
Facebook summarily denies undeniable user-menacing security hole

Facebook's hip new application platform contains a gaping hole that allows attackers to run malicious javascript on unsuspecting users' machines, a developer has demonstrated. Proof of concept code examined by El Reg shows how the platform can be used to steal Facebook user's session identification cookies, deliver pop-up …

COMMENTS

This topic is closed for new posts.
Alert

I thought so...

After checking around, this seems accurate.

0
0
Pirate

I knew it!

That bitchy queen Zuckerberg needs to sit down and fix his code! The whole thing is a MESS!

0
0
Thumb Down

Go Go Gadget exploit hole!

This is why you don't use the addons on places like that unless you can 'trust' them. Do you really need those 8 versions of "How hot am I", "Rate your friends", "Add this application or a puppy dies"?

I'd say treat the applications you put on there as you'd treat giving out contact details, but we all know how well that usually goes.

One nice little hole that I've wondered about is the fact that the applications gain access to your information when you add them, a nice box saying:

"Know who I am and access my information"

Unticking this gives you:

"Granting access to information is required to add applications. If you are not willing to grant access to your information, do not add this application."

Why is the option there then?

http://developers.facebook.com/user_terms.php - Platform Application Terms of Use . I love section 2b. A Data Miner's wet Dream?

0
0
Paris Hilton

Say it ain't so...

Bitch?

I chose Paris because she'd say "That's not hot, bitch!"

0
0
Thumb Down

What do you expect.

It's written in PHP and MySQL, hardly known for secure applications or scalability. It's a powder keg waiting for crap developers.

0
0
Bronze badge
Joke

And sane people...

...use FaceBook??

Why bother! It is probably much easier to stand on a street corner (or Hyde Park) and shout "LOOK AT ME".

0
0
Bronze badge

heh

"Security by obscurity" has now become "security by assertion". Facebook has asserted that the hole doesn't exist, therefore, it doesn't.

One wonders if they're even working on a fix, or if they're still so far up their own arse that they think Facebook is relevant.

0
0
Pirate

More - and sane people...

Right, and besides, Hyde Park is a lovely park, one of my favorite places in April, but unfortunately I'm not able to visit it often. FaceBook: no flowers, no spring rain, definitely no entertaining and funny people, no pubs near... Yes, if I have something to say, I will go to Hyde Park. Try it, you will love it! Next time I'm in London, hopefully in April, see you there and not on the Internet. Besides, it's totally safe, except of course from some very good British humor; the comments are way better than what you see on the Internet!

0
0
Boffin

@Chris Ellis

"It's written in PHP and MySQL, hardly known for secure applications or scalability"

I disagree... PHP and MySQL can be perfectly secure and scalable; it just depends on the talents of the programmer. I've seen loads of times when someone has used a module or application from a third party without properly checking it and thus exposing gaping security holes...

I'm not saying that what I write is perfect, but a company I used to work for thought that putting the admin pages in /admin/ without any password checking was OK ("it's not linked-to so no-one will know it's there")... they worked in ASP.

What you're saying is akin to "this book is rubbish because it was written on a mac"... it may be true that it was written on a mac, but it's the (lack of) talent of the author that you should be criticising!

0
0

@ Herby

I think that comment relates more to MySpace, not Facebook...

0
0
Flame

RE:What do you expect

"It's written in PHP and MySQL, hardly known for secure applications or scalability. It's a powder keg waiting for crap developers."

Yeah, because ASP applications are 100% secure...

0
0

...and sane people

But.....it's more obvious if you just wander out of the office during working hours to randomly go visit Hyde Park during a compile.....

...I really should try that though:

"Where are you??"

"Hyde Park"

"Why? You're supposed to be working?"

"My...code is compiling?"

0
0
Bronze badge
Coat

almost forgot

I assert that this coat is mine.

0
0
Thumb Down

@ What do you expect

Riiiiiight, because there aren't crap developers in other languages/DBs...

0
0
Bronze badge
Coat

@yeah, right

"security by assertion" is a long standing tradition of clueless coders, who write 95% of software out there. I was tempted to cite an example from Microsoft's own MFC library (probably the most popular library ever used by Windows programmers), but resisted. There are just too many assertions that make no sense.

0
0
Anonymous Coward

After reading this...

... I'm glad that I don't allow FB apps on my profile. It looks boring as f, but at least security issues are not a problem. Really. Honest.

And of course my email to FB pointing to this article and telling them to get their finger out of their backsides and do something about it instead of disclaiming it.

:-)

0
0

Fixed?

Visiting that page I get:

The bug is fixed :)

0
0

Good

Well, if this vulnerability allows for profiles to be deleted, I am all for it. I had a FB account for a few weeks, thought it was utterly useless, and tried to close it down. I found out that you could only make it "dormant", as opposed to being able to delete the whole thing. So I hope someone will inject the malicious code into my "dormant" profile.

As for PHP & MySQL, if it's good enough for EL REG to run WordPress, then it's good enough for me :-)

0
0
Boffin

Re PHP MySQL ASP comments

Far too high level: try a bit lower

Failure to parse for script is on a par with not handling

OR '' = ''

0
0
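The two low-level mistakes the comment above puts on a par, failing to escape script in output and failing to handle a quote-breaking SQL value like OR '' = '', side by side with their fixes. This is an added Python example, not code from the thread or from Facebook; the user table, credentials and inputs are constructed here purely for the demonstration, and no real application is modelled.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory user table with one sample account (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Query built by string concatenation: user input becomes part of the SQL
    grammar, so a value containing a quote can rewrite the WHERE clause."""
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + name
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, name, password):
    """Same lookup with bound parameters: the driver passes the values to the
    engine separately, so they are only ever compared as data, never parsed."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


def render_comment_vulnerable(text):
    """User text dropped straight into HTML: any markup in it is interpreted
    by the browser, which is the script-injection half of the comparison."""
    return "<p>" + text + "</p>"


def render_comment_escaped(text):
    """Contextual escaping for an HTML text node: <, >, &, ' and " become
    entities, so the browser shows the characters instead of executing them."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # Constructed quote-breaking input, the same shape as the OR '' = '' in the comment.
    quote_breaker = "' OR '' = '"
    print("concatenated query, bad password accepted:",
          login_vulnerable(db, "alice", quote_breaker))        # True
    print("parameterized query, bad password rejected:",
          login_parameterized(db, "alice", quote_breaker))     # False
    print(render_comment_vulnerable("<script>"))               # markup survives
    print(render_comment_escaped("<script>"))                  # &lt;script&gt;
```

The parameterized version needs no input filtering at all: the engine never sees the password as SQL text. The escaping version is specific to an HTML text node; attribute, URL and JavaScript contexts need their own encoders, which is why "parse for script" is the wrong mental model and output encoding by context is the right one.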