Thursday, February 03, 2011
Students Discover, Alert Facebook to Threat Allowing Access to Private Data, Phishing
Facebook has confirmed that it has repaired a security vulnerability, discovered by a pair of doctoral students at Indiana University Bloomington’s School of Informatics and Computing, that allowed malicious websites to uncover a visitor’s real name, access their private data and post bogus content on their behalf.
The vulnerability discovered by Rui Wang and Zhou Li enabled malicious websites to impersonate legitimate websites, and then obtain the same data access permissions on Facebook that those legitimate websites had received.
Wang and Li said the vulnerability occurred when a user informed Facebook of his or her willingness to share information with popular websites like ESPN.com or YouTube. Whenever a website makes such a request to Facebook via the user’s browser, Facebook passes a secret random string called an authentication token back to the requestor for identification. Whoever holds that authentication token can convince Facebook that they are, say, ESPN.com and then gain unfettered access to the shared data.
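The hand-off described above, modelled as an added example (not Facebook’s code, and not the actual fix, which the article does not describe): a toy issuer registers each legitimate site’s exact callback address, hands out a random bearer token only when the requested return address matches that registration precisely, and can afterwards identify a caller only by the token it presents. A deliberately loose check (`naive_redirect_ok`, a hypothetical weak pattern) is shown beside the strict one so the difference is visible on a lookalike host. All app ids, URLs and tokens are constructed for illustration.

```python
"""Toy model of an access-token hand-off between a site and an issuer.

Added example, not Facebook's code and not the real fix. It illustrates two
points from the article: a bearer token identifies whoever holds it, so the
issuer must be strict about where it delivers the token in the first place.
"""
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed registry: app id -> the exact callback URL registered by the site.
REGISTERED_APPS: Dict[str, str] = {
    "espn": "https://www.espn.com/fb/callback",
    "youtube": "https://www.youtube.com/fb/callback",
}

# Constructed token store: token -> app id it was issued to.
ISSUED_TOKENS: Dict[str, str] = {}


def naive_redirect_ok(app_id: str, redirect_to: str) -> bool:
    """Hypothetical loose check: accepts any host that merely *starts with*
    the registered host. A lookalike such as www.espn.com.evil.example passes."""
    registered = REGISTERED_APPS.get(app_id)
    if registered is None:
        return False
    want = urlsplit(registered).hostname or ""
    got = urlsplit(redirect_to).hostname or ""
    return got.startswith(want)


def strict_redirect_ok(app_id: str, redirect_to: str) -> bool:
    """Strict check: scheme, host, port and path must all match the registration
    exactly, and the scheme must be https."""
    registered = REGISTERED_APPS.get(app_id)
    if registered is None:
        return False
    want, got = urlsplit(registered), urlsplit(redirect_to)
    if got.scheme != "https":
        return False
    return (want.scheme, want.hostname, want.port, want.path) == (
        got.scheme, got.hostname, got.port, got.path
    )


def issue_token(app_id: str, redirect_to: str) -> Optional[str]:
    """Issue a fresh random bearer token, but only to the registered callback.

    Returns None when the return address does not match the registration, so
    a site that impersonates another cannot receive that site's token."""
    if not strict_redirect_ok(app_id, redirect_to):
        return None
    token = secrets.token_urlsafe(32)  # secret random string, per the article
    ISSUED_TOKENS[token] = app_id
    return token


def who_is_calling(token: str) -> Optional[str]:
    """Bearer property: the issuer can identify a caller only by the token
    presented, so whoever holds it is treated as the app it was issued to."""
    return ISSUED_TOKENS.get(token)


if __name__ == "__main__":
    good = issue_token("espn", "https://www.espn.com/fb/callback")
    print("legitimate callback gets a token:", good is not None)
    print("issuer sees the holder as:", who_is_calling(good or ""))
    lookalike = "https://www.espn.com.evil.example/fb/callback"
    print("naive check on lookalike:", naive_redirect_ok("espn", lookalike))
    print("strict check on lookalike:", strict_redirect_ok("espn", lookalike))
    print("lookalike gets a token:", issue_token("espn", lookalike) is not None)
```

The strict comparison is deliberately an exact match on every component rather than a prefix or substring test; the loose function exists only to show how a prefix test lets a differently owned host read as the registered one.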
Facebook confirmed the discovery and said in a statement that the problem had been repaired and that it believed no sites had been compromised.