Facebook Bug Lets Hackers Delete Friends

swandives writes "There's lot of talk about Facebook and privacy at the moment, but a bug in Facebook's website lets hackers delete Facebook friends without permission. Steven Abbagnaro, a student from Marist College in Poughkeepsie, New York, reported the flaw, writing proof-of-concept code that scrapes publicly available data from users' Facebook pages and deletes all of their friends, one by one. The victim first has to click on a malicious link while logged into Facebook. Abbagnaro's code exploits the same underlying flaw that was first reported by Alert Logic security analyst M.J. Keith who discovered a cross-site request forgery bug, where the website doesn't properly check code sent by users' browsers to ensure that they were authorized to make changes on the site."

This is not a bug

"It's a feature."

Raising false hopes

[Thanshin]

In case you didn't RTFA, you can only delete the link between your facebook accounts, not the friends themselves.

And so dies our intricate plan to befriend our enemies and erase them from existance.

Re:Raising false hopes

[MichaelSmith]

They're a bunch of spoil sports:

5/11/2010 – Facebook notified of vulnerability
5/13/2010 – Work begins with Facebook to patch flaw.
5/14/2010 – Facebook confirms flaw is patched.

5/24/2010 – Post on slashdot.

Re:Raising false hopes

[Thanshin]

They're a bunch of spoil sports:
5/11/2010 - Facebook notified of vulnerability
5/13/2010 - Work begins with Facebook to patch flaw.
5/14/2010 - Facebook confirms flaw is patched.

5/24/2010 - Post on slashdot.

5/28/2010 - Dupe post on Slashdot.
6/15/2010 - Trupe post on Slashdot.
6/15/2010 - AskSlashdot question about whether dupe+1 = trupe or redupe. Links to original post.
6/15/2010 - Slashdot is slashdotted, creating a singular paradox.
5/24/2010 - The end of the world as we know it.

Social networking sucks

[asherlev]

I deleted my Facebook account a week or so ago, and I was, at the time, hoping that diaspora would end up being something besides vaporware. After a week without it, though, I find myself pleased with my lack of knowledge about what people I didn't like in high school had for dinner.

Re:Social networking sucks

[Fnkmaster]

Just to give you a word of support - ignore the people saying it's your fault for who you accepted as a friend. The problem is that it's easy to say "yes, this person is my friend", even if they are somebody marginal who you never particularly cared for (it's easy to click "Ignore" for evil ex-girlfriends and the real assholes from high school). But it's very hard to rethink that and unfriend them in such a public forum later on, and have to deal with awkward questions about why you unfriended so-and-so. However, that is what Facebook made the "hide this person's updates" feature for - when somebody isn't egregiously awful enough to unfriend, but you just don't want to see their bullshit updates anymore.

In any case, I didn't actually delete my Facebook account, but I have cleared out any information but the absolute basics. And I began an experiment by avoiding logging into Facebook for a week. I found that I rapidly reverted to visiting other websites and finding other things online to fill my down time at work.

I believe the reason Facebook is so addictive is the feed mechanism. It fills our psychological need for gossip and trivial sorts of information about friends. However, like many addictive things, I think too much of a "good" thing (and by good thing, I mean it's fun, enjoyable, makes us feel connected) is no longer a good thing. While I want to know when old friends go back to grad school, get engaged, married, or have their first kids, I don't really want to hear somebody's snarky comments about their workplace, read about their lost cell phone, hear about how they just bought an iPad and it's changed their lives, or read about their drunken escapades.

So the point - I agree with you, and I think we are both going to be happier, with cleaner, fresher, less cluttered minds for turning our backs on this inane distracting chatter. Saying "I'm Facebook friends with them" has become synonymous with "they are somebody I know but don't really give enough of a shit about to keep up with in real life".

Re:Social networking sucks

[sakdoctor]

You're missing the point because that isn't the reality of using facebook.

What actually happens is that when you first signed up, you naively used your real name. Then loads of people from your past, who you couldn't give two shits about, inexplicably add you.
As a new user you aren't going to press ignore, so you confirm everyone.

In the default mode, your front page is now full of the most verbose idiots literally broadcasting what they had for dinner.

Finally you delete your account, because facebook is a horrible ad ridden, malware invested fad, and it's dying. Or at least becoming a zombie.

Re:Social networking sucks

[StuartHankins]

They were going to give him a wedgie if he didn't add them.

Re:GOOD I'VE GOT A FEW FRIENDS I DON'T NEED ANYMOR

[Thanshin]

How soon can I get them out of the picture, if you know what I mean.

Sorry but I don't think the hack goes as far as photoshopping your pictures to erase your friends from them.

Patched already

[wannabgeek]

The CSRF bug page in the summary says that facebook confirmed that it's patched already. And the actual hacker's page says that he found if he does a little more (delete a few more parameters as well as the "post_form_id"), the CSRF resurfaces.

Anyway, he posted an update saying fb patched this one now (22 May)..