SECURITY RESEARCHERS have found a glaring security fault with Facebook that allows the "remote control" of accounts.
Roger Thompson, chief research officer at AVG, revealed a JavaScript injection attack that lures users with a link to a video which, it claims, "99% of people can't watch". The link forwards users to another page that asks them to paste JavaScript code into their browser's address bar.
Upon entering the code, users are taken to another page stating that the user "likes" the video, and a link to it is added to the user's Facebook status. Thompson says this is the first such case his team is aware of in which Facebook accounts are remotely controlled.
The question is why Facebook's supposedly secure and privacy-aware site allows a relatively simple bit of JavaScript code to alter a user's status and even take actions on the user's behalf.
According to Thompson, his team does not yet know what the attack's payload is, meaning its true nature may not be as benign as it first appears. Nevertheless, Thompson states that the hack has already been successful, with over 600,000 users "liking" the video.
As for Facebook, this sort of disregard for security or privacy is merely par for the course. Until the firm sorts itself out, Thompson's advice is clear: do not enter code directly into the browser's address bar. µ
I have to agree with the others. Though I hate Facebook too, I fail to see how this is a flaw in their security. JavaScript code executed from the address bar can't be distinguished from code that you programmed in yourself. If people are dumb enough to copy and paste code into their address bar, then they deserve to "like" the video. Quite frankly, that should be about the least of their concerns.
This is obviously a built-in flaw left behind by Ben Ling before he moved on to Google, where he singlehandedly destroyed Google News.
How is this a vulnerability in Facebook? If you tell a user, "please execute this code", and they do it, there is nothing that can be done about that short of euthanising him or her. If you make a website that asked users to put cmd /c "del *.*" into their Start-Run box, would that be the fault of the incompetent assholes at Microsoft, who clearly cannot code their way out of a paper bag and are worthy of a derisive "this sort of disregard for security or privacy is merely par for the course"?
I have had computers since the VIC 20 and build my own gaming rigs, but I fail to see why anyone would want to use Facebook. I don't have a tracking device (cell phone) either. My home phone has an answering machine; I will get back to you when it is convenient for me.