Facebook Bug Lets Hackers Delete Friends
swandives writes "There's a lot of talk about Facebook and privacy at the moment, but a bug in Facebook's website lets hackers delete Facebook friends without permission. Steven Abbagnaro, a student from Marist College in Poughkeepsie, New York, reported the flaw, writing proof-of-concept code that scrapes publicly available data from users' Facebook pages and deletes all of their friends, one by one. The victim first has to click on a malicious link while logged into Facebook. Abbagnaro's code exploits the same underlying flaw that was first reported by Alert Logic security analyst M.J. Keith, who discovered a cross-site request forgery bug, where the website doesn't properly check code sent by users' browsers to ensure that they were authorized to make changes on the site."
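The summary describes the core of the CSRF flaw: the server accepts a state-changing request on the strength of the session cookie alone, and since the browser attaches that cookie automatically, a page on another site can trigger the deletion. The following is an added Python example, not Facebook's code and not Abbagnaro's proof of concept, contrasting a handler that trusts the cookie with one that also requires a per-session synchronizer token embedded in the genuine form. The in-memory session store, the `/remove_friend` route, and the parameter names `friend_id` and `csrf_token` are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store standing in for a real server-side one.
@dataclass
class Session:
    user_id: str
    friends: set
    # Per-session anti-CSRF token; the same-origin policy stops another
    # site's page from reading it out of the genuine form.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

SESSIONS: dict = {}  # session cookie value -> Session

def login(user_id: str, friends) -> str:
    """Create a session and return the cookie the browser will attach to every request."""
    cookie = secrets.token_urlsafe(16)
    SESSIONS[cookie] = Session(user_id=user_id, friends=set(friends))
    return cookie

def render_form(cookie: str) -> str:
    """The genuine page embeds the session's token as a hidden field (hypothetical markup)."""
    s = SESSIONS[cookie]
    return (
        '<form method="post" action="/remove_friend">'
        f'<input type="hidden" name="csrf_token" value="{s.csrf_token}">'
        '<input type="hidden" name="friend_id"></form>'
    )

def remove_friend_vulnerable(cookie: str, params: dict) -> str:
    """Vulnerable handler: the session cookie alone authorises the change."""
    s = SESSIONS.get(cookie)
    if s is None:
        return "401 not logged in"
    s.friends.discard(params.get("friend_id"))
    return "200 removed"

def remove_friend_hardened(cookie: str, params: dict) -> str:
    """Hardened handler: the request must also carry the token only the real page can know."""
    s = SESSIONS.get(cookie)
    if s is None:
        return "401 not logged in"
    supplied = params.get("csrf_token", "")
    # Constant-time comparison; an absent or wrong token rejects the request
    # before any state is touched.
    if not hmac.compare_digest(supplied, s.csrf_token):
        return "403 csrf token missing or invalid"
    s.friends.discard(params.get("friend_id"))
    return "200 removed"

def simulate(handler) -> tuple:
    """Drive one handler with a forged cross-site request, then a genuine one.

    The browser attaches the victim's cookie to both requests; only the
    genuine page (same origin) can read the token that render_form() emits.
    Returns (forged result, genuine result, remaining friends).
    """
    cookie = login("victim", ["alice", "bob"])
    # Forged request: a third-party page knows a friend_id (scraped from
    # public data, as in the summary) but cannot read the victim's csrf_token.
    forged = handler(cookie, {"friend_id": "alice"})
    # Genuine request: submitted from the real form, token included.
    token = SESSIONS[cookie].csrf_token
    genuine = handler(cookie, {"friend_id": "bob", "csrf_token": token})
    return forged, genuine, sorted(SESSIONS[cookie].friends)

if __name__ == "__main__":
    print("vulnerable:", simulate(remove_friend_vulnerable))
    print("hardened:  ", simulate(remove_friend_hardened))
```

Running `simulate` against the vulnerable handler removes both friends; against the hardened one the forged request is refused and only the genuine removal goes through. The point of the design is that the token check is enforced server-side on every state-changing endpoint regardless of which other parameters are present, so the protection cannot be bypassed by simply leaving fields out of the request.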
They're a bunch of spoil sports:
5/11/2010 – Facebook notified of vulnerability
5/13/2010 – Work begins with Facebook to patch flaw.
5/14/2010 – Facebook confirms flaw is patched.
5/24/2010 – Post on slashdot.
http://michaelsmith.id.au
You can send them a link to http://www.quitfacebookday.com/
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
The CSRF bug page in the summary says that Facebook confirmed that it's patched already. And the actual hacker's page says that he found if he does a little more (delete a few more parameters as well as the "post_form_id"), the CSRF resurfaces.
Anyway, he posted an update saying FB patched this one now (22 May).
I'm much more funny, interesting and insightful than the moderators think
It's not PHP's fundamental flaw that deletes your Facebook friends, it's the programmer's bad authentication design.