
Communications of the ACM

ACM TechNews

Informatics Students Discover, Alert Facebook to Threat Allowing Access to Private Data, Bogus Messaging


Rui Wang and Zhou Li

University of Indiana

Facebook has repaired a security vulnerability discovered by Indiana University doctoral students Rui Wang and Zhou Li, which allowed malicious Web sites to find a visitor's real name, access their private data, and post misinformation.

The vulnerability arose when a user granted Facebook permission to share information with other Web sites. Whenever a site makes such a request to Facebook through the user's browser, Facebook passes a random string, called an authentication token, back to the requester for identification. Facebook then treats the holder of that token as a legitimate Web site and grants it unrestricted access to the shared data.

"Basically, any user with a valid Facebook session loses anonymity and privacy to any Web site, even one with embarrassing or sensitive content," Wang says. Li says that "our attack utilized a feature of Adobe Flash called unpredictable communication, and an important distinction between an unpredictable communication and a normal communication is that the former is done through a connection where the name starts with an underscore symbol."

From Indiana University

Abstracts Copyright © 2011 Information Inc. External Link, Bethesda, Maryland, USA

