Forgot your password?
typodupeerror
Bug Security Social Networks IT

Facebook Bug Lets Hackers Delete Friends 89

Posted by timothy
from the friends-don't-let-friends dept.
swandives writes "There's lot of talk about Facebook and privacy at the moment, but a bug in Facebook's website lets hackers delete Facebook friends without permission. Steven Abbagnaro, a student from Marist College in Poughkeepsie, New York, reported the flaw, writing proof-of-concept code that scrapes publicly available data from users' Facebook pages and deletes all of their friends, one by one. The victim first has to click on a malicious link while logged into Facebook. Abbagnaro's code exploits the same underlying flaw that was first reported by Alert Logic security analyst M.J. Keith who discovered a cross-site request forgery bug, where the website doesn't properly check code sent by users' browsers to ensure that they were authorized to make changes on the site."
This discussion has been archived. No new comments can be posted.

Facebook Bug Lets Hackers Delete Friends

Comments Filter:
  • by Anonymous Coward

    How soon can I get them out of the picture, if you know what I mean.

  • by Anonymous Coward on Monday May 24, 2010 @05:37AM (#32321428)

    "It's a feature."

    • Re: (Score:3, Insightful)

      by tuomoks (246421)

      Everything today is "a feature". Real tired to hear these "problems" - not really problems but laziness, ignorance, whatever by developers / designers! Yes, the base, the standards, the tools, and so on are flawed but nothing says the systems have to be coded that way, allowing all the security and other problems. I have tried a long time to defend the developers - it wasn't their problem that that their tools, toys, systems, etc were bad but after so long - anyone anymore creating systems with these flaws

  • by Thanshin (1188877) on Monday May 24, 2010 @05:38AM (#32321440)

    In case you didn't RTFA, you can only delete the link between your facebook accounts, not the friends themselves.

    And so dies our intricate plan to befriend our enemies and erase them from existance.

    • by MichaelSmith (789609) on Monday May 24, 2010 @05:42AM (#32321460) Homepage Journal

      They're a bunch of spoil sports:

      5/11/2010 – Facebook notified of vulnerability
      5/13/2010 – Work begins with Facebook to patch flaw.
      5/14/2010 – Facebook confirms flaw is patched.

      5/24/2010 – Post on slashdot.

      • by Thanshin (1188877) on Monday May 24, 2010 @05:52AM (#32321510)

        They're a bunch of spoil sports:
        5/11/2010 - Facebook notified of vulnerability
        5/13/2010 - Work begins with Facebook to patch flaw.
        5/14/2010 - Facebook confirms flaw is patched.

        5/24/2010 - Post on slashdot.

        5/28/2010 - Dupe post on Slashdot.
        6/15/2010 - Trupe post on Slashdot.
        6/15/2010 - AskSlashdot question about whether dupe+1 = trupe or redupe. Links to original post.
        6/15/2010 - Slashdot is slashdotted, creating a singular paradox.
        5/24/2010 - The end of the world as we know it.

        • Re: (Score:1, Flamebait)

          by JohnHegarty (453016)

          12/21/2012 - The end of the world as we know it.

          ^ FYP

        • Re: (Score:2, Funny)

          by Zebaulon (534793)

          5/28/2010 - Dupe post on Slashdot.
          6/15/2010 - Trupe post on Slashdot.
          6/15/2010 - AskSlashdot question about whether dupe+1 = trupe or redupe. Links to original post.
          6/15/2010 - Slashdot is slashdotted, creating a singular paradox.
          5/24/2010 - The end of the world as we know it.

          And I feel fine.

        • by Hatta (162192)

          5/28/2010 - Dupe post on Slashdot.
          6/15/2010 - Trupe post on Slashdot.

          If "dupe" derives from "duplicate", shouldn't we derive "tripe" from "triplicate"?

          • by Thanshin (1188877)

            If "dupe" derives from "duplicate", shouldn't we derive "tripe" from "triplicate"?

            Whatever you do, don't AskSlashdot about that, linking to the original article.

            I don't think I'm the prophet of the apocalypse, but you can never be sure.

