Submission + - FYI: That Facebook Account Hijacking Bug Wasn't Really Fixed

chicksdaddy writes: Remember that dangerous security hole that would allow attackers to manipulate Skype and Dropbox to hijack your Facebook account? The one Skype and Dropbox both said they 'fixed' last week? Well, it turns out that the celebration was a bit premature. The truth is that the same vulnerability may exist for hundreds, thousands or even hundreds of thousands of other web sites that are linked to the 9 million-plus Facebook applications, according to Nir Goldshlager, the Israeli security researcher who discovered the vulnerability.

Goldshlager described the vulnerability, which he named the “UnFix Bug”, in a blog post on Wednesday. He also provided details of the hole to the online publication TechCrunch, which wrote about it, and declared the problem 'fixed' and Goldshlager a "hero." ...which is true — for the _two_ redirection vulnerabilities at and that Goldshlager used in his proof of concept.

The problem is that similar redirect flaws exist in many domains linked to Facebook applications. Any of those could be used to steal Facebook users’ credentials, Goldshlager explained. “This is a design flaw in Facebook OAuth,” he wrote. “Most ...sites today suffers from site redirection issues, and an attacker also (is) able to use a subdomains (sp) of the owner (application).”

Popular application publishers like Zynga are a natural target, given their prevalence on Facebook accounts and their large web presence. Redirect holes in or any of its subdomains could be used, in conjunction with any Zynga application, to steal user credentials. Even Skype and Dropbox could still be vulnerable, Goldshlager wrote, provided an attacker can find a site redirection hole somewhere on, or any of their subdomains.

The Security Ledger has the full story.
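The design flaw the submission quotes is a matter of how an OAuth provider validates the `redirect_uri` parameter: if the provider accepts any URL on the application's registered domain (or its subdomains), then an open redirect anywhere on that domain is enough to bounce the authorization response elsewhere, whereas an exact-match allowlist rejects such URLs outright. The following is an added example written for this page, not code from chicksdaddy's submission, from Goldshlager's research, or from Facebook; the domain `example.com`, the registered callback URI, and the sample `redirect_uri` values are all constructed, and the loose check is a plausible reconstruction of domain-based validation, not Facebook's actual implementation.

```python
"""
Added example (not from the original post): comparing a loose, domain-based
redirect_uri check with the strict exact-match check recommended for OAuth.
"""
from urllib.parse import urlparse

# Constructed fixture: the application's registered domain and the single
# callback URI it registered with the authorization server.
APP_DOMAIN = "example.com"
REGISTERED_REDIRECT_URIS = {"https://app.example.com/oauth/callback"}


def loose_domain_check(redirect_uri, app_domain=APP_DOMAIN):
    """Loose validation (assumed, for illustration): accept any HTTPS URL whose
    host is the registered domain or any subdomain of it, regardless of path
    or query. This is the shape of check that lets a site-redirect hole on
    any subdomain of the application's domain pass validation."""
    target = urlparse(redirect_uri)
    host = target.hostname or ""
    if target.scheme != "https":
        return False
    # Require an exact label boundary so "example.com.evil.invalid" does not match.
    return host == app_domain or host.endswith("." + app_domain)


def strict_check(redirect_uri, registered=REGISTERED_REDIRECT_URIS):
    """Strict validation: the redirect_uri must match a pre-registered URI
    exactly (scheme, host, path and query). A URL pointing at a redirector
    page elsewhere on the domain is not in the allowlist and is rejected."""
    return redirect_uri in registered


def evaluate(redirect_uri):
    """Return both verdicts for one candidate redirect_uri."""
    return {
        "redirect_uri": redirect_uri,
        "loose_accepts": loose_domain_check(redirect_uri),
        "strict_accepts": strict_check(redirect_uri),
    }


# Constructed candidates: the legitimate callback, a URL through a hypothetical
# redirector page on a subdomain, a look-alike host, and a plain-HTTP variant.
SAMPLE_REDIRECT_URIS = [
    "https://app.example.com/oauth/callback",
    "https://promo.example.com/go?next=https://elsewhere.invalid/",
    "https://example.com.elsewhere.invalid/oauth/callback",
    "http://app.example.com/oauth/callback",
]


def run_samples():
    """Evaluate every constructed candidate; used by the stand-alone run below."""
    return [evaluate(uri) for uri in SAMPLE_REDIRECT_URIS]


if __name__ == "__main__":
    for result in run_samples():
        print(f"{result['redirect_uri']}: loose={result['loose_accepts']} "
              f"strict={result['strict_accepts']}")
```

The point a practitioner should take from the output is that the only candidate on which the two checks disagree is the redirector URL on a subdomain: the loose check accepts it because the host is under the application's domain, while the strict check rejects it because it was never registered. Fixing individual redirect pages, as Skype and Dropbox did, removes one such URL; moving the provider-side check to exact matching removes the whole class.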
