Facebook summarily denies undeniable user-menacing security hole

Facebook's hip new application platform contains a gaping hole that allows attackers to run malicious JavaScript on unsuspecting users' machines, a developer has demonstrated. Proof-of-concept code examined by El Reg shows how the platform can be used to steal Facebook users' session identification cookies, deliver pop-up …

COMMENTS

This topic is closed for new posts.
  1. Jodo Kast
    Alert

    I thought so...

    After checking around, this seems accurate.

  2. Christopher Jerome
    Pirate

    I knew it!

    That bitchy queen Zuckerberg needs to sit down and fix his code! The whole thing is a MESS!

  3. Anonymous Coward
    Thumb Down

    Go Go Gadget exploit hole!

    This is why you don't use the addons on places like that unless you can 'trust' them. Do you really need those 8 versions of "How hot am I", "Rate your friends", "Add this application or a puppy dies"?

    I'd say treat the applications you put on there as you'd treat giving out contact details, but we all know how well that usually goes.

    One nice little hole that I've wondered about is the fact that the applications gain access to your information when you add them, a nice box saying:

    "Know who I am and access my information"

    Unticking this gives you:

    "Granting access to information is required to add applications. If you are not willing to grant access to your information, do not add this application."

    Why is the option there then?

    http://developers.facebook.com/user_terms.php - Platform Application Terms of Use . I love section 2b. A Data Miner's wet Dream?

  4. Anonymous Coward
    Paris Hilton

    Say it ain't so...

    Bitch?

    I chose Paris because she'd say "That's not hot, bitch!"

  5. Chris Ellis
    Thumb Down

    What do you expect.

    It's written in PHP and MySQL, hardly known for secure applications or scalability. It's a powder keg waiting for crap developers.

  6. Herby
    Joke

    And sane people...

    ...use FaceBook??

    Why bother! It is probably much easier to stand on a street corner (or Hyde Park) and shout "LOOK AT ME".

  7. yeah, right.

    heh

    "Security by obscurity" has now become "security by assertion". Facebook has asserted that the hole doesn't exist, therefore, it doesn't.

    One wonders if they're even working on a fix, or if they're still so far up their own arse that they think Facebook is relevant.

  8. Tuomo Stauffer
    Pirate

    More - and sane people...

    Right, and besides, Hyde Park is a lovely park, one of my favorite places in April, but unfortunately I'm not able to visit it often. FaceBook: no flowers, no spring rain, definitely no entertaining and funny people, no pubs near... Yes, if I have something to say, I will go to Hyde Park. Try it, you will love it! Next time I'm in London, hopefully in April, see you there and not on the Internet. Besides, it's totally safe, except of course from some very good British humor; the comments are way better than what you see on the Internet!

  9. Anonymous Coward
    Boffin

    @Chris Ellis

    "It's written in PHP and MySQL, hardly known for secure applications or scalability"

    I disagree... PHP and MySQL can be perfectly secure and scalable; it just depends on the talents of the programmer. I've seen loads of times when someone has used a module or application from a third party without properly checking it and thus exposing gaping security holes...

    I'm not saying that what I write is perfect, but a company I used to work for thought that putting the admin pages in /admin/ without any password checking was OK ("it's not linked-to so no-one will know it's there")... they worked in ASP.

    What you're saying is akin to "this book is rubbish because it was written on a mac"... it may be true that it was written on a mac, but it's the (lack of) talent of the author that you should be criticising!

  10. Stuart Harrison

    @ Herby

    I think that comment relates more to MySpace, not Facebook...

  11. Anonymous Coward
    Flame

    RE:What do you expect

    "It's written in PHP and MySQL, hardly known for secure applications or scalability. It's a powder keg waiting for crap developers."

    Yeah, because ASP applications are 100% secure...

  12. Chris Harden

    ...and sane people

    But.....it's more obvious if you just wander out of the office during working hours to randomly go visit Hyde Park during a compile.....

    ...I really should try that though:

    "Where are you??"

    "Hyde Park"

    "Why? You're supposed to be working?"

    "My...code is compiling?"

  13. Bronek Kozicki
    Coat

    almost forgot

    I assert that this coat is mine.

  14. Benny
    Thumb Down

    @ What do you expect

    Riiiiiight, because there aren't crap developers in other languages/DBs..

  15. Bronek Kozicki
    Coat

    @yeah, right

    "security by assertion" is a long standing tradition of clueless coders, who write 95% of software out there. I was tempted to cite an example from Microsoft's own MFC library (probably the most popular library ever used by Windows programmers), but resisted. There are just too many assertions that make no sense.

  16. Anonymous Coward
    Anonymous Coward

    After reading this...

    ... I'm glad that I don't allow FB apps on my profile. It looks boring as f, but at least security issues are not a problem. Really. Honest.

    And of course my email to FB pointing to this article and telling them to get their finger out of their backsides and do something about it instead of disclaiming it.

    :-)

  17. Jamie Kitson

    Fixed?

    Visiting that page I get:

    The bug is fixed :)

  18. Bruno de Florence

    Good

    Well, if this vulnerability allows for profiles to be deleted, I am all for it. I had a FB account for a few weeks, thought it was utterly useless, and tried to close it down. I found out that you could only make it "dormant", as opposed to being able to delete the whole thing. So I hope someone will inject the malicious code into my "dormant" profile.

    As for PHP & MySQL, if it's good enough for EL REG to run WordPress, then it's good enough for me :-)

  19. Colin Millar
    Boffin

    Re PHP MySQL ASP comments

    Far too high level: try a bit lower

    Failure to parse for script is on a par with not handling

    OR '' = ''
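The comparison in this comment, worked through as an added example that is not part of the original thread: Python with an in-memory sqlite3 table stands in for the PHP/MySQL stack discussed, the user table and its single row are constructed for the demonstration, and each unsafe function is paired with the corresponding fix (a parameterised query for the tautology above, HTML encoding for script in comment text).

```python
import html
import sqlite3


def make_db():
    """Constructed sample user store (not any real site's schema or data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db


def login_concat(db, name, password):
    """Unsafe: input is pasted into the SQL text, so a value such as
    ' OR '' = ' turns the WHERE clause into  password = '' OR '' = ''
    and the check passes for any account."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return db.execute(sql).fetchone()[0] > 0


def login_param(db, name, password):
    """Fix: placeholders keep the input as data; the same string is just
    a password that matches no row."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()[0] > 0


def render_comment_raw(text):
    """Unsafe: comment text is emitted into the page unencoded, so any
    markup in it (a script element included) is parsed as markup."""
    return "<p>" + text + "</p>"


def render_comment_escaped(text):
    """Fix: encode for the HTML text context; the same input stays text."""
    return "<p>" + html.escape(text, quote=True) + "</p>"
```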
