Slashdot Mirror

← Back to Stories (view on slashdot.org)

Facebook Bug Lets Hackers Delete Friends

Posted by timothy on from the friends-don't-let-friends dept.

swandives writes "There's lot of talk about Facebook and privacy at the moment, but a bug in Facebook's website lets hackers delete Facebook friends without permission. Steven Abbagnaro, a student from Marist College in Poughkeepsie, New York, reported the flaw, writing proof-of-concept code that scrapes publicly available data from users' Facebook pages and deletes all of their friends, one by one. The victim first has to click on a malicious link while logged into Facebook. Abbagnaro's code exploits the same underlying flaw that was first reported by Alert Logic security analyst M.J. Keith who discovered a cross-site request forgery bug, where the website doesn't properly check code sent by users' browsers to ensure that they were authorized to make changes on the site."

1 of 89 comments (clear)

  1. Re:Raising false hopes by MichaelSmith · · Score: 5, Informative

    They're a bunch of spoil sports:

    5/11/2010 – Facebook notified of vulnerability
    5/13/2010 – Work begins with Facebook to patch flaw.
    5/14/2010 – Facebook confirms flaw is patched.

    5/24/2010 – Post on slashdot.

    --
    http://michaelsmith.id.au