There was a lot of hoo-ha and speculation yesterday after Mark Zuckerberg’s official Facebook fan page was updated with an unauthorised post.
Initially, Facebook declined to comment on what – at first glance – appeared to be an embarrassing security faux pas by Zuckerberg or one of his staff authorised to update the page. Understandably there was speculation that Zuckerberg or one of his colleagues might have had their passwords guessed or stolen, or perhaps had been ‘sidejacked’ by a tool such as FireSheep while using an unencrypted free WiFi hotspot.
Those were certainly our first thoughts, but now new information shared by Facebook’s security team with the press tells a different story.
For instance, CNET’s Elinor Mills reports that Facebook discovered that an API bug allowed unauthorised parties to post status updates to public Facebook fan pages.
This meant that personal information wasn’t stolen from anyone’s Facebook account – which is a very good thing.
So, it wasn’t a story of a 26-year-old logging in at Starbucks and not realising that someone could be intercepting the communications. And it wasn’t a tale of a junior member of staff being given the keys to administer a page with 2.8 million fans, only to choose a weak password like “123456789”.
Those kinds of mistakes aren’t uncommon, of course, and are security issues which you should be mindful of if you are responsible for the protection of computers and online activity inside your own organisation.
Instead, it turns out that the true story of the Zuckerberg fan page hack is much worse: a vulnerability in Facebook’s code allowed unauthorised parties to post updates to pages, which could potentially have been used for the purposes of phishing, spam and even malicious attack.
And it wasn’t just Zuckerberg’s fan page which was affected. Facebook declined to say which other pages had been hit by hackers exploiting the vulnerability – but it appears that other “high-profile” pages were also impacted.
Facebook has not revealed whether they believed that French President Nicolas Sarkozy’s fan page (which was also breached earlier this week) had been affected by the same bug, but the suspicion must be there.
So, what does this mean for you if you’re a sysadmin responsible for securing your company’s Facebook presence?
Well, the good news is that Facebook says the API bug has now been fixed. They haven’t, however, said if they have informed the owners of any other Facebook fan pages or removed posts which may have been published via the flaw.
So, if you are the administrator of a popular page on Facebook, it wouldn’t do any harm to check that all is in order. You may also want to ensure that your public forums are regularly monitored just in case a similar incident occurs in the future, which might result in your Facebook fans receiving unauthorised updates.
After all, one wonders whether the API vulnerability would have been found so promptly if it hadn’t impacted the official fan page of Facebook’s CEO.
Furthermore, now would be a good time to audit your Facebook page administrators – ask yourself who has access to post to your company’s pages and whether they are following sensible security practices (such as unique, hard-to-crack passwords and use of https when accessing the site).
This may not have been the issue that caused the Zuckerberg fan page defacement, but it still makes a lot of good sense to follow these guidelines inside your company.
If you want to keep abreast of the latest Facebook security news, why not join our Sophos Facebook page where a community of over 100,000 users regularly discuss the threats.