Facebook has patched a rather interesting flaw this week, which allowed anyone to view all of the information on an account's basic information section, even if this information had been hidden by the user with the website's security settings. The flaw, first brought to Facebook’s attention by FBHive, took fifteen days to correct.
Facebook privacy bug patched.
The vulnerability could be triggered by anyone who altered the POST data sent from their own logged-in session. In a video demonstration, FBHive accessed the basic information section of their own Facebook account and used Tamper Data (a Firefox extension for intercepting and altering HTTP requests) to modify the profile ID, granting them access to personal information about Facebook CEO Mark Zuckerberg, Digg founder Kevin Rose, and famous blogger Cory Doctorow.
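The behaviour described above is what a missing server-side authorization check on a client-supplied identifier looks like. As an added illustration (not Facebook's code; the handler names, field names and visibility levels are assumptions, and the profile data is constructed), this contrasts a handler that trusts the `profile_id` in the POST body with one that applies the owner's privacy settings against the session identity:

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    owner_id: str
    basic_info: dict   # field name -> value
    visibility: dict   # field name -> "everyone" | "friends" | "only_me"
    friends: set = field(default_factory=set)

# Constructed sample data (hypothetical accounts, not real users).
PROFILES = {
    "1001": Profile("1001", {"birthday": "1 Jan", "hometown": "Springfield"},
                    {"birthday": "only_me", "hometown": "friends"}, {"1003"}),
    "1002": Profile("1002", {"birthday": "2 Feb", "hometown": "Shelbyville"},
                    {"birthday": "everyone", "hometown": "everyone"}),
}

def basic_info_vulnerable(session_user_id, post_data):
    """Assumed pre-patch pattern: being logged in is the only check, so the
    response follows whatever profile_id the client put in the POST body."""
    if session_user_id is None:
        raise PermissionError("login required")
    return dict(PROFILES[post_data["profile_id"]].basic_info)

def _may_view(viewer_id, profile, field_name):
    # Default-deny: a field with no explicit setting is treated as private.
    level = profile.visibility.get(field_name, "only_me")
    if viewer_id == profile.owner_id or level == "everyone":
        return True
    return level == "friends" and viewer_id in profile.friends

def basic_info_hardened(session_user_id, post_data):
    """The viewer comes from the server-side session, never from the request
    body, and each field is filtered by the target profile's own settings."""
    if session_user_id is None:
        raise PermissionError("login required")
    profile = PROFILES.get(str(post_data.get("profile_id", "")))
    if profile is None:
        return {}  # unknown id: reveal nothing
    return {name: value for name, value in profile.basic_info.items()
            if _may_view(session_user_id, profile, name)}
```

The hardened handler performs the check on every request for the profile actually named in it, so hiding a field in the user interface is never the only control.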
In their initial posting on the vulnerability, FBHive reported that they attempted several times to have this flaw fixed. They started contacting Facebook on June 7, but it was not until they released the flaw to the masses on June 22 that Facebook acted.
According to Facebook, “We have identified this bug and closed the loophole. We don’t have any evidence to suggest that it was ever exploited for malicious purposes.”
FBHive’s disclosure, similar to the search vulnerability discovered on Facebook in 2007, is just the latest in a string of problems the site has faced recently. While Facebook has added tighter security controls, small Web-based errors like this, targeted phishing scams and worm attacks mean that the site seems to move one step forward and then two steps back.
One security expert thinks it's easier to just keep personal information offline entirely.
"It's great that Facebook has fixed this loophole, but disturbing that the vulnerability was there in the first place - as millions of Facebook users could potentially have been in danger of having information snatched which they believed to have been secured," said Graham Cluley, senior technology consultant at Sophos.
"Maybe people need to learn that if they really want to be secure on social networks they shouldn't rely on the website keeping their data safe and sound - maybe it's better not to upload any personal information in the first place."
Maybe he has a point.