Facebook Bug Lets Hackers Delete Friends

← Back to Stories (view on slashdot.org)

Facebook Bug Lets Hackers Delete Friends

Posted by timothy on Sunday May 23, 2010 @10:33PM from the friends-don't-let-friends dept.

swandives writes "There's lot of talk about Facebook and privacy at the moment, but a bug in Facebook's website lets hackers delete Facebook friends without permission. Steven Abbagnaro, a student from Marist College in Poughkeepsie, New York, reported the flaw, writing proof-of-concept code that scrapes publicly available data from users' Facebook pages and deletes all of their friends, one by one. The victim first has to click on a malicious link while logged into Facebook. Abbagnaro's code exploits the same underlying flaw that was first reported by Alert Logic security analyst M.J. Keith who discovered a cross-site request forgery bug, where the website doesn't properly check code sent by users' browsers to ensure that they were authorized to make changes on the site."

12 of 89 comments (clear)

Min score:

Reason:

Sort:

GOOD I'VE GOT A FEW FRIENDS I DON'T NEED ANYMORE by Anonymous Coward · 2010-05-23 22:36 · Score: 2, Funny

How soon can I get them out of the picture, if you know what I mean.
This is not a bug by Anonymous Coward · 2010-05-23 22:37 · Score: 5, Funny

"It's a feature."
Re:GOOD I'VE GOT A FEW FRIENDS I DON'T NEED ANYMOR by MichaelSmith · 2010-05-23 22:37 · Score: 3, Funny

Thats one hell of a bug. I didn't know you could do that much damage with php.

--
http://michaelsmith.id.au
Raising false hopes by Thanshin · 2010-05-23 22:38 · Score: 5, Funny

In case you didn't RTFA, you can only delete the link between your facebook accounts, not the friends themselves.
And so dies our intricate plan to befriend our enemies and erase them from existance.
1. Re:Raising false hopes by Thanshin · 2010-05-23 22:52 · Score: 5, Funny
  
  They're a bunch of spoil sports:
  5/11/2010 - Facebook notified of vulnerability
  5/13/2010 - Work begins with Facebook to patch flaw.
  5/14/2010 - Facebook confirms flaw is patched.
  5/24/2010 - Post on slashdot.
  5/28/2010 - Dupe post on Slashdot.
  6/15/2010 - Trupe post on Slashdot.
  6/15/2010 - AskSlashdot question about whether dupe+1 = trupe or redupe. Links to original post.
  6/15/2010 - Slashdot is slashdotted, creating a singular paradox.
  5/24/2010 - The end of the world as we know it.
2. Re:Raising false hopes by Zebaulon · 2010-05-24 01:58 · Score: 2, Funny
  
  5/28/2010 - Dupe post on Slashdot.
  6/15/2010 - Trupe post on Slashdot.
  6/15/2010 - AskSlashdot question about whether dupe+1 = trupe or redupe. Links to original post.
  6/15/2010 - Slashdot is slashdotted, creating a singular paradox.
  5/24/2010 - The end of the world as we know it.
  And I feel fine.
So THAT'S Why I Don't Have Any Friends on Facebook by Anonymous Coward · 2010-05-23 22:41 · Score: 3, Funny

It was ... the hackers ... yes, that's it, it was the hackers that must have made everyone defriend me.
Re:GOOD I'VE GOT A FEW FRIENDS I DON'T NEED ANYMOR by Thanshin · 2010-05-23 22:48 · Score: 4, Funny

How soon can I get them out of the picture, if you know what I mean.
Sorry but I don't think the hack goes as far as photoshopping your pictures to erase your friends from them.
Hey, wait a minute... by wilder_card · 2010-05-24 00:09 · Score: 3, Funny

Hackers have friends???
Can we name the bug? by Yvan256 · 2010-05-24 00:58 · Score: 2, Funny

May we suggest the name "KipDrordy" for the bug?
Re:Social networking sucks by StuartHankins · 2010-05-24 01:39 · Score: 4, Funny

They were going to give him a wedgie if he didn't add them.
Re:GOOD I'VE GOT A FEW FRIENDS I DON'T NEED ANYMOR by zalas · 2010-05-24 04:41 · Score: 2, Funny

I wonder how long before someone writes an app that connects Facebook friend deletion events with Photoshop's Content-aware Fill feature... They could name the app "Stalin".