
Facebook security flaw remotely controls accounts
No friend request required
SECURITY RESEARCHERS have found a glaring security fault with Facebook that allows the "remote control" of accounts.
Roger Thompson, chief research officer at AVG, revealed a JavaScript injection attack that lures users with a link to a video which, it claims, "99% of people can't watch". The link forwards users to another page that asks them to paste JavaScript code into their browser's address bar.
Upon entering the code, users are taken to another page that states that the user "likes" the video, and a link to it is added to the user's Facebook status. Thompson says that it is the first such case his team are aware of in which Facebook accounts are remotely controlled.
The question is why Facebook's supposedly secure and privacy-aware site allows a relatively simple bit of JavaScript code to alter a user's status and even take actions on behalf of the user.
According to Thompson, his team is unaware of what the payload of the attack is, meaning its true nature may not be as benign as it first appears. Nevertheless, Thompson states that the hack is already successful, with over 600,000 users "liking" the video.
As for Facebook, this sort of disregard for security or privacy is merely par for the course. Until the firm sorts itself out, Thompson's advice is clear: do not enter code directly into the browser's address bar. µ