Students Find Facebook Security Flaw
A pair of researchers from Indiana University uncovered a vulnerability in Facebook that allowed attackers to get their hands on user data.
Students Rui Wang and Zhou Li found a flaw in the Facebook platform code that enables a malicious site to impersonate other Websites and obtain the same access permissions those sites receive.
"Bing.com by default has the permission to access any Facebook users' basic information such as name, gender, etc., so our malicious website is able to deanonymize the users by impersonating Bing.com," Wang told eWEEK in an e-mail. "In addition, due to business needs, there are many websites requesting more permissions, including access to a user's private data, and publishing content on Facebook on her behalf. Therefore, by impersonating those websites (e.g., NYTimes, ESPN, YouTube, and FarmVille, etc.), our website can obtain the same permissions to steal the private data or post bogus messages on Facebook on the user's behalf."
Facebook patched the flaw shortly after it was reported, and said it was not aware of the issue having been exploited.
For more, read the eWeek article: Facebook Fixes Security Vulnerability.