Facebook Bug Lets Hackers Delete Friends - Slashdot

Slashdot

Facebook Bug Lets Hackers Delete Friends 89

Posted by timothy on Monday May 24 2010, @06:33AM
from the friends-don't-let-friends dept.

swandives writes "There's lot of talk about Facebook and privacy at the moment, but a bug in Facebook's website lets hackers delete Facebook friends without permission. Steven Abbagnaro, a student from Marist College in Poughkeepsie, New York, reported the flaw, writing proof-of-concept code that scrapes publicly available data from users' Facebook pages and deletes all of their friends, one by one. The victim first has to click on a malicious link while logged into Facebook. Abbagnaro's code exploits the same underlying flaw that was first reported by Alert Logic security analyst M.J. Keith who discovered a cross-site request forgery bug, where the website doesn't properly check code sent by users' browsers to ensure that they were authorized to make changes on the site."

This discussion has been archived. No new comments can be posted.

Facebook Bug Lets Hackers Delete Friends

Search 89 Comments Log In/Create an Account

Comments Filter:

Re:Raising false hopes (Score:5, Informative)

by MichaelSmith (789609) writes: on Monday May 24 2010, @06:42AM (#32321460) Homepage Journal

They're a bunch of spoil sports:
5/11/2010 – Facebook notified of vulnerability
5/13/2010 – Work begins with Facebook to patch flaw.
5/14/2010 – Facebook confirms flaw is patched.
5/24/2010 – Post on slashdot.

Parent Share
twitter facebook
Re:Raising false hopes (Score:2, Informative)

by buchner.johannes (1139593) writes: on Monday May 24 2010, @06:43AM (#32321470) Homepage Journal

You can send them a link to http://www.quitfacebookday.com/ [quitfacebookday.com]

Parent Share
twitter facebook
Patched already (Score:4, Informative)

by wannabgeek (323414) writes: on Monday May 24 2010, @06:50AM (#32321500) Journal

The CSRF bug page in the summary says that facebook confirmed that it's patched already. And the actual hacker's page [prominentsecurity.com] says that he found if he does a little more (delete a few more parameters as well as the "post_form_id"), the CSRF resurfaces.
Anyway, he posted an update saying fb patched this one now (22 May)..

Share
twitter facebook
Re:GOOD I'VE GOT A FEW FRIENDS I DON'T NEED ANYMOR (Score:1, Informative)

by Anonymous Coward writes: on Monday May 24 2010, @06:50AM (#32321504)

It's not PHP's fudemental flaw that deletes your facebook friends, it's the programmer's bad authentification design.

Parent Share
twitter facebook

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

477 commentsYour Passwords Don't Suck — It's Your Policies
418 commentsFBI Says American Universities Infiltrated by Spies
391 commentsAdobe Introduces the Paid Security Fix
343 commentsSymantec: Religious Sites "Riskier Than Porn For Viruses"
333 commentsOsama Bin Laden Didn't Encrypt His Files

Arguments are extremely vulgar, for everyone in good society holds exactly the same opinion. -- Oscar Wilde