
Facebook glitch exposed

By Nicola Mawson, Contributing journalist
Johannesburg, 16 Jul 2013
A vulnerability within Facebook's e-mail claim system left it open for hackers to steal accounts.

Yet another exploit on social media giant Facebook has been exposed and - although it has been rectified - the white hat hacker has a few other vulnerabilities that will be disclosed once they are patched by the Facebook team.

Facebook is the world's largest social network, with more than a billion users, and more than six million of these are from SA, according to aggregated data from Blue Magnet.

The latest vulnerability follows one the company fixed last month after a bug in Facebook's system led to the accidental exposure of six million of its users' phone numbers and e-mail addresses to people with some or little information about them.

The information leaks, which began in 2012, meant that Facebook users who downloaded contact data for their list of friends obtained additional information they were not supposed to have. Although the latest vulnerability was written about last month, it has received little attention and Facebook does not seem to have posted anything about the flaw.

Open door

Dan Melamed, security researcher, writes there was a "critical vulnerability" in Facebook that allowed hackers to easily take complete control over any Facebook account. "If the victim is logged into Facebook, all a hacker has to do is get the victim to visit a Web site link. Once the link has loaded, the attacker is able to reset the victim's password."

Melamed says the vulnerability was in the "claim e-mail address" component of Facebook. He tells ITWeb the number of people who were affected is "theoretically everyone" who has a Facebook account.

"Technically, anyone who clicks a link or views a malicious Web page can fall victim to this exploit. So the only limit is the amount of victims that hackers want to target."

Dodgy link

Melamed explains that another e-mail could be added to the target's Facebook account by exploiting the vulnerability, allowing the hacker to reset the Facebook password through the added e-mail.

If users try to add an e-mail address to an account, as long as that address already exists in Facebook's system, they have the option to claim it, says Melamed. However, Facebook did not check who this request came from, which allowed any e-mail to be claimed on any Facebook account, he says.

Detailing how the exploit was done, Melamed writes that two Facebook accounts are required: one to initiate the claim process, and a second account to which the e-mail address being acquired is added.

For example, when making a claim request for a @hotmail.com e-mail, people are redirected to a link that contains a parameter appdata[fbid], which was the encrypted e-mail address, writes Melamed. The 'claimer' is then sent to the sign-in page for Hotmail, where one signs in, and then is taken to a final link, he notes.

Viewing the source code will show the claim e-mail process has succeeded, giving hackers about three hours before the link expires, writes Melamed. The link can also be visited from any Facebook account because there is no check to see who made this request, he adds.

All a hacker has to do is insert the link on a Web page as either an image or an iframe, and the victim is sent a link, which - once clicked - adds the e-mail to their Facebook account, without notification, which allows the hacker to reset their Facebook password, says Melamed.

This vulnerability has been confirmed to be patched by the Facebook security team, says Melamed.
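As an added illustration, not from the article and not Facebook's code: a constructed toy e-mail claim service that shows the effect of the missing origin check Melamed describes, and the fix of binding the claim to the account that started it and expiring it. Account names, the three-hour window and the result strings are assumptions for the demonstration.

```python
import secrets

# Constructed toy model of an "add e-mail by claim" flow; not Facebook's implementation.
class ClaimService:
    def __init__(self, bind_to_requester=True, ttl=3 * 3600):
        self.bind_to_requester = bind_to_requester  # False reproduces the flaw described
        self.ttl = ttl                              # assumed ~3h validity of a claim link
        self.pending = {}   # claim token -> (initiating account, email, issued_at)
        self.emails = {}    # account -> set of e-mails attached to it

    def start_claim(self, uid, email, now):
        # Issued after the claimer proves control of the mailbox (sign-in step omitted).
        token = secrets.token_urlsafe(16)
        self.pending[token] = (uid, email, now)
        return token

    def finish_claim(self, session_uid, token, now):
        # The "final link": whichever logged-in account loads it completes the claim.
        rec = self.pending.get(token)
        if rec is None:
            return "no such claim"
        initiator, email, issued = rec
        if now - issued > self.ttl:
            del self.pending[token]
            return "expired"
        # The check the original flow lacked: the completing session must be the
        # account that initiated the claim, so a link planted in an image or iframe
        # on another site cannot attach the attacker's address to a visitor's account.
        if self.bind_to_requester and session_uid != initiator:
            return "claim was not started by this account"
        del self.pending[token]
        self.emails.setdefault(session_uid, set()).add(email)
        return "added"

def demo(bind_to_requester, delay=60):
    # Constructed scenario: "attacker" starts a claim for an address they control,
    # then "victim", logged in, loads the final link `delay` seconds later.
    svc = ClaimService(bind_to_requester=bind_to_requester)
    token = svc.start_claim("attacker", "attacker@example.com", now=0)
    result = svc.finish_claim("victim", token, now=delay)
    hijacked = "attacker@example.com" in svc.emails.get("victim", set())
    return result, hijacked

if __name__ == "__main__":
    print("without origin check:", demo(False))  # attacker's e-mail lands on victim
    print("with origin check:   ", demo(True))   # claim refused
```

A real fix would also refuse to perform this state change on a plain GET that an image or iframe can trigger, but the account-binding check alone is what the article says was missing.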

Be careful

Mike Sharman, owner of communications agency Retroviral, says this latest exploit is worrying and Facebook seems to be glossing over vulnerabilities. He says while the company claims to value security and privacy, more and more of these incidents are cropping up.

Facebook has said: "Your trust is the most important asset we have, and we are committed to improving our safety procedures and keeping your information safe and secure."

Sharman adds users need to be smarter about what they are putting online and take more responsibility as people are publishing their entire lives. Although social media companies have a responsibility, users need to be responsible for what they publish. "It's a bit of a worrying trend at the moment."

However, Sharman does not expect the growing number of reported exploits to cause a drastic decline in Facebook's user base. He notes the company will reach a user sign-up ceiling at some point.

In the first quarter of the year, Facebook reported daily active users on average at 665 million, a 26% year-on-year gain, while monthly active users were 1.11 billion at the end of March, a 23% gain over the year. Mobile monthly active users grew 54% year-on-year to 751 million.
