Slashdot Mirror


Facebook Fixes Bug That Allowed Users To Set Other Users' Passwords

An anonymous reader writes: Facebook has paid $15,000 (€13,600) to an independent security researcher who discovered a simple way of resetting passwords for other people's Facebook accounts, setting a new passphrase and effectively taking over profiles.

The problem was in the fact that Facebook also runs a Beta platform on beta.facebook.com. This platform's "reset password" feature did not include brute-force protection and allowed anyone to guess the six-digit verification code sent to someone's phone when resetting the password. This issue also raises another question: How many unsafe features are on Facebook's beta platform that have not been patched simultaneously with the main platform?
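The weakness described above is an unbounded verification endpoint: a six-digit code has only a million possible values, so a server that will check guesses indefinitely gives the code no real strength. The following Python sketch is an added example written for this mirror page, not Facebook's code, showing the controls a reset-code verifier needs: a random code per request, a lifetime, a cap on wrong guesses after which the code is burned, one-time use, and a constant-time comparison. The limits (10-minute lifetime, 5 attempts), the in-memory store and the `FakeClock` used for the demonstration are constructed for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


CODE_TTL_SECONDS = 600  # constructed policy: a code is valid for 10 minutes
MAX_ATTEMPTS = 5        # constructed policy: burn the code after 5 wrong guesses


@dataclass
class ResetChallenge:
    code: str
    issued_at: float
    attempts: int = 0


class ResetCodeVerifier:
    """Issues six-digit reset codes and verifies them with attempt limiting.

    Store is an in-memory dict keyed by account id (example only; a real
    deployment keeps this state in shared storage so every frontend sees it).
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._challenges: dict[str, ResetChallenge] = {}

    def issue(self, account_id: str) -> str:
        # A fresh random code replaces any outstanding one; secrets, not random.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._challenges[account_id] = ResetChallenge(code=code, issued_at=self._clock())
        # In a real system the code goes out by SMS/email; returned here only for the demo.
        return code

    def verify(self, account_id: str, guess: str) -> str:
        ch = self._challenges.get(account_id)
        if ch is None:
            return "no_challenge"
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            del self._challenges[account_id]
            return "expired"
        if ch.attempts >= MAX_ATTEMPTS:
            # Code is burned; the only way forward is to request a new one.
            return "locked"
        ch.attempts += 1  # every guess counts, including malformed ones
        well_formed = guess.isascii() and guess.isdigit() and len(guess) == 6
        if well_formed and hmac.compare_digest(ch.code, guess):
            del self._challenges[account_id]  # one-time use
            return "ok"
        return "wrong"


class FakeClock:
    """Controllable clock so expiry can be demonstrated without sleeping."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def demo() -> list[str]:
    """Walk the verifier through lockout, one-time use and expiry."""
    clock = FakeClock()
    v = ResetCodeVerifier(clock=clock)
    code = v.issue("alice")
    wrong = "000000" if code != "000000" else "000001"
    outcomes = [v.verify("alice", wrong) for _ in range(MAX_ATTEMPTS + 1)]
    outcomes.append(v.verify("alice", code))  # correct code after lockout is still refused
    code = v.issue("alice")                   # user requests a fresh code
    outcomes.append(v.verify("alice", code))  # accepted once
    outcomes.append(v.verify("alice", code))  # replay is refused
    code = v.issue("alice")
    clock.t += CODE_TTL_SECONDS + 1
    outcomes.append(v.verify("alice", code))  # lifetime exceeded
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The attempt counter is tied to the code, not to the client, so spreading guesses across many source addresses does not help; requesting a new code resets the counter but also replaces the secret, so accumulated guesses are worthless. The same checks have to be present on every host that exposes the endpoint, which is the gap the beta site illustrates.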

1 of 49 comments

  1. Re:It's not a bug...it's a feature by Anonymous Coward · Score: 2, Informative

    People can mark/identify others without the account owner's consent.

    Any time I'm tagged anywhere, I get notified and can force remove it if I choose.
    But it's not like you or anyone else can prevent someone from simply adding text to a picture with their name on it. But let's blame Facebook for that too, because reasons.

    Security/privacy is not exactly a priority at Facebook.

    In relation to this article, this bug only affects people who give FB their phone number and set it as their 'account recovery' preference. I've never done either; mine works via my email, and the "code" they send is pretty damn long and includes letters/numbers/etc.