Recent research has shown that Facebook is susceptible to attacks that could allow users to hijack another user’s active account. Researcher Nitesh Dhanjani said a design flaw in Facebook was granting third-party apps permission to access user profile data without express approval from users.
Facebook used to display a pop-up window warning users when they added any third-party app that doing so would authorize the app to get access to user profile information. This allowed users to change their mind before adding the app.
According to Dhanjani, the company has changed its policy and now some applications can choose to use a new implicit authorization feature that does not warn Facebook users that a third-party app is trying to request their data.
“This allows Facebook to gain increased adoption of third-party applications, which can translate to revenue”, he said.
Simon Asten, Facebook spokesman, sought to downplay the problem, saying “the only information apps can access without first showing the ‘Allow’ screen is publicly available information (the limited set of info that includes name, profile picture, gender, networks, friend list and pages) and information set to be visible to everyone on the internet.”
In a separate but related research program, Dhanjani and Israeli security researcher Shlomi Narkolayev said attackers could use click-jacking attacks to hijack Facebook accounts by tricking users into clicking on sites hiding malicious code.
A website that looks like an e-commerce site or shows videos could hide a Facebook log-in page behind it so that when a user clicks on the site to play a video, for instance, the user’s account is opened instead behind the scenes, without the user realizing it.
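The attack described above only works if the hidden log-in page can be loaded inside a frame on the attacker-controlled site. The standard defence is for the site being framed to send an `X-Frame-Options` header or a CSP `frame-ancestors` directive. The following is an added example, not code from the article or from Facebook, that checks a set of response headers and reports whether the page could be framed by a third-party site; the header values are constructed for illustration.

```javascript
// Added example: classify whether HTTP response headers restrict framing,
// the standard mitigation for click-jacking. Input is a plain object of
// lower-cased header names to values (constructed samples below).

// Return the frame-ancestors source list from a CSP header, or null if absent.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0] && parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map((s) => s.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Returns { protected: boolean, reason: string } for the given headers.
function assessFramingProtection(headers) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const ancestors = parseFrameAncestors(csp);
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    if (ancestors) {
      const open = ['*', 'https:', 'http:'];
      if (ancestors.some((a) => open.includes(a))) {
        return { protected: false, reason: 'frame-ancestors allows any origin' };
      }
      return { protected: true, reason: `frame-ancestors: ${ancestors.join(' ')}` };
    }
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, reason: `X-Frame-Options ${xfo}` };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // ALLOW-FROM is not honoured by current browsers, so it gives no protection.
    return { protected: false, reason: 'X-Frame-Options ALLOW-FROM is ignored by browsers' };
  }
  return { protected: false, reason: 'no framing restriction' };
}

// Constructed sample responses: an unrestricted log-in page (frameable),
// one guarded by X-Frame-Options, one guarded by CSP.
const samples = {
  unprotected: { 'content-type': 'text/html' },
  xfo: { 'x-frame-options': 'SAMEORIGIN' },
  csp: { 'content-security-policy': "default-src 'self'; frame-ancestors 'self'" },
};
for (const [name, h] of Object.entries(samples)) {
  const r = assessFramingProtection(h);
  console.log(`${name}: ${r.protected ? 'protected' : 'FRAMEABLE'} (${r.reason})`);
}
```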
Asten added that the attack examples were standard click-jacking and not unique to Facebook.
“We are building some additional protections for these types of attacks and reminding people to be cautious of any message, post, or link they find on Facebook or elsewhere on the Internet that looks suspicious”, he said.
He added that Facebook has advanced systems to detect and block the posting and sending of malicious links on the site.
“If we learn of a site that is using click jacking against our users, we would add it to our blacklist to avoid it spreading through the network. We also work with third parties to get malicious sites added to browser blacklists or taken down completely”, said Asten.
by Ikechukwu Osodo