Slashdot Mirror


Facebook Bug Lets Hackers Delete Friends

swandives writes "There's a lot of talk about Facebook and privacy at the moment, but a bug in Facebook's website lets hackers delete Facebook friends without permission. Steven Abbagnaro, a student from Marist College in Poughkeepsie, New York, reported the flaw, writing proof-of-concept code that scrapes publicly available data from users' Facebook pages and deletes all of their friends, one by one. The victim first has to click on a malicious link while logged into Facebook. Abbagnaro's code exploits the same underlying flaw that was first reported by Alert Logic security analyst M.J. Keith who discovered a cross-site request forgery bug, where the website doesn't properly check code sent by users' browsers to ensure that they were authorized to make changes on the site."

28 of 89 comments

  1. GOOD I'VE GOT A FEW FRIENDS I DON'T NEED ANYMORE by Anonymous Coward · · Score: 2, Funny

    How soon can I get them out of the picture, if you know what I mean.

  2. This is not a bug by Anonymous Coward · · Score: 5, Funny

    "It's a feature."

    1. Re:This is not a bug by tuomoks · · Score: 2, Insightful

      Everything today is "a feature". Really tired of hearing about these "problems" - not really problems but laziness, ignorance, whatever by developers / designers! Yes, the base, the standards, the tools, and so on are flawed but nothing says the systems have to be coded that way, allowing all the security and other problems. I have tried a long time to defend the developers - it wasn't their problem that their tools, toys, systems, etc were bad but after so long - anyone anymore creating systems with these flaws is to blame!

      This is really getting out of hand - why would anyone build systems which allow these problems, cross-site without checking, whatever - on purpose? Sorry, after 30+ years designing / creating safe systems for global mission critical operations, public safety, etc - I just can't understand!! Yes - sometimes it means fighting the management and even customer but why would anyone do it - every time it comes back haunting you, badly! What has happened to separation of presentation, processing, authentication, authorization, etc?? The basic rules in safe computing! Or did your vendor licensing book forget to tell you about the bad and ugly world outside the door? If so - why not start thinking yourself?

  3. Re:GOOD I'VE GOT A FEW FRIENDS I DON'T NEED ANYMOR by MichaelSmith · · Score: 3, Funny

    That's one hell of a bug. I didn't know you could do that much damage with PHP.

  4. Raising false hopes by Thanshin · · Score: 5, Funny

    In case you didn't RTFA, you can only delete the link between your facebook accounts, not the friends themselves.

    And so dies our intricate plan to befriend our enemies and erase them from existence.

    1. Re:Raising false hopes by MichaelSmith · · Score: 5, Informative

      They're a bunch of spoil sports:

      5/11/2010 – Facebook notified of vulnerability
      5/13/2010 – Work begins with Facebook to patch flaw.
      5/14/2010 – Facebook confirms flaw is patched.

      5/24/2010 – Post on slashdot.

    2. Re:Raising false hopes by Thanshin · · Score: 5, Funny

      They're a bunch of spoil sports:
      5/11/2010 - Facebook notified of vulnerability
      5/13/2010 - Work begins with Facebook to patch flaw.
      5/14/2010 - Facebook confirms flaw is patched.

      5/24/2010 - Post on slashdot.

      5/28/2010 - Dupe post on Slashdot.
      6/15/2010 - Trupe post on Slashdot.
      6/15/2010 - AskSlashdot question about whether dupe+1 = trupe or redupe. Links to original post.
      6/15/2010 - Slashdot is slashdotted, creating a singular paradox.
      5/24/2010 - The end of the world as we know it.

    3. Re:Raising false hopes by Zebaulon · · Score: 2, Funny

      5/28/2010 - Dupe post on Slashdot.
      6/15/2010 - Trupe post on Slashdot.
      6/15/2010 - AskSlashdot question about whether dupe+1 = trupe or redupe. Links to original post.
      6/15/2010 - Slashdot is slashdotted, creating a singular paradox.
      5/24/2010 - The end of the world as we know it.

      And I feel fine.

  5. So THAT'S Why I Don't Have Any Friends on Facebook by Anonymous Coward · · Score: 3, Funny

    It was ... the hackers ... yes, that's it, it was the hackers that must have made everyone defriend me.

  6. Social networking sucks by asherlev · · Score: 5, Insightful

    I deleted my Facebook account a week or so ago, and I was, at the time, hoping that diaspora would end up being something besides vaporware. After a week without it, though, I find myself pleased with my lack of knowledge about what people I didn't like in high school had for dinner.

    1. Re:Social networking sucks by AmonTheMetalhead · · Score: 3, Insightful

      Why did you befriend them if you don't like them?

    2. Re:Social networking sucks by ClioCJS · · Score: 3, Insightful

      Blaming facebook for your friend choices. Classy.

      --
      -Clio
      Karma: Bad (mostly from not giving a fuck)
      Blog: http://clintjcl.wordpress.com

    3. Re:Social networking sucks by Fnkmaster · · Score: 4, Insightful

      Just to give you a word of support - ignore the people saying it's your fault for who you accepted as a friend. The problem is that it's easy to say "yes, this person is my friend", even if they are somebody marginal who you never particularly cared for (it's easy to click "Ignore" for evil ex-girlfriends and the real assholes from high school). But it's very hard to rethink that and unfriend them in such a public forum later on, and have to deal with awkward questions about why you unfriended so-and-so. However, that is what Facebook made the "hide this person's updates" feature for - when somebody isn't egregiously awful enough to unfriend, but you just don't want to see their bullshit updates anymore.

      In any case, I didn't actually delete my Facebook account, but I have cleared out any information but the absolute basics. And I began an experiment by avoiding logging into Facebook for a week. I found that I rapidly reverted to visiting other websites and finding other things online to fill my down time at work.

      I believe the reason Facebook is so addictive is the feed mechanism. It fills our psychological need for gossip and trivial sorts of information about friends. However, like many addictive things, I think too much of a "good" thing (and by good thing, I mean it's fun, enjoyable, makes us feel connected) is no longer a good thing. While I want to know when old friends go back to grad school, get engaged, married, or have their first kids, I don't really want to hear somebody's snarky comments about their workplace, read about their lost cell phone, hear about how they just bought an iPad and it's changed their lives, or read about their drunken escapades.

      So the point - I agree with you, and I think we are both going to be happier, with cleaner, fresher, less cluttered minds for turning our backs on this inane distracting chatter. Saying "I'm Facebook friends with them" has become synonymous with "they are somebody I know but don't really give enough of a shit about to keep up with in real life".

    4. Re:Social networking sucks by sakdoctor · · Score: 4, Insightful

      You're missing the point because that isn't the reality of using facebook.

      What actually happens is that when you first signed up, you naively used your real name. Then loads of people from your past, who you couldn't give two shits about, inexplicably add you.
      As a new user you aren't going to press ignore, so you confirm everyone.

      In the default mode, your front page is now full of the most verbose idiots literally broadcasting what they had for dinner.

      Finally you delete your account, because facebook is a horrible ad ridden, malware infested fad, and it's dying. Or at least becoming a zombie.

    5. Re:Social networking sucks by StuartHankins · · Score: 4, Funny

      They were going to give him a wedgie if he didn't add them.

    6. Re:Social networking sucks by adamofgreyskull · · Score: 2, Interesting

      You're missing the point because that isn't the reality of using facebook.

      In the default mode, your front page is now full of the most verbose idiots literally broadcasting what they had for dinner.

      No. I don't think he was missing the point. You can remove anyone and any application from your "feed". If you really think the people, who you added as friends, are "verbose idiots" and they are literally broadcasting what they had for dinner, then why not just remove them? Or you could just not add them in the first place? You have the choice to cease being friends with people or to not become friends with them, just as you do in real life. If you felt obligated to add them as a new user and are now scared to remove them, then it sucks to be you. If you befriended someone in real life and they kept ringing you up to tell you that they just bought some new fish and that they were about to eat McDonalds, then go and see a movie, would you sell up and move to a shack in the woods?

      Finally you delete your account, because facebook is a horrible ad ridden, malware infested fad, and it's dying. Or at least becoming a zombie.

      "Ad ridden"? Not noticed. There are no, or very few, obnoxious ads on there that I've seen. The ones that I have seen are text ads with no/very small pictures and all seem to be vaguely relevant and unobtrusive, and you even have the option to click on specific ads if you think they're inappropriate, or irrelevant etc. (I forget the exact options) to get rid of them. As for malware, again, not that I've noticed.

      Your main gripe would seem to be that Facebook is a "social networking" site and that you have no interest in being social, nor in networking. The second gripe regarding "malware" is either imaginary, or a product of your befriending of mouth-breathers...who you don't like. As for the "ad ridden" part...that's either made up, or ad-block is removing all the ads for me. (inb4 YHBT)

    7. Re:Social networking sucks by Bakkster · · Score: 2, Insightful

      PEBKAC

      --
      Write your representatives! Repeal the 2nd Law of Thermodynamics!

  7. Re:GOOD I'VE GOT A FEW FRIENDS I DON'T NEED ANYMOR by Thanshin · · Score: 4, Funny

    How soon can I get them out of the picture, if you know what I mean.

    Sorry but I don't think the hack goes as far as photoshopping your pictures to erase your friends from them.

  8. Patched already by wannabgeek · · Score: 4, Informative

    The CSRF bug page in the summary says that facebook confirmed that it's patched already. And the actual hacker's page says that he found if he does a little more (delete a few more parameters as well as the "post_form_id"), the CSRF resurfaces.

    Anyway, he posted an update saying fb patched this one now (22 May).

    --
    I'm much more funny, interesting and insightful than the moderators think

  9. a self-copying worm code by bl8n8r · · Score: 3, Interesting

    The article seems to be directed at facebook, but it sounds to me like there needs to be a browser or OS exploit first in order to work: "combine an exploit for this bug with spam or even a self-copying worm code". I'm not a facebook user (get off my lawn), but a lot of XSS flaws are browser specific and if there is a general browser exploit going on, this could affect more websites than facebook. TFA just sounds a little misdirected to me.

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org

    1. Re:a self-copying worm code by tokul · · Score: 2, Insightful

      lot of XSS flaws are browser specific and if there is a general browser exploit going on, this could affect more websites than facebook

      It is not XSS, but CSRF. Cross-site request forgery. Such exploits are designed to exploit the way a site processes user inputs. If a site uses custom forms or request fields, the exploit will work only on this site and in most of the cases it is not specific to some browser.
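The summary, wannabgeek's note that the bug resurfaced once the "post_form_id" parameter was dropped, and tokul's CSRF-versus-XSS point all come down to the same server-side question: does a state-changing request carry proof that it came from the site's own page, and is that proof checked unconditionally? The following is an added illustration, not Facebook's code or the researcher's proof of concept. It models a "remove friend" endpoint with an in-memory session store; the field name "post_form_id" is taken from the thread, while the session store, the handler names and the specific failure mode of the weak handler (it validates the token only when the field happens to be present) are assumptions chosen to show the class of bug, not a claim about how Facebook's check actually failed.

```python
"""Illustrative CSRF token check (added example; not Facebook's code).

A cross-site request differs from a same-site one in exactly one way that the
server can observe: the browser attaches the victim's session cookie to both,
but only the site's own page can read and resubmit the per-session token.
"""
import hmac
import secrets

# Constructed in-memory store: session id -> {"csrf_token": ..., "friends": [...]}
SESSIONS = {}


def new_session(friends):
    """Log a user in: mint a session id and a per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_hex(32), "friends": list(friends)}
    return sid


def form_token(sid):
    """The value the site's own page embeds in its forms (readable same-origin only)."""
    return SESSIONS[sid]["csrf_token"]


def remove_friend_weak(sid, form):
    """Assumed flawed handler: the token is compared only when the field is sent.

    A forged request that simply omits post_form_id never reaches the comparison
    and is processed as if it were legitimate.
    """
    sess = SESSIONS[sid]
    if "post_form_id" in form and form["post_form_id"] != sess["csrf_token"]:
        return "rejected"
    if form.get("friend_id") not in sess["friends"]:
        return "rejected"
    sess["friends"].remove(form["friend_id"])
    return "removed"


def remove_friend_hardened(sid, form):
    """Require the token on every state change.

    Absent or empty token, unknown session and mismatched value all reject;
    the comparison is constant-time so the check leaks nothing about the token.
    """
    sess = SESSIONS.get(sid)
    token = form.get("post_form_id")
    if sess is None or not isinstance(token, str) or not token:
        return "rejected"
    if not hmac.compare_digest(token.encode(), sess["csrf_token"].encode()):
        return "rejected"
    if form.get("friend_id") not in sess["friends"]:
        return "rejected"
    sess["friends"].remove(form["friend_id"])
    return "removed"


def cross_site_request(handler, sid, friend_id):
    """Simulate a request triggered from another origin.

    The browser sends the victim's session cookie (sid) automatically, but the
    foreign page cannot read the token, so the form arrives without it.
    """
    return handler(sid, {"friend_id": friend_id})


def same_site_request(handler, sid, friend_id):
    """Simulate a submission of the site's own form, which carries the token."""
    return handler(sid, {"friend_id": friend_id, "post_form_id": form_token(sid)})


if __name__ == "__main__":
    sid = new_session(["alice", "bob"])
    print("weak, cross-site:     ", cross_site_request(remove_friend_weak, sid, "alice"))
    print("hardened, cross-site: ", cross_site_request(remove_friend_hardened, sid, "bob"))
    print("hardened, same-site:  ", same_site_request(remove_friend_hardened, sid, "bob"))
    print("friends left:         ", SESSIONS[sid]["friends"])
```

The difference between the two handlers is the default when the token is missing: the hardened one treats "no token" as "reject", which is what closes the gap wannabgeek describes. This also bears out tokul's point that the flaw is server-side and browser-independent: nothing in the forged request depends on a browser bug, only on the server accepting a cookie-authenticated request without same-origin proof.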

  10. And since Facebook only notifies you of "good" new by ickleberry · · Score: 2, Insightful

    It's hard to tell if your friends have been affected by this 'bug'. If someone unfriends you then you might never know, yet when you add a new one it's all over everyone else's page.

  11. At last an easy way to... by jimwormold · · Score: 2, Insightful

    ... delete an account from facebook!

  12. Hey, wait a minute... by wilder_card · · Score: 3, Funny

    Hackers have friends???

  13. Bug condition: by Anci3nt+of+Days · · Score: 2, Interesting

    After the bug deletes all your friends... Tom is added.

    He was feeling all left out when everyone left myspace.

  14. Can we name the bug? by Yvan256 · · Score: 2, Funny

    May we suggest the name "KipDrordy" for the bug?

  15. No Mother-in-law by ubrgeek · · Score: 3, Insightful

    I didn't delete you as a friend. And now the system won't let me add you back. Damn those evil, evil hackers!

    --
    Bark less. Wag more.

  16. Re:GOOD I'VE GOT A FEW FRIENDS I DON'T NEED ANYMOR by zalas · · Score: 2, Funny

    I wonder how long before someone writes an app that connects Facebook friend deletion events with Photoshop's Content-aware Fill feature... They could name the app "Stalin".