploit in action can be viewed here.

“When I first experimented last week on a test site created for me by Zhou and Rui I couldn’t precisely mimic what you see in the video,”blogged Graham Cluley, senior technology consultant at Sophos. “The demo website wasn’t able to extract the name of my test Facebook account, and it displayed a ‘failed’ dialog box when it tried to post to my Facebook wall.

“Now it’s possible that it didn’t work because I had applied some pretty rigid privacy settings to my test account, and sure enough when I tried again (having installed the ESPN Facebook app onto my test account) it was then successful, and able to extract my name, email address, and post an ‘evil’ link seemingly via the app,” he wrote.
Brian Prince
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information