Facebook flaw allowed websites to steal users' personal data without consent

Filed Under: Facebook, Privacy, Social networks, Vulnerability

A couple of weeks ago two students conducting security research contacted me about a vulnerability which they believed they had found with Facebook.

Rui Wang and Zhou Li said that they had found a vulnerability which allowed malicious websites to access a Facebook user's private data without permission. According to Rui and Zhou, it was possible for any website to impersonate other sites which had been authorised to access users' data such as name, gender and date of birth.

Furthermore, the researchers found a way to publish content on the visiting users' Facebook walls (under the guise of legitimate websites) - a potential way to spread malware and phishing attacks.

Here's a YouTube video by Rui and Zhou where the vulnerability is demonstrated. (Note: there's no sound on the video.)

When I first experimented last week on a test site created for me by Zhou and Rui I couldn't precisely mimic what you see in the video. The demo website wasn't able to extract the name of my test Facebook account, and it displayed a "failed" dialog box when it tried to post to my Facebook wall.

Facebook vulnerability

Now it's possible that it didn't work because I had applied some pretty rigid privacy settings to my test account, and sure enough when I tried again (having installed the ESPN Facebook app onto my test account) it was then successful, and able to extract my name, email address, and post an "evil" link seemingly via the app.


The good news is that the students practiced responsible disclosure, and informed Facebook's security team about the flaw rather than releasing details of how to exploit users' profiles to all and sundry.

Facebook Security responded promptly, and should be applauded for fixing the vulnerability rapidly once they were informed about it.

Clearly Facebook's website is a complex piece of software, and it is almost inevitable that vulnerabilities and bugs will be found from time to time. The risk is compounded by the fact that there's so much sensitive personal info about users being held by the site - potentially putting many people at risk.

Follow our guide for better security and privacy on Facebook to help lock down your profile from unwanted snoopers. You may also want to join the Sophos page on Facebook, to keep informed of the latest security threats.

But remember that ultimately, if you don't want your sensitive information to be leaked onto the net, you perhaps shouldn't be uploading it in the first place.

You can learn more about the now-fixed Facebook flaw in this article published by The Register this morning.

, , , ,

You might like

8 Responses to Facebook flaw allowed websites to steal users' personal data without consent

  1. Jay Ar Decenella · 1709 days ago

    Is it also possible to extract pieces of information that are configured to be visible only to the owner of the account?

    • Rui Wang · 1709 days ago

      yes, it is. For example, even if you configure your birthday only visible to yourself, but Facebook still allows it to share with other websites. So the attack still works.

  2. If I understand correctly, it's not possible to extract anything anymore as Facebook fixed it shortly after being notified.
    Also, if this had been exploited in the wild, I think it would have been fairly high profile given that potentially an attacker could have theoretically posted on your behalf and had it attributed to an app you already authorised and trusted.

    • Correct, the exploit did not become public knowledge. The researchers shared it with a security journalist at The Register and myself (perhaps others in the same industry too, I don't know) to confirm their findings.

      It's great that they acted responsibly and worked with Facebook's security team to get the problem fixed rather than reveal the details for all the world to exploit.

  3. Thu Win · 1709 days ago

    But what if you uncheck everything in info accessable through your friends in the info settings

  4. bryan merrick · 1709 days ago

    i have sacked facebook today due to a site called ''the daily gossip'' it has just over a thousand people all joined, it all began when a conversation between me and my daughter in august was flashed up before my very eyes and was a personel conversation. I was absolutly amazed to see some group i had joined 72 hours previously simply going back to august and showing me this long conversation.
    I was happily finding all my cousins as i moved away from the area i lived in many years ago, but to be honest i am never touching any social network site again as my private conversations were flashed all over the page to abuse me and be a clever fella in his book. Since facebook has grown it seems to me that not everything has been thought out properly and therefore is just a sham-site and a complete joke to the average computer user. -10 out of -10

  5. british bird · 1709 days ago

    well i cant get back on sodding faceache,,,somethings weird, im getting messages to change password on all my mail accounts,,,hmmmm, i dunno,i dont care,ive decided to put my laptop in the microwave,..problem solved

  6. judi · 1708 days ago

    i wish facebook would be more protective of people rights vs the way most is ran to intrusive. need much more information on ways to protect people who use for good reason not to cause harm to computers or others.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley