I thought so...
After checking around, this seems accurate.
I knew it!
That bitchy queen Zuckerberg needs to sit down and fix his code! The whole thing is a MESS!
Go Go Gadget exploit hole!
This is why you don't use the addons on places like that unless you can 'trust' them. Do you really need those 8 versions of "How hot am I", "Rate your friends", "Add this application or a puppy dies"?
I'd say treat the applications you put on there as you'd treat giving out contact details, but we all know how well that usually goes.
One nice little hole that I've wondered about is the fact that the applications gain access to your information when you add them, a nice box saying:
"Know who I am and access my information"
Unticking this gives you:
"Granting access to information is required to add applications. If you are not willing to grant access to your information, do not add this application."
Why is the option there then?
Say it ain't so...
I chose Paris because she'd say "That's not hot, bitch!"
What do you expect.
It's written in PHP and MySQL, hardly known for secure applications or scalability. It's a powder keg waiting for crap developers.
And sane people...
Why bother! It is probably much easier to stand on a street corner (or Hyde Park) and shout "LOOK AT ME".
"Security by obscurity" has now become "security by assertion". Facebook has asserted that the hole doesn't exist, therefore, it doesn't.
One wonders if they're even working on a fix, or if they're still so far up their own arse that they think Facebook is relevant.
More - and sane people...
Right, and besides, Hyde Park is a lovely park, one of my favorite places in April, but unfortunately I'm not able to visit it often. Facebook - no flowers, no spring rain, definitely no entertaining and funny people, no pubs near... Yes, if I have something to say, I will go to Hyde Park. Try it, you will love it! Next time I'm in London, hopefully in April, see you there and not on the Internet. Besides, it's totally safe except of course from some very good British humor; the comments are way better than what you see on the Internet!
"It's written in PHP and MySQL, hardly known for secure applications or scalability"
I disagree... PHP and MySQL can be perfectly secure and scalable; it just depends on the talents of the programmer. I've seen loads of times when someone has used a module or application from a third party without properly checking it and thus exposing gaping security holes...
I'm not saying that what I write is perfect, but a company I used to work for thought that putting the admin pages in /admin/ without any password checking was OK ("it's not linked-to so no-one will know it's there")... they worked in ASP.
What you're saying is akin to "this book is rubbish because it was written on a mac"... it may be true that it was written on a mac, but it's the (lack of) talent of the author that you should be criticising!
I think that comment relates more to MySpace, not Facebook...
RE:What do you expect
"It's written in PHP and MySQL, hardly known for secure applications or scalability. It's a powder keg waiting for crap developers."
Yeah, because ASP applications are 100% secure...
...and sane people
But... it's more obvious if you just wander out of the office during working hours to randomly go visit Hyde Park during a compile...
...I really should try that though:
"Where are you??"
"Why? You're supposed to be working?"
"My...code is compiling?"
I assert that this coat is mine.
@ What do you expect
Riiiiiight, because there aren't crap developers in other languages/DBs...
"security by assertion" is a long standing tradition of clueless coders, who write 95% of software out there. I was tempted to cite an example from Microsoft's own MFC library (probably the most popular library ever used by Windows programmers), but resisted. There are just too many assertions that make no sense.
After reading this...
... I'm glad that I don't allow FB apps on my profile. It looks boring as f, but at least security issues are not a problem. Really. Honest.
And of course my email to FB pointing to this article and telling them to get their finger out of their backsides and do something about it instead of disclaiming it.
Visiting that page I get:
The bug is fixed :)
Well, if this vulnerability allows for profiles to be deleted, I am all for it. I had a FB account for a few weeks, thought it was utterly useless, and tried to close it down. I found out that you could only make it "dormant", as opposed to being able to delete the whole thing. So I hope someone will inject the malicious code into my "dormant" profile.
As for PHP & MySQL, if it's good enough for EL REG to run WordPress, then it's good enough for me :-)
Re PHP MySQL ASP comments
Far too high level: try a bit lower
Failure to parse for script is on a par with not handling
OR '' = ''