Half a month has passed since the start of theharmonyguy's project aimed at finding and publishing XSS/CSRF vulnerabilities in Facebook applications. He planned to post one vulnerability per day for the whole month of September, but there turned out to be many more than that: he says he has already unearthed enough vulnerabilities to last until the last day of the month.
So far, the count stands at 19 vulnerable applications (all but one patched). 12 of them have been verified by Facebook, and 13 are also vulnerable to clickjacking attacks. Adding up the monthly active users of each of those 19 applications gives a rough figure for the number of affected users: around 169 million. The true number is probably lower, because many users have authorized more than one of these applications, but the core point stands: anyone who has ever authorized one of these applications is exposed, even if they have not used it since.
theharmonyguy says that the goal of his project is to raise awareness about the scope and magnitude of the risks that exist on Facebook, and to alert the Facebook team and other application developers to the consequences of overlooking basic security practices. He has already alerted Facebook to problems inherent in the architecture of their platform, but has not received any response.
At the end of the project, he intends to publish the source code for the attacks.