Alert Logic Security Advisory - Facebook

Release Date: 05/17/2010

Last Update: 05/17/2010

Criticality: Critical

Impact: Exposure of sensitive information

Status: Patched 05/14/2010 at 4:45pm

Software: Facebook.com

CVE Reference: No CVE References

Description
Alert Logic discovered a vulnerability in Facebook that could have led to exposure of private information or defacement of user pages. If the user clicked a specially crafted link while signed into Facebook, the attacker would have been able to modify user privacy settings or alter the user’s profile. An example of the vulnerability is below.

Bug description
Facebook uses a token called "post_form_id" to prevent CSRF attacks. The token was only checked when it was present: if an attacker created a page that auto-submitted a form to Facebook and omitted the "post_form_id" parameter entirely, the server-side scripts skipped validation and saved the submitted values, using the victim's session cookie for authorization.
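The check described above, as an added example that is not part of the original advisory and is not Facebook's code: a small Python model of a privacy-update handler with the flawed "validate only if present" token check next to a hardened check that requires the token and compares it in constant time. The session dict, the handler and function names, and the attacker page are constructed for illustration; only the parameter name "post_form_id" comes from the advisory.

```python
import hmac
import secrets

# Constructed sample session for the victim. In the real application the
# token would be bound to the logged-in session on the server side.
SESSION = {"user_id": 12345, "post_form_id": secrets.token_hex(16)}


def validate_flawed(form, session):
    """Models the bug class: the token is compared only when it is present.

    A request that omits post_form_id falls through and is treated as valid.
    """
    token = form.get("post_form_id")
    if token is not None and token != session["post_form_id"]:
        return False
    return True  # missing token -> accepted (the flaw)


def validate_fixed(form, session):
    """Hardened check: the token must be present, a string, and match.

    hmac.compare_digest avoids leaking the match position through timing;
    both sides are encoded to bytes so a non-ASCII value cannot raise.
    """
    token = form.get("post_form_id")
    if not isinstance(token, str) or not token:
        return False
    return hmac.compare_digest(token.encode("utf-8"),
                               session["post_form_id"].encode("utf-8"))


def handle_privacy_update(form, session, validate):
    """Hypothetical state-changing endpoint.

    Returns the privacy value that would be persisted, or None when the
    request is rejected by the supplied CSRF validator.
    """
    if not validate(form, session):
        return None
    # A real handler would persist the change here.
    return form.get("privacy")


# Constructed attacker page: an auto-submitting cross-site form that simply
# leaves post_form_id out. The browser attaches the victim's cookies.
ATTACKER_PAGE = """
<form id="f" method="POST" action="https://victim.example/privacy/update">
  <input type="hidden" name="privacy" value="everyone">
</form>
<script>document.getElementById("f").submit();</script>
"""

# What the server receives from the attacker page (no token) and from a
# legitimate in-app form (token included).
CSRF_FORM = {"privacy": "everyone"}
LEGIT_FORM = {"privacy": "friends", "post_form_id": SESSION["post_form_id"]}

if __name__ == "__main__":
    print("flawed, no token :", handle_privacy_update(CSRF_FORM, SESSION, validate_flawed))
    print("fixed,  no token :", handle_privacy_update(CSRF_FORM, SESSION, validate_fixed))
    print("fixed,  legit    :", handle_privacy_update(LEGIT_FORM, SESSION, validate_fixed))
```

The flawed validator rejects a wrong token but accepts a missing one, which is exactly the gap a forged cross-site POST exploits; the hardened version treats "absent" the same as "wrong" and should be applied to every state-changing request, not only to forms that happen to render the hidden field.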

Solution
Alert Logic worked with Facebook to resolve the issue. Facebook recommends that users not click on suspicious links, even if the link was sent by a friend.

Facebook encourages security researchers who identify vulnerabilities that affect Facebook to report such vulnerabilities here.

Discovered by
M.J. Keith - Senior Security Analyst

Change log

5/11/2010 - Facebook notified of vulnerability.
5/13/2010 - Work begins with Facebook to patch flaw.
5/14/2010 - Facebook confirms flaw is patched.

Technical analysis
Will be posted at a later date.

Posted by M.J. Keith, Monday 14 Jun 2010
