Facebook Bug Lets Hackers Delete Friends

swandives writes "There's lot of talk about Facebook and privacy at the moment, but a bug in Facebook's website lets hackers delete Facebook friends without permission. Steven Abbagnaro, a student from Marist College in Poughkeepsie, New York, reported the flaw, writing proof-of-concept code that scrapes publicly available data from users' Facebook pages and deletes all of their friends, one by one. The victim first has to click on a malicious link while logged into Facebook. Abbagnaro's code exploits the same underlying flaw that was first reported by Alert Logic security analyst M.J. Keith who discovered a cross-site request forgery bug, where the website doesn't properly check code sent by users' browsers to ensure that they were authorized to make changes on the site."

a self-copying worm code

[bl8n8r]

The article seems to be directed at facebook, but it sounds to me like there needs to be a browser or OS exploit first in order to work: "combine an exploit for this bug with spam or even a self-copying worm code". I'm not a facebook user (get off my lawn), but a lot of XSS flaws are browser specific and if there is a general browser exploit going on, this could affect more websites than facebook. TFA just sounds a little misdirected to me.