Friday, October 23, 2009

Facebook application security hole exposes millions to hacking, researcher says - 19 Oct 09

A security researcher is warning Facebook users about potential vulnerabilities in Facebook applications that could allow cross-site scripting (XSS) hacker attacks for hijacking user accounts.

Hacked Facebook applications could threaten the account security of Facebook's roughly 300 million users, posing a risk of identity theft and account hijacking. Hackers controlling accounts can then access a user's friends' accounts.

The security researcher who goes by the handle "the harmony guy" said on a website that "nearly any XSS vulnerability in a Facebook application allows a sort of cross-site request forgery in that one can use application credentials to make requests to the Facebook API."

This means the attacker can use the application to access Facebook user profiles and photos, even "send notifications to your profile, send notifications to other people (anonymously or from you) and post feed stories to your wall, all with links included," the researcher said on
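The mechanism the researcher describes starts with an ordinary reflected XSS in a third-party application page: once untrusted input is written into the page without encoding, any script it carries runs with whatever credentials that page holds, which is what turns an XSS bug into API calls made in the application's name. The following Python snippet is an added illustration, not code from any application named in the article or from Facebook; the page template, parameter name and function names are assumptions. It places a vulnerable renderer beside the hardened one and includes a small check that a reviewer can run to confirm the reflected value is no longer live markup.

```python
import html
from urllib.parse import parse_qs

# Constructed example of a minimal application "canvas" page that greets the
# visitor by a query-string parameter. The template and parameter name are
# assumptions made for this illustration, not any real application's code.


def render_greeting_vulnerable(query_string: str) -> str:
    """Reflect the 'name' parameter straight into HTML (the XSS-prone pattern).

    Any markup in 'name' is emitted verbatim, so script in it executes in the
    application's page and inherits whatever credentials that page can use.
    """
    params = parse_qs(query_string)
    name = params.get("name", [""])[0]
    return f"<p>Hello, {name}!</p>"


def render_greeting_hardened(query_string: str) -> str:
    """Same page, but the untrusted value is HTML-encoded before insertion.

    html.escape with quote=True converts < > & " and ' to entities, so the
    browser renders the value as text rather than parsing it as markup.
    """
    params = parse_qs(query_string)
    name = params.get("name", [""])[0]
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def reflects_unencoded(page: str, untrusted: str) -> bool:
    """Review check: does the untrusted value appear verbatim in the output?

    If it does, any tag characters it contains are live markup. This is a
    deliberately simple comparison for the two renderers above, not a
    general XSS scanner.
    """
    return untrusted in page


if __name__ == "__main__":
    # Constructed sample input containing markup, as a tester would supply it.
    sample = "<script>alert(1)</script>"
    query = f"name={sample}"
    for label, renderer in (("vulnerable", render_greeting_vulnerable),
                            ("hardened", render_greeting_hardened)):
        page = renderer(query)
        print(f"{label:10} live markup: {reflects_unencoded(page, sample)}")
        print(f"{'':10} output: {page}")
```

Encoding at the point where untrusted data meets HTML is the fix for the reflected case; it does not by itself address stored input or data written through script-side DOM APIs, which need the same discipline at each sink.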

Writing for the technology blog ReadWriteWeb, Sarah Perez reported that the Facebook application vulnerability exists on 9,700 apps, including six of the 10 most popular Facebook apps.

"With hacked apps, security vulnerabilities, lack of privacy policies and apps that can read your private profile information, one has to wonder if using any Facebook application is appropriate and safe these days," Perez wrote, in an article appearing on