    • Re: (Score:2, Informative)

      You can send them a link to http://www.quitfacebookday.com/ [quitfacebookday.com]

  • by Anonymous Coward on Monday May 24, 2010 @05:41AM (#32321452)
    It was ... the hackers ... yes, that's it, it was the hackers that must have made everyone defriend me.
  • by asherlev (2499) <jeffreyd@gma[ ]com ['il.' in gap]> on Monday May 24, 2010 @05:44AM (#32321474)

    I deleted my Facebook account a week or so ago, and I was, at the time, hoping that diaspora would end up being something besides vaporware. After a week without it, though, I find myself pleased with my lack of knowledge about what people I didn't like in high school had for dinner.

    • by AmonTheMetalhead (1277044) on Monday May 24, 2010 @06:05AM (#32321556)
      Why did you befriend them if you don't like them?
    • Blaming facebook for your friend choices. Classy.
      • by sakdoctor (1087155) on Monday May 24, 2010 @07:52AM (#32322116) Homepage

        You're missing the point because that isn't the reality of using facebook.

        What actually happens is that when you first signed up, you naively used your real name. Then loads of people from your past, who you couldn't give two shits about, inexplicably add you.
        As a new user you aren't going to press ignore, so you confirm everyone.

        In the default mode, your front page is now full of the most verbose idiots literally broadcasting what they had for dinner.

        Finally you delete your account, because facebook is a horrible ad ridden, malware invested fad, and it's dying. Or at least becoming a zombie.

        • Re: (Score:3, Interesting)

          You're missing the point because that isn't the reality of using facebook.

          In the default mode, your front page is now full of the most verbose idiots literally broadcasting what they had for dinner.

          No. I don't think he was missing the point. You can remove anyone and any application from your "feed". If you really think the people, who you added as friends, are "verbose idiots" and they are literally broadcasting what they had for dinner, then why not just remove them? Or you could just not add them in the first place? You have the choice to cease being friends with people or to not become friends with them, just as you do in real life. If you felt obligated to add them as a new user and are now scare

          • Re: (Score:1, Interesting)

            by Anonymous Coward

            The second gripe regarding "malware" is either imaginary, or a product of your befriending of mouth-breathers...who you don't like.

            During the peak of the Facebook app craze, I came upon an application that I decided not to add because the EULA sounded even more dodgy than usual Facebook apps go. The license text was seemingly copied from somewhere else and slapped onto the web app regardless of the context. I felt smug when I read the news [net-security.org] that the application vendor was banned for distributing malware disguised as the full version of their bait Facebook app.

          • Your main gripe would seem to be that Facebook is a "social networking" site and that you have no interest in being social, nor in networking.

            In my case, that is exactly and literally true. I have a limited number of friends in "meatspace" who are sufficient for me to maintain a status of human being, and that's the way I like it. I have no interest in being prodded or poked as a substitute for genuine interaction.

            [Dons curmudgeonly hat] There was a time (not so long ago in my memory, but probably pri
            • by ClintJCL (264898)
              I don't think it was the communication you missed. A message is a message regardless of medium. Books are not the smell and feel of the pages; music is not the sound of a needle on a record. You miss your old-fashioned aesthetic.
              • A message is a message regardless of medium... You miss your old-fashioned aesthetic.

                Nonsense. Evocation is as much a part of communication as the black and white text, regardless of the fact that it is essentially non-verbal. Otherwise nobody would bother to paint paintings or write poetry.

                Of course, if you have never received a letter any more personal than a final demand from your bank manager, I wouldn't expect you to understand. But you have to agree that a poke from a facebook "friend" can never
                • by ClintJCL (264898)
                  First off, saying a message is a message regardless of the medium does not in any way, shape, or form, imply that no one would paint or write a poem. I'm not sure how you got from point a to point b there.

                  Second off, nobody on Facebook pokes! I've heard of it happening, but for the most part, it's a strawman for people like you to attack. I have 450 friends and have been on for about 4 yrs. A few cute girls have been poked by a few guys who weren't their friend. That's it. Nobody I've ever spoken to has b

                  • First off, saying a message is a message regardless of the medium does not in any way, shape, or form, imply that no one would paint or write a poem. I'm not sure how you got from point a to point b there.

