Facebook has repaired a security vulnerability discovered by Indiana University doctoral students Rui Wang and Zhou Li, which allowed malicious Web sites to find a visitor's real name, access their private data, and post misinformation.
The vulnerability arose when a user gave Facebook permission to share information with other Web sites. Whenever a site makes such a request to Facebook via the user's browser, Facebook passes a random string called an authentication token back to the requester for identification. Facebook recognizes the holder of that token as a legitimate Web site and provides unblocked access to the shared data.
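The paragraph above describes a bearer-style hand-off: whoever presents the token is treated as the legitimate site. The following is an added example, not Facebook's code or the researchers' proof of concept, that models that hand-off in a few lines and contrasts it with a variant that binds the token to the origin it was issued for, so a token that ends up in another site's hands is refused. The class and function names, the origins, and the expiry handling are illustrative assumptions.

```python
import secrets
import time

# Constructed model of the token hand-off described in the article.
# An identity provider issues a random token to a site acting for a user;
# a resource endpoint then decides whether the presenter may read shared data.
# Nothing here mirrors Facebook's real API; names are hypothetical.


class TokenIssuer:
    def __init__(self):
        self._tokens = {}  # token -> {"user", "origin", "exp"}

    def issue(self, user, site_origin, ttl_seconds=600):
        # Random, unguessable token bound (in the record) to the requesting site.
        token = secrets.token_urlsafe(24)
        self._tokens[token] = {
            "user": user,
            "origin": site_origin,
            "exp": time.time() + ttl_seconds,
        }
        return token

    def lookup(self, token):
        # Returns the issuance record, or None if unknown or expired.
        rec = self._tokens.get(token)
        if rec is None or rec["exp"] < time.time():
            return None
        return rec


def fetch_shared_data_unbound(issuer, token, presenting_origin):
    # Weak check: any holder of a valid token is served the user's data,
    # regardless of which origin is presenting it.
    rec = issuer.lookup(token)
    if rec is None:
        return None
    return {"user": rec["user"]}


def fetch_shared_data_bound(issuer, token, presenting_origin):
    # Hardened check: the token is honoured only when presented by the
    # origin it was issued to. A token leaked to another origin is rejected.
    rec = issuer.lookup(token)
    if rec is None or rec["origin"] != presenting_origin:
        return None
    return {"user": rec["user"]}


if __name__ == "__main__":
    issuer = TokenIssuer()
    tok = issuer.issue("alice", "https://legit.example")
    print("unbound, other origin:", fetch_shared_data_unbound(issuer, tok, "https://other.example"))
    print("bound, other origin:  ", fetch_shared_data_bound(issuer, tok, "https://other.example"))
    print("bound, issued origin: ", fetch_shared_data_bound(issuer, tok, "https://legit.example"))
```

The unbound variant is the behaviour the article attributes to the flaw: possession of the token is the only credential. The bound variant is the usual mitigation for delegated-access tokens, checking the presenter against the party the token was issued to, alongside short expiry.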
"Basically, any user with a valid Facebook session loses anonymity and privacy to any Web site, even one with embarrassing or sensitive content," Wang says. Li says that "our attack utilized a feature of Adobe Flash called unpredictable communication, and an important distinction between an unpredictable communication and a normal communication is that the former is done through a connection where the name starts with an underscore symbol."
From Indiana University