CSO - Facebook has quietly fixed a vulnerability discovered recently by two student researchers that allowed malicious websites to access a Facebook user's private data without permission and post malicious links onto their profile.
Students Rui Wang and Zhou Li contacted security firm Sophos and told them that the flaw they found made it possible for any web site to impersonate other sites that had been authorized to access users' data such as name, gender and date of birth. In other words, if a user had accessed any site (such as YouTube, a gaming site or a news site) and had given that site access to their Facebook profile, a malicious site could potentially gain access to the same sensitive data. The researchers also found it was possible for the malicious site to pose as a legitimate web site and publish content on the visiting user's Facebook wall, a common way malware is spread on the social network.
Users were at risk if they visited a malicious web site while logged into Facebook. The flaw was the result of a problem within one of Facebook's authentication mechanisms. The students explain the problem in a YouTube video.
The vulnerability has already been addressed by Facebook: the students practiced responsible disclosure and informed Facebook's security team about the flaw, and Facebook Security responded by fixing it quickly, according to Sophos' Graham Cluley.
"Clearly Facebook's website is a complex piece of software, and it is almost inevitable that vulnerabilities and bugs will be found from time to time," said Cluley. "The risk is compounded by the fact that there's so much sensitive personal info about users being held by the site -- potentially putting many people at risk."
Facebook has fixed many research-discovered bugs in recent years. Earlier this year it patched a flaw that allowed private chats to be made public. Last week, Facebook announced new security enhancements on the site.