Facebook plugs hole in profile security

24 June 2009

Facebook has plugged a major security hole that researchers say enabled any member of the site to view other users' personal information.

The security flaw was found by new Facebook-watching blog FBHive. Originally reported to Facebook on June 7, the bug went unfixed until yesterday.

"With a simple hack, everything listed in a person’s “Basic Information” section can be viewed, no matter what their privacy settings are. This information includes networks, sex, birthday, hometown, siblings, parents, relationship status, interested in, looking for, political views and religious views," said a June 22 posting on the blog. "We have already reported this bug to Facebook on June 7th 2009, through multiple avenues, but it has received little attention. Hopefully this incites a little more action from them."

Carried out when editing personal information on a profile, the attack was executed by changing the profile ID parameter in the HTTP POST request. The researchers did this using Tamper Data, a plug-in for the Firefox browser that enables users to edit HTTP POST request parameters with the help of an easy-to-use graphical user interface.
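A minimal model of the server-side check that this class of bug is missing, added here as an illustration and not code from the article or from FBHive; the profile store, the function names and the sample accounts are constructed for the example:

```python
"""Added example, not code from the article or FBHive: a minimal model of the
profile-edit endpoint the article describes, trusting the POST body's profile
ID (vulnerable) versus authorizing against the session (hardened). All names
and the sample profiles are constructed for illustration."""

# Constructed sample store: profile id -> owner account and "Basic Information".
PROFILES = {
    1001: {"owner": "alice", "hometown": "Leeds", "political_views": "private"},
    1002: {"owner": "bob", "hometown": "York", "political_views": "private"},
}

DENIED_LOG = []  # audit trail of rejected edit requests (defender's detection data)


def edit_profile_vulnerable(session_user, form):
    """Uses the profile ID from the POST body as the object to operate on.
    Any logged-in member who alters that parameter is shown another member's
    basic information, whatever that member's privacy settings say."""
    profile_id = int(form["profile_id"])
    return {"status": 200, "body": PROFILES[profile_id]}


def edit_profile_hardened(session_user, form):
    """Same request shape, but authorization comes from the server-side
    session: the caller may only touch a profile it owns. A mismatch is
    refused with a generic 403 (no hint whether the ID exists) and logged,
    since a run of such mismatches is the signal of parameter tampering."""
    try:
        profile_id = int(form["profile_id"])
    except (KeyError, ValueError):
        return {"status": 400, "body": "bad request"}
    profile = PROFILES.get(profile_id)
    if profile is None or profile["owner"] != session_user:
        DENIED_LOG.append({"user": session_user, "profile_id": profile_id})
        return {"status": 403, "body": "forbidden"}
    return {"status": 200, "body": profile}


def tampering_suspects(log, threshold=3):
    """Detection helper: accounts with at least `threshold` denied requests,
    i.e. sessions that kept cycling through other members' profile IDs."""
    counts = {}
    for entry in log:
        counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```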

To prove that the attack worked, the team posted the personal information of several Internet celebrities, including Cory Doctorow, the editor of the popular blog Boing Boing, and Facebook CEO Mark Zuckerberg.

Although the blog originally highlighted the flaw on June 22, it did not immediately demonstrate how it was done. Instead, it stated that it would be posting a demonstration in the next few days, giving Facebook's security team further time to fix the bug.

The authors posted a video demonstrating the attack yesterday, but by this time, Facebook's security team had been in touch and fixed the bug.

The blog authors acknowledged the fix and made it clear that the attack shown in the video no longer works. The blog also removed the personal details it had posted online, at Facebook's request.

"We have identified this bug and closed the loophole," Facebook said in a statement. "We don't have any evidence to suggest that it was ever exploited for malicious purposes."

However, this is not the first time that Facebook has experienced security problems. FBHive points to a report by The Register in 2007, highlighting a more complex attack that achieved the same result. And the company has also had to fix flaws that enabled unauthorized members to view others' private photos.
