
Facebook Bug Lets Hackers Delete Friends

swandives writes "There's a lot of talk about Facebook and privacy at the moment, but a bug in Facebook's website lets hackers delete Facebook friends without permission. Steven Abbagnaro, a student from Marist College in Poughkeepsie, New York, reported the flaw, writing proof-of-concept code that scrapes publicly available data from users' Facebook pages and deletes all of their friends, one by one. The victim first has to click on a malicious link while logged into Facebook. Abbagnaro's code exploits the same underlying flaw that was first reported by Alert Logic security analyst M.J. Keith, who discovered a cross-site request forgery bug, where the website doesn't properly check code sent by users' browsers to ensure that they were authorized to make changes on the site."
This discussion has been archived. No new comments can be posted.

  • by bl8n8r ( 649187 ) on Monday May 24, 2010 @06:52AM (#32321508)

    The article seems to be directed at facebook, but it sounds to me like there needs to be a browser or OS exploit first in order to work: "combine an exploit for this bug with spam or even a self-copying worm code". I'm not a facebook user (get off my lawn), but a lot of XSS flaws are browser specific and if there is a general browser exploit going on, this could affect more websites than facebook. TFA just sounds a little misdirected to me.

  • Bug condition: (Score:2, Interesting)

    by Anci3nt of Days ( 1615945 ) on Monday May 24, 2010 @08:24AM (#32321880)

    After the bug deletes all your friends... Tom is added.

    He was feeling all left out when everyone left myspace.

  • by adamofgreyskull ( 640712 ) on Monday May 24, 2010 @11:03AM (#32323604)

    You're missing the point because that isn't the reality of using facebook.

    In the default mode, your front page is now full of the most verbose idiots literally broadcasting what they had for dinner.

    No. I don't think he was missing the point. You can remove anyone and any application from your "feed". If you really think the people, who you added as friends, are "verbose idiots" and they are literally broadcasting what they had for dinner, then why not just remove them? Or you could just not add them in the first place? You have the choice to cease being friends with people or to not become friends with them, just as you do in real life. If you felt obligated to add them as a new user and are now scared to remove them, then it sucks to be you. If you befriended someone in real life and they kept ringing you up to tell you that they just bought some new fish and that they were about to eat McDonalds, then go and see a movie, would you sell up and move to a shack in the woods?

    Finally you delete your account, because facebook is a horrible ad ridden, malware invested fad, and it's dying. Or at least becoming a zombie.

    "Ad ridden"? Not noticed. There are no, or very few, obnoxious ads on there that I've seen. The ones that I have seen are text ads with no/very small pictures and all seem to be vaguely relevant and unobtrusive, and you even have the option to click on specific ads if you think they're inappropriate, or irrelevant etc. (I forget the exact options) to get rid of them. As for malware, again, not that I've noticed.

    Your main gripe would seem to be that Facebook is a "social networking" site and that you have no interest in being social, nor in networking. The second gripe regarding "malware" is either imaginary, or a product of your befriending of mouth-breathers...who you don't like. As for the "ad ridden" part...that's either made up, or ad-block is removing all the ads for me. (inb4 YHBT)

  • by Anonymous Coward on Monday May 24, 2010 @12:05PM (#32324422)

    The second gripe regarding "malware" is either imaginary, or a product of your befriending of mouth-breathers...who you don't like.

    During the peak of the Facebook app craze, I came upon an application that I decided not to add because the EULA sounded even more dodgy than usual Facebook apps go. The license text was seemingly copied from somewhere else and slapped onto the web app regardless of the context. I felt smug when I read the news [net-security.org] that the application vendor was banned for distributing malware disguised as the full version of their bait Facebook app.
