Security Researchers Expose Facebook Flaws

Security researcher Nitesh Dhanjani told CNET that Facebook is vulnerable to attacks that allow hackers to hijack accounts while users of the social-networking site are interacting with other Websites, adding that a Facebook design flaw enables third-party apps to access user profile data without their permission.

Facebook spokesman Simon Axten responded to CNET:

The only information apps can access without first showing the “Allow” screen is publicly available information (the limited set of info that includes name, profile picture, gender, networks, friend list and pages) and information set to be visible to everyone on the Internet.

Dhanjani and Israeli security researcher Shlomi Narkolayev both told CNET that hackers are using Websites that show videos or resemble e-commerce sites to hide Facebook login pages and open users’ accounts without their knowledge.

Narkolayev wrote on his blog:

Using ClickJacking, I also could fool users into clicking whatever I want: adding me as their friend, deleting their account, and even opening their camera and microphone using Flash (older versions than 10.x), or installing Facebook applications that post their Web camera and microphone every time they connect to Facebook. Just use your imagination on what you want others to click on…Transfer poker chips to you???
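ClickJacking of the kind described above only works when the target page lets a browser render it inside another site's frame. The checker below is an added example, not code from the article or from either researcher; it evaluates the two response headers a site can send to refuse framing (X-Frame-Options and a Content-Security-Policy frame-ancestors directive), and all header values and origins in it are constructed samples.

```javascript
// Added example (not from the article or the researchers' own code): a checker
// for the two response headers a site can send so that browsers refuse to
// render it inside another site's frame, which is the condition a ClickJacking
// page relies on. Header values and origins below are constructed samples.

// Does one CSP source expression (e.g. "https:", "*.partner.example") match
// an embedding origin? Simplified: a source with no scheme matches any scheme.
function sourceMatches(source, embedderOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  const o = new URL(embedderOrigin);
  if (src.endsWith(':')) return o.protocol === src;          // scheme-only source
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;                                        // unsupported syntax
  const [, scheme, wildcard, host, port] = m;
  if (scheme && o.protocol !== scheme + ':') return false;
  const hostOk = wildcard ? o.hostname.endsWith('.' + host) : o.hostname === host;
  if (!hostOk) return false;
  if (port && port !== '*') {
    const actual = o.port || (o.protocol === 'https:' ? '443' : '80');
    if (actual !== port) return false;
  }
  return true;
}

// Returns true when a browser would allow embedderOrigin to frame a page served
// from pageOrigin with these response headers (header names are case-insensitive).
function canBeFramedBy(headers, pageOrigin, embedderOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      // Browsers that support frame-ancestors ignore X-Frame-Options when both are present.
      const sources = directive.split(/\s+/).slice(1);       // empty list matches nothing
      return sources.some((s) =>
        (s.toLowerCase() === "'self'" ? embedderOrigin === pageOrigin : sourceMatches(s, embedderOrigin)));
    }
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  // No header, or an unrecognised/obsolete value such as ALLOW-FROM: treat as frameable.
  return true;
}

// Constructed sample: a login page with no anti-framing headers can be framed by any site.
console.log(canBeFramedBy({ 'Content-Type': 'text/html' }, 'https://social.example', 'https://video.example'));
```

A result of `true` for a login or account-settings page served to a foreign origin is the finding a defender wants to surface; `frame-ancestors 'none'` or `X-Frame-Options: DENY` closes it.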

Narkolayev demonstrated ClickJacking in the video below: