
Submission + - FYI: That Facebook Account Hijacking Bug Wasn't Really Fixed (securityledger.com)

chicksdaddy writes: Remember that dangerous security hole that would allow attackers to manipulate Skype and Dropbox to hijack your Facebook account? The one Skype and Dropbox both said they 'fixed' last week? Well, it turns out that the celebration was a bit premature. The truth is that the same vulnerability may exist for hundreds, thousands or even hundreds of thousands of other web sites that are linked to the 9 million-plus Facebook applications, according to Nir Goldshlager, the Israeli security researcher who discovered the vulnerability.

Goldshlager described the vulnerability, which he named the “UnFix Bug”, in a blog post on Wednesday (http://www.breaksec.com/?p=6039). He also provided details of the hole to the online publication TechCrunch, which wrote about it, declared the problem 'fixed' and called Goldshlager a "hero" (http://techcrunch.com/2013/04/03/goldschlager-saves-the-day/)... which is true — for the _two_ redirection vulnerabilities at Skype.com and Dropbox.com that Goldshlager used in his proof of concept.

The problem is that similar redirect flaws exist in many domains linked to Facebook applications. Any of those could be used to steal Facebook users’ credentials, Goldshlager explained. “This is a design flaw in Facebook OAuth,” he wrote. “Most ...sites today suffers from site redirection issues, and an attacker also (is) able to use a subdomains (sp) of the owner (application).”

Popular application publishers like Zynga are a natural target, given their prevalence on Facebook accounts and their large web presence. Redirect holes in Zynga.com or any of its subdomains could be used, in conjunction with any Zynga application, to steal user credentials. Even Skype and Dropbox could still be vulnerable, Goldshlager wrote, provided an attacker can find a site redirection hole somewhere on Skype.com, dropbox.com or any of their subdomains.

The Security Ledger has the full story (http://securityledger.com/that-facebook-account-hijack-vulnerability-is-still-dangerous-heres-why/).
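To make the design weakness in the submission concrete, here is an added example (not from the submission, from Goldshlager's post, or from Facebook) contrasting a lax redirect_uri check that accepts any URL on the registered domain or its subdomains with a strict check that accepts only the exact pre-registered callback, the mitigation the OAuth 2.0 Security Best Current Practice recommends. All hostnames, paths and sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample: the callback the application registered with the provider.
REGISTERED_REDIRECT = "https://app.example.com/oauth/callback"


def lax_redirect_ok(redirect_uri: str) -> bool:
    """Weak check: any HTTPS URL on the registered host or one of its
    subdomains passes. An open redirect anywhere on that domain (for
    example a 'next' parameter on a help subdomain) is then enough to
    bounce the authorization response to a third-party site."""
    want = urlsplit(REGISTERED_REDIRECT)
    got = urlsplit(redirect_uri)
    host = got.hostname or ""
    return got.scheme == "https" and (
        host == want.hostname or host.endswith("." + want.hostname)
    )


def strict_redirect_ok(redirect_uri: str) -> bool:
    """Hardened check: scheme, host:port and path must equal the registered
    value exactly, and no query string or fragment is accepted, so the
    response can only ever land on the one pre-registered endpoint."""
    want = urlsplit(REGISTERED_REDIRECT)
    got = urlsplit(redirect_uri)
    return (
        got.scheme == want.scheme
        and got.netloc == want.netloc
        and got.path == want.path
        and got.query == ""
        and got.fragment == ""
    )


# Constructed redirect_uri values as an authorization server might receive them,
# mapped to the expected (lax, strict) verdicts.
SAMPLES = {
    "https://app.example.com/oauth/callback": (True, True),
    # open redirect on a subdomain of the application's domain
    "https://help.app.example.com/go?next=https://third-party.example/": (True, False),
    # open redirect on the registered host itself
    "https://app.example.com/redirect?to=https://third-party.example/": (True, False),
    # registered hostname appearing only in the path of another site
    "https://third-party.example/app.example.com": (False, False),
}


def evaluate() -> dict:
    """Run both validators over the samples; only the strict check rejects
    every URL that is not the registered callback itself."""
    return {u: (lax_redirect_ok(u), strict_redirect_ok(u)) for u in SAMPLES}
```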
