Indiana Students Uncover Fresh Security Flaw Within Facebook

Two researchers at Indiana, US located Indiana University have claimed that there's a security flaw inside Facebook which attackers could exploit for gaining access to other people's data. EWeek.com reported this on February 2, 2011.

Named Zhou Li and Rui Wang, the two researchers reportedly informed Sophos the security company regarding the vulnerability, while claiming that the flaw could let any website masquerade as some other site from where it was legitimate for gaining entry into users' information like name, birth-date and gender.

That means that in case an end-user is on any website like news or gaming site, or YouTube, which was allowed to access his Facebook profile, then chances are that some malevolent website would manage to access the confidential details of that user.

Thus one was in danger in case he was to go to a malevolent site whilst having Facebook open on his screen. Actually, the vulnerability happened because of an issue inside an authentication system of Facebook.

Senior Technology Consultant Graham Cluley at Sophos, after himself testing the flaw using an experimental website he created, stated that at first he couldn't mirror the contents of a video he'd seen that Li and Wang had provided. V3.co.uk published this on February 3, 2011.

The incapability, according to Cluley, was because of his Facebook account to which he applied harsh settings that hinted that there was sufficient protection the social-networking website was offering to the vulnerability.

Ultimately the expert managed for imitating the exact requirements of the account as also observe the web-page get contaminated.

Cluley said that the page was subsequently capable of extracting his e-mail id and name as well as post a malicious web-link apparently through the application.

Thereafter he drew the conclusion that as a result of the security hole, malicious software could proliferate among users.

Meanwhile, the students luckily notified just Cluley and Facebook, which prevented the exploitation of the flaw on an otherwise wide scale. Facebook responded immediately and a patch has been developed for the vulnerability. However, the event reiterates that ever-changing and mammoth-sized websites like Facebook cannot ever be wholly vulnerability-free.

Related article: Indian Financial Industry Facing Rising Online Fraud

» SPAMfighter News - 2/11/2011