Facebook Hacker Reveals His Method
Hackers have been exploiting the endless holes in the security nightmare that is Java, terrorizing Web and social giants –– Google, Facebook, Tumblr, Twitter, Pinterest –– over the past few weeks.
Meanwhile, another hacker called Nir Goldshlager found further proof of the accidental back doors that lead into the digital worlds so many of us trust with so much of our lives. And it doesn't even involve Java, Oracle's inexplicably popular stinking mess of a platform.
On Friday, Feb. 22 Goldshlager posted a guide on his blog to the procedure he used to discover and exploit “one of my favorite flaws” in Facebook’s application system.
The flaw was in the way Facebook's implementation of OAuth, the authorization protocol that lets apps act on a user's account, uses, reads and interprets the Web addresses that guide the site's many capabilities.
When someone creates a Facebook app, such as Facebook’s own Messages or Pages apps, that app is assigned an ID number that is used to track the app and relevant information.
Each ID number is tied to one website that it is allowed to redirect to. An app trying to redirect to any other website will result in an error. This is an example of Facebook’s security doing what it is supposed to.
But Goldshlager found that he could make the redirect go to other pages under Facebook's own Web address, instead of only the one website that the app ID is tied to.
Then he used this hop within Facebook to point at another app that would forward people to a website he had set up, which captured the user's session –– along with all their information and the permission to do anything to their profile –– and stored it in a file on his website.
But this process would have still stopped at the permission page, which would have alerted the user that an app was asking for permission to do anything –– read or send messages, update status, friend/unfriend people –– which would tip the victims off.
Goldshlager figured out that, if he pretended to be an official Facebook app, like Messages, Facebook would trust the request and not ask for permission, giving the hacker free access to whatever they wanted to do.
Now, Goldshlager being a nice guy and all (a white hat hacker, as such security types are called), didn't tell anyone about it until after Facebook had fixed the problem, to make sure no one else could do it.
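The whole chain above comes down to how the redirect address in an authorization request is compared with what the app registered, and whether the consent page can be skipped before that comparison has passed. As an added illustration (not Facebook's code and not taken from Goldshlager's post), here is a small Python model of a weak host-only redirect check next to a strict exact-match check, plus an authorization decision that only skips consent for a first-party app after the strict check succeeds. The app IDs, hosts and function names are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed registry: each client_id maps to the exact redirect URIs it registered.
# (Hypothetical values, not real Facebook app IDs.)
REGISTERED_REDIRECTS = {
    "app-1001": {"https://example-app.test/oauth/callback"},
    "app-2002": {"https://partner.test/login/done"},
}

# Constructed set of "official" clients for which the consent page is skipped.
FIRST_PARTY = {"app-1001"}


def weak_is_allowed(client_id, redirect_uri):
    """Weak check: accepts any URI whose host matches a registered host.

    Every other page on that host becomes a usable redirect target, including
    pages that themselves forward the user somewhere else.
    """
    allowed_hosts = {urlsplit(u).netloc for u in REGISTERED_REDIRECTS.get(client_id, ())}
    return urlsplit(redirect_uri).netloc in allowed_hosts


def strict_is_allowed(client_id, redirect_uri):
    """Strict check: exact match against the registered URIs.

    Rejects non-HTTPS schemes, fragments and embedded credentials, normalises
    scheme and host case, and then requires the full string (path and query
    included) to be one of the registered values.
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme.lower() != "https" or parts.fragment or parts.username or parts.password:
        return False
    normalised = urlunsplit(
        (parts.scheme.lower(), parts.netloc.lower(), parts.path, parts.query, "")
    )
    return normalised in REGISTERED_REDIRECTS.get(client_id, set())


def authorize(client_id, redirect_uri, user_consented):
    """Decide whether a token may be released to redirect_uri.

    The redirect check runs first; trust in a first-party client only ever
    removes the consent step, never the redirect binding.
    """
    if not strict_is_allowed(client_id, redirect_uri):
        return "error: redirect_uri mismatch"
    if client_id in FIRST_PARTY or user_consented:
        return "token released"
    return "consent required"


if __name__ == "__main__":
    # A same-host page carrying a forwarding parameter passes the weak check
    # but not the strict one.
    hop = "https://example-app.test/some/other/page?next=https://attacker.test"
    print("weak  :", weak_is_allowed("app-1001", hop))    # True
    print("strict:", strict_is_allowed("app-1001", hop))  # False
    print(authorize("app-1001", "https://example-app.test/oauth/callback", False))
    print(authorize("app-1001", hop, False))
```

The point of the model is the ordering in `authorize`: a client's first-party status decides only whether the user is asked, while the redirect destination is always bound to the registered value by exact comparison rather than by host.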
He ends the blog post by saying there is definitely more where that came from, but he will continue waiting to share until no one can be harmed by his doing so.
Can't you just wait to see how vulnerable we are right now?