- Jan 24, 2011
Student researchers Rui Wang and Zhou Li found a vulnerability which allowed malicious websites to access a Facebook user's private data without permission. According to them, it was possible for any website to impersonate other sites which had been authorised to access users' data such as name, gender and date of birth.
Furthermore, the researchers found a way to publish content on the visiting users' Facebook walls (under the guise of legitimate websites) - a potential way to spread malware and phishing attacks.
Here's a YouTube video by Rui and Zhou where the vulnerability is demonstrated. (Note: there's no sound on the video.)
The good news is that the students practiced responsible disclosure, and informed Facebook's security team about the flaw rather than releasing details of how to exploit users' profiles to all and sundry.
Facebook Security responded promptly, and should be applauded for fixing the vulnerability rapidly once they were informed about it.
Source