Facebook application security hole exposes millions to hacking, researcher says
Monday, October 19, 2009
A security researcher is warning Facebook users about potential vulnerabilities in Facebook applications that could allow cross-site scripting (XSS) attacks capable of hijacking user accounts.
Hacked Facebook applications could threaten the account security of Facebook's roughly 300 million users, posing a risk of identity theft and account hijacking. Attackers who gain control of an account can then reach the accounts of that user's friends.
The security researcher who goes by the handle "the harmony guy" said on a website that "nearly any XSS vulnerability in a Facebook application allows a sort of cross-site request forgery in that one can use application credentials to make requests to the Facebook API."
This means the attacker can use the application to access Facebook user profiles and photos, even "send notifications to your profile, send notifications to other people (anonymously or from you) and post feed stories to your wall, all with links included," the researcher said on theharmonyguy.com.
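As an added illustration (not code from the article or from theharmonyguy.com), the reflected-XSS half of the problem in a toy third-party app canvas page: the vulnerable rendering beside its escaped form, plus a crude check a reviewer could run over rendered output. The query string, template and parameter name are constructed for this example.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query string such as an app canvas page might receive.
# The "msg" parameter is attacker-controlled and the page reflects it.
CONSTRUCTED_QUERY = "msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

# Constructed page template; {msg} is where the parameter is reflected.
PAGE_TEMPLATE = "<div class='greeting'>Hello! Your message: {msg}</div>"


def _param(query: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(query).get(name, [""])[0]


def render_vulnerable(query: str) -> str:
    """Reflects the parameter verbatim, so any markup in it becomes part of
    the page and runs in the app's context (the XSS the article describes)."""
    return PAGE_TEMPLATE.format(msg=_param(query, "msg"))


def render_hardened(query: str) -> str:
    """HTML-escapes the parameter so it is shown as text rather than
    interpreted as markup; quote=True also neutralises attribute breakouts."""
    return PAGE_TEMPLATE.format(msg=html.escape(_param(query, "msg"), quote=True))


def contains_raw_script(page: str) -> bool:
    """Crude detection check: does an unescaped <script tag appear in the
    rendered output? Useful as a regression test, not as a complete filter."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(CONSTRUCTED_QUERY))
    print("hardened:  ", render_hardened(CONSTRUCTED_QUERY))
```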
Writing for the technology blog ReadWriteWeb, Sarah Perez reported that the Facebook application vulnerability exists on 9,700 apps, including six of the 10 most popular Facebook apps.
"With hacked apps, security vulnerabilities, lack of privacy policies and apps that can read your private profile information, one has to wonder if using any Facebook application is appropriate and safe these days," Perez wrote in an article appearing on NYTimes.com.