A couple of students have nailed a vulnerability on Facebook that would have allowed phishing websites to steal and publish data from users who don’t opt for the maximum security settings on the social network.
The fact that the vulnerability only arose on profiles that haven’t availed themselves of the highest level of security available on Facebook would seem to have lessened the urgency of the flaw — except that most people on the social network underutilize the privacy settings on the site, making the majority of users vulnerable.
So let’s tip our virtual hats to Sophos Senior Technology Consultant Graham Cluley for spending quite a bit of time trying to confirm the findings of Rui Wang and Zhou Li, the students who’d pointed out the vulnerability. He hadn’t been able to see the hole the students had identified because he’d had his privacy settings at the maximum level — we’d expect nothing less than that from a security consultant.
Now if only everyone else on Facebook did the same thing! That’s why I wrote the headline you see above, suggesting that you — yes, you — might be the weakest link here, if you’re not making the most of the site’s settings for protecting privacy.
The students had notified Facebook about this vulnerability rather than explaining to the public how to use the exploit. Knowing the pace at which the social network’s developers move, this security hole has probably been closed for a while now.
So the only way to see the original security problem is to check out the video the students posted on YouTube demonstrating the vulnerability — there’s no sound, so you really need to watch the screen carefully.
What do you think about this particular security vulnerability?