Facebook bug that allows personal data access, phishing repaired
Washington, Feb 6 (ANI): A Facebook security vulnerability that would have allowed anyone to access your personal data has been fixed by the company.
The vulnerability was discovered by Rui Wang and Zhou Li. It enabled malicious websites to impersonate legitimate websites, and then obtain the same data access permissions on Facebook that those legitimate websites had received.
The bug occurred when a user informed Facebook of his or her willingness to share information with popular websites like ESPN.com or YouTube.
When such a request is made, Facebook passes a secret random string, called an authentication token, back to the requesting site to identify it. Whoever holds that authentication token can convince Facebook that they are, say, ESPN.com, thereby gaining unlimited access.
"Researchers at Indiana University reported a vulnerability in our Platform code to us, and we worked quickly with them to resolve it. It was fixed shortly after it was reported. We're not aware of any cases in which it was used maliciously," the statement said.
"We thank the researchers at Indiana University for bringing this to our attention, and for demonstrating the value of responsible disclosure."
The researchers identified a flaw in the way the token was transmitted using two Flash objects: one inside Facebook's iframe passes the token to the second, which in this case would be embedded at ESPN.com.
The transfer mode is selected with "transport='flash'", and its security guarantee is that both Flash objects must come from the same domain (i.e., Facebook) before they can talk.
The researchers found, however, that this same-domain assumption does not always hold: Adobe Flash permits cross-domain communication when the connection name is prefixed with an underscore symbol, because such a name is not tied to a predictable sender domain.
"This vulnerability has several implications. Basically, any user with a valid Facebook session loses anonymity and privacy to any website, even one with embarrassing or sensitive content," Wang said.
"Our attack utilized a feature of Adobe Flash called unpredictable communication, and an important distinction between an unpredictable communication and a normal communication is that the former is done through a connection where the name starts with an underscore symbol," Li said.
"Therefore, Facebook could check for this symbol to determine if a potentially malicious website tries to do unpredictable communication."
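As an added illustration, not code from the article or from Facebook, the following JavaScript models the check Li proposes above: a token relay that refuses any connection whose name begins with an underscore and otherwise requires the domain-qualified name it expects. The domain names, the "domain:channel" naming convention and the helper functions are assumptions made for the example.

```javascript
// Added example (not Facebook's code). Assumption: in Flash LocalConnection a
// name starting with "_" is not qualified with the sender's domain, so a SWF
// from any site may connect to it; a plain name is qualified as
// "<domain>:<channel>", which is what the same-domain guarantee relies on.
const EXPECTED_DOMAIN = "facebook.com"; // assumed owner of the relaying SWF

// Classify a connection name before relaying an auth token over it.
// Returns { ok: boolean, reason: string }.
function evaluateConnectionName(name) {
  if (typeof name !== "string" || name.trim() === "") {
    return { ok: false, reason: "empty connection name" };
  }
  const trimmed = name.trim();
  if (trimmed.startsWith("_")) {
    // Underscore-prefixed names skip the domain prefix: the same-domain
    // assumption no longer holds, so a token must never be relayed here.
    return { ok: false, reason: "unqualified (underscore) connection name" };
  }
  const sep = trimmed.indexOf(":");
  if (sep <= 0) {
    return { ok: false, reason: "connection name lacks a domain qualifier" };
  }
  const domain = trimmed.slice(0, sep).toLowerCase();
  const channel = trimmed.slice(sep + 1);
  if (domain !== EXPECTED_DOMAIN) {
    return { ok: false, reason: `unexpected domain ${domain}` };
  }
  if (channel === "") {
    return { ok: false, reason: "empty channel name" };
  }
  return { ok: true, reason: "domain-qualified name from the expected domain" };
}

// Relay decision: hand the token over only when the channel passes the check.
function relayToken(token, connectionName) {
  const verdict = evaluateConnectionName(connectionName);
  if (!verdict.ok) {
    return { sent: false, token: null, reason: verdict.reason };
  }
  return { sent: true, token, reason: verdict.reason };
}

// Constructed sample names (not taken from the article).
const SAMPLE_NAMES = [
  "facebook.com:xd_token",      // legitimate, domain-qualified
  "_xd_token",                  // cross-domain capable: must be refused
  "attacker.example:xd_token",  // wrong domain
  "xd_token",                   // no qualifier at all
];
for (const n of SAMPLE_NAMES) console.log(n, relayToken("tok", n));
```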
Facebook officials noted that contact forms are available both at the Facebook Help Center and on the "Whitehats" tab of the Facebook Security Page for the rare instances in which vulnerabilities are found. (ANI)