                    A clue from my post: Evocation is as much a part of communication as the black and white text.

                    Also:
                    nobody on Facebook pokes! I've heard of it happening, but for the most part, it's a strawman for people like you to attack.

                    They do indeed poke. I know many who (sadly) do so all the time. (I dont, b
                    • by ClintJCL (264898)
                      Because they don't. The average person doesn't tell anyone when they change their email address. The average person is disorganized and does not follow due diligence.
          • It's not even so scary to remove somebody from your friends list. It doesn't even tell them. The only way they'd find out is if they:

            1. were actually paying attention to you

            2. noticed there weren't any posts from you for a while and

            3. cared enough to go to your page and noticed the "add as friend" button is back.

            Given that there's probably 600 other people on their list, step 1 is a stretch. If they don't even like you and only added you because they remember your name, step 2 and 3 are a stretch.

        • Re: (Score:3, Insightful)

          by Bakkster (1529253)

          PEBKAC

        • As a new user you aren't going to press ignore, so you confirm everyone.

          Wait, who's the idiot again?

          I only have a couple hundred friends on FB but they're all people I know and like.

          Frankly, my friends with 800+ friends - I could never manage that many status updates.

    • by Fnkmaster (89084) on Monday May 24, 2010 @07:40AM (#32322016)

      Just to give you a word of support - ignore the people saying it's your fault for who you accepted as a friend. The problem is that it's easy to say "yes, this person is my friend", even if they are somebody marginal who you never particularly cared for (it's easy to click "Ignore" for evil ex-girlfriends and the real assholes from high school). But it's very hard to rethink that and unfriend them in such a public forum later on, and have to deal with awkward questions about why you unfriended so-and-so. However, that is what Facebook made the "hide this person's updates" feature for - when somebody isn't egregiously awful enough to unfriend, but you just don't want to see their bullshit updates anymore.

      In any case, I didn't actually delete my Facebook account, but I have cleared out any information but the absolute basics. And I began an experiment by avoiding logging into Facebook for a week. I found that I rapidly reverted to visiting other websites and finding other things online to fill my down time at work.

      I believe the reason Facebook is so addictive is the feed mechanism. It fills our psychological need for gossip and trivial sorts of information about friends. However, like many addictive things, I think too much of a "good" thing (and by good thing, I mean it's fun, enjoyable, makes us feel connected) is no longer a good thing. While I want to know when old friends go back to grad school, get engaged, married, or have their first kids, I don't really want to hear somebody's snarky comments about their workplace, read about their lost cell phone, hear about how they just bought an iPad and it's changed their lives, or read about their drunken escapades.

      So the point - I agree with you, and I think we are both going to be happier, with cleaner, fresher, less cluttered minds for turning our backs on this inane distracting chatter. Saying "I'm Facebook friends with them" has become synonymous with "they are somebody I know but don't really give enough of a shit about to keep up with in real life".

      • Saying "I'm Facebook friends with them" has become synonymous with "they are somebody I know but don't really give enough of a shit about to keep up with in real life".

        Well said. Couldn't have put it better myself. Wouldn't go down well with Facebook addicts though, but there's nothing we can do about that.
    • by 228e2 (934443)
      You deleted your facebook account a week ago in hopes that a startup social network that isnt slated to go live until Sept 2010 would alleviate your facebook problems?
  • Patched already (Score:4, Informative)

    by wannabgeek (323414) on Monday May 24, 2010 @05:50AM (#32321500) Journal

    The CSRF bug page in the summary says that facebook confirmed that it's patched already. And the actual hacker's page [prominentsecurity.com] says that he found if he does a little more (delete a few more parameters as well as the "post_form_id"), the CSRF resurfaces.

    Anyway, he posted an update saying fb patched this one now (22 May)..

