Ronen Zilberman said that to be infected, a user must merely open a non-related website, ideally an online forum, where the attacker has seeded a malicious image tag link. If successful, the perpetrator could evade privacy settings and retrieve victims' full names, profile pictures and friend's lists.He described the cross-site request forgery (CSRF) vulnerability -- which Facebook has since fixed -- on his Quaji blog. Much of the blame for the bug rests on a site feature known as "Automatic Authentication", Zilberman said. This component allows Facebook applications to receive personal information about a user when he or she visits the application's "canvas page."But Zilberman found a way for the hacker to receive that same information without the user knowingly interacting with any application. He was able to embed an IMG tag on a third-party website. If a user visited the site, Facebook would believe the user was actually interacting with the application, and thus the attacker could receive the data."We need a way to trick Facebook into (thinking) the app page it is (clandestinely) accessing is a result of the user's interaction," he said. "It turns out that a simple redirect from one page to another in the same application fools Facebook because the second request originates from a Facebook URL (the first request). Therefore, the second request activates 'Automatic Authentication' and personal info is sent."Facebook has fixed the problem, but Zilberman said the issue could be present across other social networking sites."Our team pushed a fix for this bug on Monday, shortly after it was reported to us, and before the details were made public," Facebook spokesman Simon Axten told SCMagazineUS.com. "The information exposed was very limited and included only the user's name, Facebook user ID, profile picture, and list of friends. User privacy settings were also respected. That is, if you had hidden certain information from platform applications, that information was still inaccessible. We have no evidence that the bug was ever used for malicious purposes."See original article on scmagazineus.com
Copyright © SC Magazine, US edition
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @itnews.com.au to your white-listed senders.