Embarrassing privacy flaw found on Facebook

Filed Under: Data loss, Facebook, Privacy, Social networks

A researcher has found a critical security flaw on Facebook that could be exploited by hackers to expose sensitive information about users.

M J Keith, a senior security analyst with security firm Alert Logic, discovered the vulnerability which could lead to private information being exposed, or users' Facebook pages being maliciously defaced.

IDG security reporter Robert McMillan has explained the problem well:

The bug has to do with the way that Facebook checked to make sure that browsers connecting with the site were the ones they claimed to be. Facebook's servers use code called a "post_form_id" token to check that the browser trying to do something -- liking a group, for example -- was actually the browser that had logged into the account. Facebook's servers check this token before making any changes to the user's page, but Keith discovered that when he simply deleted the token from messages, he could change many settings on any Facebook account.

This is a CSRF (cross-site request forgery) attack. The post_form_id token exists precisely to prove that a state-changing request came from a page Facebook served to the logged-in browser, but because the servers apparently skipped the comparison whenever the token was absent rather than rejecting the request, that protection could be bypassed. Left unpatched, this would allow hackers to set up malicious webpages that submit instructions to the victim's Facebook account without validation.

The consequence? Well, a hacker could make your hitherto private information public, or force your profile to "like" a Facebook group that you may find embarrassing.
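The failure mode McMillan describes is a token check that fails open: the server only compares post_form_id when the field is present, so a request with the field stripped out is never checked at all. The following Python is an added example, not Facebook's code and not taken from the Alert Logic write-up; the session structure, the SESSION dictionary, the check functions and the handle_like endpoint are all constructed here to contrast the fail-open pattern with a fail-closed one on the same three requests.

```python
import hmac
import secrets

# Constructed sample session. A real server mints the token at login and keeps
# it server-side (or in a signed cookie) so it can be compared on every request.
SESSION = {"user_id": 42, "post_form_id": secrets.token_hex(16)}


def _tokens_match(sent: str, expected: str) -> bool:
    # Constant-time comparison; both sides are encoded so compare_digest never
    # raises on non-ASCII input.
    return hmac.compare_digest(sent.encode("utf-8"), expected.encode("utf-8"))


def check_fail_open(session: dict, form: dict) -> bool:
    """The weak pattern the article describes: the token is compared only when
    the client includes it. Omit the field and no comparison happens."""
    sent = form.get("post_form_id")
    if sent is None:
        return True  # nothing to compare, so the request is allowed (the bug)
    return _tokens_match(sent, session["post_form_id"])


def check_fail_closed(session: dict, form: dict) -> bool:
    """Hardened pattern: an absent, empty, wrong-typed or mismatched token is
    rejected, so a cross-site POST cannot get past the check by leaving the
    field out."""
    sent = form.get("post_form_id")
    if not isinstance(sent, str) or not sent:
        return False
    return _tokens_match(sent, session["post_form_id"])


def handle_like(session: dict, form: dict, check, likes: set) -> str:
    """State-changing endpoint (the article's 'liking a group') gated by the
    supplied check. Mutates `likes` only when the check passes."""
    if not check(session, form):
        return "rejected: bad or missing post_form_id"
    likes.add(form["group"])
    return f"liked {form['group']}"


def demo() -> dict:
    """Runs the same three constructed requests through both checks and
    returns what each endpoint did."""
    genuine = {"group": "sophos", "post_form_id": SESSION["post_form_id"]}
    missing = {"group": "embarrassing-group"}  # token field simply absent
    wrong = {"group": "embarrassing-group", "post_form_id": "0" * 32}
    results = {}
    for name, check in (("fail_open", check_fail_open),
                        ("fail_closed", check_fail_closed)):
        likes: set = set()
        results[name] = {
            "genuine": handle_like(SESSION, genuine, check, likes),
            "missing": handle_like(SESSION, missing, check, likes),
            "wrong": handle_like(SESSION, wrong, check, likes),
            "likes": sorted(likes),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Both checks reject a wrong token; only the fail-closed version also rejects a request with no token, which is the case that mattered here. The general rule for any anti-CSRF token is that every state-changing request must carry it and the server must treat "not supplied" exactly like "incorrect".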

M J Keith reports on AlertLogic's website that he informed Facebook of the problem on the 11th of May, and that the problem has now been fixed.

However, IDG has reported that the security hole is still present.

Hopefully, if it's not already patched, this privacy flaw - which comes at an embarrassing time for Facebook - will be removed soon.

If you're a regular user of Facebook, you could do a lot worse than join the Sophos page on the site to ensure you are kept up-to-date with the latest security news. Oh, and remember to be careful about clicking on suspicious links.



About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.