Facebook Bug Lets Hackers Delete Friends 89
Posted
by
timothy
from the friends-don't-let-friends dept.
from the friends-don't-let-friends dept.
swandives writes "There's lot of talk about Facebook and privacy at the moment, but a bug in Facebook's website lets hackers delete Facebook friends without permission. Steven Abbagnaro, a student from Marist College in Poughkeepsie, New York, reported the flaw, writing proof-of-concept code that scrapes publicly available data from users' Facebook pages and deletes all of their friends, one by one. The victim first has to click on a malicious link while logged into Facebook. Abbagnaro's code exploits the same underlying flaw that was first reported by Alert Logic security analyst M.J. Keith who discovered a cross-site request forgery bug, where the website doesn't properly check code sent by users' browsers to ensure that they were authorized to make changes on the site."
Social networking sucks (Score:5, Insightful)
I deleted my Facebook account a week or so ago, and I was, at the time, hoping that diaspora would end up being something besides vaporware. After a week without it, though, I find myself pleased with my lack of knowledge about what people I didn't like in high school had for dinner.
Re:Social networking sucks (Score:4, Insightful)
And since Facebook only notifies you of "good" new (Score:3, Insightful)
At last an easy way to... (Score:2, Insightful)
Re:Social networking sucks (Score:4, Insightful)
Re:Social networking sucks (Score:5, Insightful)
Just to give you a word of support - ignore the people saying it's your fault for who you accepted as a friend. The problem is that it's easy to say "yes, this person is my friend", even if they are somebody marginal who you never particularly cared for (it's easy to click "Ignore" for evil ex-girlfriends and the real assholes from high school). But it's very hard to rethink that and unfriend them in such a public forum later on, and have to deal with awkward questions about why you unfriended so-and-so. However, that is what Facebook made the "hide this person's updates" feature for - when somebody isn't egregiously awful enough to unfriend, but you just don't want to see their bullshit updates anymore.
In any case, I didn't actually delete my Facebook account, but I have cleared out any information but the absolute basics. And I began an experiment by avoiding logging into Facebook for a week. I found that I rapidly reverted to visiting other websites and finding other things online to fill my down time at work.
I believe the reason Facebook is so addictive is the feed mechanism. It fills our psychological need for gossip and trivial sorts of information about friends. However, like many addictive things, I think too much of a "good" thing (and by good thing, I mean it's fun, enjoyable, makes us feel connected) is no longer a good thing. While I want to know when old friends go back to grad school, get engaged, married, or have their first kids, I don't really want to hear somebody's snarky comments about their workplace, read about their lost cell phone, hear about how they just bought an iPad and it's changed their lives, or read about their drunken escapades.
So the point - I agree with you, and I think we are both going to be happier, with cleaner, fresher, less cluttered minds for turning our backs on this inane distracting chatter. Saying "I'm Facebook friends with them" has become synonymous with "they are somebody I know but don't really give enough of a shit about to keep up with in real life".
Re:This is not a bug (Score:3, Insightful)
Everything today is "a feature". Real tired to hear these "problems" - not really problems but laziness, ignorance, whatever by developers / designers! Yes, the base, the standards, the tools, and so on are flawed but nothing says the systems have to be coded that way, allowing all the security and other problems. I have tried a long time to defend the developers - it wasn't their problem that that their tools, toys, systems, etc were bad but after so long - anyone anymore creating systems with these flaws is to blame!
This is really getting out of hand - why would anyone build systems which allow these problems, cross-site without checking, whatever - on purpose? Sorry, after 30+ years designing / creating safe systems for global mission critical operations, public safety, etc - I just can't understand!! Yes - sometimes it means fighting the management and even customer but why would anyone do it - every time it comes back haunting you, badly! What has happened to separation of presentation, processing, authentication, authorization, etc?? The basic rules in safe computing! Or did your vendor licensing book forget to tell you about the bad and ugly world outside the door? If so - why not start thinking yourself?
Re:Social networking sucks (Score:5, Insightful)
You're missing the point because that isn't the reality of using facebook.
What actually happens is that when you first signed up, you naively used your real name. Then loads of people from your past, who you couldn't give two shits about, inexplicably add you.
As a new user you aren't going to press ignore, so you confirm everyone.
In the default mode, your front page is now full of the most verbose idiots literally broadcasting what they had for dinner.
Finally you delete your account, because facebook is a horrible ad ridden, malware invested fad, and it's dying. Or at least becoming a zombie.
No Mother-in-law (Score:4, Insightful)
Re:a self-copying worm code (Score:2, Insightful)
It is not XSS, but CSRF. Cross-site request forgery. Such exploits are designed to exploid the way site processes user inputs. If site uses custom forms or request fields, exploit will work only on this site and in most of the cases it is not specific to some browser.
Re:Social networking sucks (Score:3, Insightful)
PEBKAC