Skip the navigation

Facebook fixes bug that allowed friend deletion

By Robert McMillan
May 21, 2010 08:21 PM ET

IDG News Service - Facebook has fixed a flaw that let hackers delete Facebook friends without permission.

The flaw was reported Wednesday by Steven Abbagnaro, a student at Marist College in Poughkeepsie, New York. It was patched Friday afternoon, Pacific time, after the IDG News Service notified Facebook of the issue.

The bug was a variation of an earlier vulnerability that Facebook learned about last week, which affected a range of features on the Web site. Hackers could have leveraged Abbagnaro's bug to delete all of a victim's contacts, one by one, but it does not appear that anyone ever exploited it in a malicious way.

For Abbagnaro's attack to work, however, a user would have to have been tricked into clicking on a malicious Web link while still logged into Facebook.

Facebook has struggled this week to fix these bugs, which are called cross-site request forgery flaws. They exist because of relatively simple Web programming mistakes in the Web site's code, and security researchers have criticized Facebook for not fixing them more quickly.

"We're in the process of doing a full audit and are building additional protections for this type of potential attack across the code base," said Simon Axten, a Facebook spokesman, in a Friday e-mail interview. "We began working on this one as soon as we learned about it and pushed a fix early this afternoon."

Robert McMillan can be reached at robert_mcmillan@idg.com. He is on Twitter at: http://twitter.com/bobmcmillan

Reprinted with permission from IDG.net. Story copyright 2014 International Data Group. All rights reserved.
Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!