Fortunately for Facebook, developer and Web security expert Nir Goldshlager wears a white hat, and not a black one: For the second time in less than one month, Goldshlager alerted the social network about a potentially dangerous loophole that could have led to users’ account information being compromised.
We reported last month that Goldshlager detailed in a blog post how he experimented with adding different encodings and characters to Facebook URLs, and was able to make an application disguise itself as Facebook Messenger, an app that users do not have to accept, and thereby gain access to users’ Facebook data.
A Facebook spokesperson told Business Insider after the February incident:
We applaud the security researcher who brought this issue to our attention and for responsibly reporting the bug to our white hat program. We worked with the team to make sure we understood the full scope of the vulnerability, which allowed us to fix it without any evidence that this bug was exploited in the wild. Due to the responsible reporting of this issue to Facebook, we have no evidence that users were impacted by this bug. We have provided a bounty to the researcher to thank him for his contribution to Facebook Security.
Goldshlager found a similar vulnerability, also tied to Facebook Messenger, and reported it to Facebook Security, again receiving a reward for his efforts. For those interested in the highly technical details, please see his blog post.
It was a very similar bug (with a similar fact pattern) and, as you can see from the post, we were able to fix it almost immediately. We have provided bounties to over 200 researchers, and Mr. Goldshlager has reported multiple vulnerabilities to us in the past.
And Facebook said in a statement, as reported by MarketWatch:
We have no evidence that users were impacted by this bug. We have provided a bounty to the researcher to thank them for their contribution to Facebook Security.
Readers: Do these exposed vulnerabilities make you nervous about the security of your account information?
Image courtesy of Shutterstock.