  • by bl8n8r (649187) on Monday May 24, 2010 @05:52AM (#32321508)

    The article seems to be directed at facebook, but it sounds to me like there needs to be a browser or OS exploit first in order to work: "combine an exploit for this bug with spam or even a self-copying worm code". I'm not a facebook user (get off my lawn), but a lot of XSS flaws are browser specific and if there is a general browser exploit going on, this could affect more websites than facebook. TFA just sounds a little misdirected to me.

    • As long as an Article is properly written, I don't mind if one lead case example of a flaw is used to get people's notice. "Flaw allows people to delete Facebook friends" will wake up more people than "missing parameter bug found in certain browsers".

      I'm right on that borderline of a modestly aware of these issues, so when one surfaces that's "important to the masses" I like having a tagline in my mind to explain it with. I admit I ignore a lot of Linux kernel reports etc. My attitude to Linux is "it sorta

    • RTFA - It is not XSS. It is XSRF. And it is not browser specific since cross-posting to a different URL is inherent property of forms and hyperlinks. Websites have to do something proactive to prevent XSRF like setting a hidden field in the request that serves the form and validating the field when it receives the post data. Facebook had the required code, but was allowing the post to succeed when the field was completely omitted.

    • Re: (Score:2, Insightful)

      by tokul (682258)

      lot of XSS flaws are browser specific and if there is a general browser exploit going on, this could affect more websites than facebook

      It is not XSS, but CSRF. Cross-site request forgery. Such exploits are designed to exploid the way site processes user inputs. If site uses custom forms or request fields, exploit will work only on this site and in most of the cases it is not specific to some browser.

  • It's hard to tell if your friends have been affected by this 'bug'. If someone unfriends you then you might never know, yet when you add a new one it's all over everyone else's page
    • by ClintJCL (264898)
      That's so people can delete people without being overcome by guilt. MySpace was exactly the same. Pretty much every site is. But there's a Greasemonkey script you can use, Facebook Friend Checker, if you want to know about such things.
      • by nedlohs (1335013)

        You only feel guilt when someone knows you did something wrong*, not just when you do something wrong*?

        I hope "don't want to make other people feel bad" would be a better description.

        * Not that unfriending someone on a website is "wrong" in the first place, but that's already being implied by using the word "guilt".

  • ... delete an account from facebook!
  • by wilder_card (774631) on Monday May 24, 2010 @07:09AM (#32321812)
    Hackers have friends???
  • Bug condition: (Score:2, Interesting)

    After the bug deletes all your friends... Tom is added.

    He was feeling all left out when everyone left myspace.

  • Now that's is what I call a Friend with Benefit.

  • by ClintJCL (264898)
    Uh... I didn't use my real name. And I ignore people I want to ignore. And I can filter statuses on keywords.

    You need to grow a pair and learn to properly use systems. Facebook is bigger than ever, and it certainly isn't dying. And if you're seeing ads, I question why you don't take the 1 minute to install AdBlock, but take 1 minute to complain about ads on facebook. You're just a whiny baby as AFAIK.

  • by Yvan256 (722131) on Monday May 24, 2010 @07:58AM (#32322154) Homepage Journal

    May we suggest the name "KipDrordy" for the bug?

  • Somewhat OT, but yesterday I took a look at FB and was redirected to this myspace page. Not myspace.com, but someone's actual page. This was around noon yesterday and lasted a couple hours. Oddly, this page is not in my firefox history, but instead shows up as myspace.com. I live in Chicago & have ATT DSL. Any clues???
    • by Ash-Fox (726320)

      I live in Chicago & have ATT DSL. Any clues???

      Your first clue is: An orange ball.

  • No Mother-in-law (Score:4, Insightful)

    by ubrgeek (679399) on Monday May 24, 2010 @08:50AM (#32322618)
    I didn't delete you as a friend. And now the system won't let me add you back. Damn those evil, evil hackers!
  • Wake me up when a FB exploit is discovered that actually removes all the data I ever put into their site, and genuinely deletes my account.
  • Do I care? Not really....

  • So that's why my ex girlfriend deleted me off her page. Umm... yeah that has to be it.
  • ... You have 0 Friends.

1 Mole = 007 Secret Agents

Working...