Critical Facebook bug exposes sensitive information

Yet another Facebook privacy bug has been discovered – this time by M.J. Keith, a senior security analyst with AlertLogic.

The bug in question makes it possible for an attacker to access a user's account and modify its content, provided the user is duped into clicking on a link to a malicious Web site containing JavaScript that exploits the cross-site request forgery (CSRF) flaw.

According to the security advisory released on Wednesday by AlertLogic, the bug was spotted last week and Facebook was notified immediately. Three days later the social network confirmed it had fixed the issue, but additional testing by Keith yesterday showed that the bug was still present.

IDG News reports that Keith created a simple Web page containing an invisible iframe; when users who were logged into Facebook clicked on the page, they automatically "liked" several pages.

When you think about it, "liking" pages you normally wouldn't could be a big deal if your account is public and the pages in question are embarrassing enough to make your boss think about firing you, or to make friends wonder if they really know you. An attacker reading and misusing your personal information, or making that information public (if it isn't already), could also lead to a heap of trouble.
