A Security Hacker Claims Flaw in System Enables Developers to Access Any Facebook Account


By: Ali Raza  |   February 23rd, 2013   |   News, Social Media

Nir Goldshlager, a security researcher, found a flaw in Facebook's app-permission (OAuth) system that would have let a developer break into any account on the social networking site. Goldshlager did not exploit the flaw; as a professional web application security researcher who specialises in finding exactly this kind of bug, he reported it to Facebook instead. Facebook praised his work and fixed the issue. This was not, however, the only flaw Goldshlager had noticed.

Here are the exact words of Goldshlager from his blog post, where he detailed this issue, “I found a couple more OAuth flaws in Facebook, just waiting for a fix to post about it.”

Goldshlager wrote in his blog post that he has found further app-authorization flaws in Facebook's system that still need to be addressed. As he explains it, app permissions are what allow developers to access the user information their applications need, and a developer is granted that access as soon as the user installs the app.

Facebook did not comment on the additional flaws Goldshlager has discovered, but the company did say that the first bug he reported was not exploited by any actual developers. The company also did not say when Goldshlager first contacted it about that bug.

In an e-mail to CNET, a Facebook representative wrote that, “We applaud the security researcher who brought this issue to our attention and for responsibly reporting the bug to our White Hat Program. We worked with the team to make sure we understood the full scope of the vulnerability, which allowed us to fix it without any evidence that this bug was exploited in the wild. Due to the responsible reporting of this issue to Facebook, we have no evidence that users were impacted by this bug. We have provided a bounty to the researcher to thank them for their contribution to Facebook Security.”

According to CNET, “The bug Goldshlager found allowed him to steal access tokens and gain full access to a profile as a developer. This included messages, pages management, ad management, private photos, and videos. This applied to profiles that didn’t install extra apps because he could go through Facebook’s built-in apps, like messenger, as well. The tokens for third-party apps didn’t expire unless the victim changed his or her password, but the messenger app tokens for Facebook messenger never expired, he wrote.”

Source: CNET

Photo: PakistanToday