October 31, 2014

Facebook fixes a couple of potentially dangerous security flaws

(LiveHacking.Com) – Over the last few days Facebook has fixed a couple of potentially dangerous security flaws: a webcam vulnerability and a bug in Facebook Stories.

The social networking giant patched a security flaw that allowed hackers to switch on a victim’s webcam remotely, without the victim’s knowledge, and post the recorded videos to their profile.

The vulnerability was reported to Facebook in July by Aditya Gupta and Subho Halder, the founders of the security company XY Security. Under Facebook’s security vulnerability bounty scheme the pair were paid $2,500 for the information, five times the usual amount.

The flaw was found in the webcam video upload feature. It appears that Facebook didn’t have proper security checks built into the feature. By exploiting the vulnerability, an attacker could trick a user into silently recording from their webcam and publish the result without the user’s knowledge.

“This vulnerability, like many others we provide a bounty for, was only theoretical, and we have seen no evidence that it has been exploited in the wild,” Wolens wrote in an e-mail to Bloomberg. “Essentially, several things would need to go wrong — a user would need to be tricked into visiting a malicious page and clicking to activate their camera, and then after some time period, tricked into clicking again to stop/publish the video.”

The second fix was to Facebook’s Stories website. The site has a feature called “New Year’s Midnight Delivery” which allows users to write messages to friends that are automatically sent after midnight. According to Aberystwyth University student Jack Jenkins, it was possible to change the message ID in the confirmation URL displayed after sending a message and thereby read and delete other users’ messages; in other words, the server did not check that the message being requested belonged to the user requesting it.

Facebook took the “Midnight Delivery” feature offline temporarily to patch the vulnerability, and according to an update to Jenkins’ blog the bug has now been fixed.
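As an added illustration (not Facebook’s code, and not taken from Jenkins’ write-up), the handlers below contrast the class of bug described above with its fix: a message looked up by ID alone, versus one that also checks who is asking and whether the delivery time has passed. The message store, user names and the deliver_at rule are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

class Forbidden(Exception):
    """Raised when the requester may not access a message (or it does not exist)."""

@dataclass
class Message:
    message_id: int
    sender: str
    recipient: str
    body: str
    deliver_at: datetime
    deleted: bool = False

# Constructed sample data: two scheduled messages and two points in time.
MIDNIGHT = datetime(2014, 1, 1, 0, 0, tzinfo=timezone.utc)
BEFORE_MIDNIGHT = datetime(2013, 12, 31, 23, 0, tzinfo=timezone.utc)
MESSAGES = {
    101: Message(101, "alice", "bob", "Happy New Year, Bob!", MIDNIGHT),
    102: Message(102, "carol", "dave", "See you in 2014", MIDNIGHT),
}

def read_message_vulnerable(message_id: int, requester: str) -> str:
    """Looks the message up by ID alone, the pattern the article describes:
    the requester is never consulted, so any ID typed into the URL is served."""
    return MESSAGES[message_id].body

def authorize(message_id: int, requester: str, now: datetime) -> Message:
    """Object-level check: the sender always, the recipient only once delivered.
    Missing, deleted and foreign IDs all produce the same error so that
    probing the URL reveals nothing about which IDs exist."""
    msg = MESSAGES.get(message_id)
    if msg is None or msg.deleted:
        raise Forbidden(f"no access to message {message_id}")
    if requester == msg.sender:
        return msg
    if requester == msg.recipient and now >= msg.deliver_at:
        return msg
    raise Forbidden(f"no access to message {message_id}")

def read_message(message_id: int, requester: str, now: datetime) -> str:
    return authorize(message_id, requester, now).body

def delete_message(message_id: int, requester: str, now: datetime) -> None:
    msg = authorize(message_id, requester, now)
    if requester != msg.sender:          # recipients may read, never delete
        raise Forbidden("only the sender may delete a scheduled message")
    msg.deleted = True
```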
