CNET has a short piece up about a number of security vulnerabilities on Facebook that have recently been demonstrated by researchers — and they’re more serious than the notion that some random employee there might check out your profile. In fact, one of these vulnerabilities makes it possible for some random hacker to use Facebook in order to check out not just your profile, but you.
[Researcher Nitesh] Dhanjani and Israeli security researcher Shlomi Narkolayev said attackers could use clickjacking attacks to hijack Facebook accounts by tricking users into clicking on sites hiding malicious code. A Web site that looks like an e-commerce site or that shows videos could hide a Facebook log-in page behind it so that when a user clicks on the site to play a video, for instance, the user’s account is opened instead behind the scenes, without the user realizing it. “Using ClickJacking I also could fool users to click whatever I want: adding me as their friend, delete their account, and even open their camera and microphone using flash (older versions than 10.x), or install Facebook applications that post their Web camera and microphone every time they connected to Facebook,” Narkolayev wrote on his blog. He demonstrates an example of an attack in a video on his site and acknowledges that other sites are vulnerable to this type of attack, as well.
The article also mentions a change to the way third-party apps can work on Facebook: apparently, in order to increase the number of apps in use on the site, Facebook now lets app developers use an “implicit authorization” method, so that the app no longer has to ask whether you want to grant it access to your profile information. Facebook spokesman Simon Axten says that such apps can only access information you have set to be visible to everyone on the Internet.