Security experts are warning there is more to come after it emerged this week that Facebook users’ pages had been exposed to ‘third parties’ and that account hijacking was possible.
Security firm Symantec said this week it had discovered a glitch in Facebook’s settings that allowed advertisers and other analytics platforms to access users’ pages even when they were set to ‘private’.
The social network accidentally leaked access ‘tokens’ to third parties, allowing them to view users’ profiles, pictures, chats and other private data.
However, there’s more to come, says Ty Miller, Chief Technology Officer at Pure Hacking, who told ChannelNews that social networking sites frequently fall prey to weak access controls, so it’s no surprise the breach took place.
“Access controls are a major security concern in all online applications, and are commonly found in our web application penetration test reports.”
“During our web application penetration tests we find that complex web applications, such as social networking sites, often contain serious vulnerabilities such as weak access controls.”
“This won’t be the last access control issue found with Facebook,” he warned.
Such system ‘vulnerabilities’ can result in anything from information disclosure through to full account compromise.
Facebook has stated that “most access tokens expire in two hours”; however, that offers little protection when the attack can simply be automated to run every two hours.
Once such an attack is automated, it can be used to download the personal data of every user in the system, or to perform actions within every user account.
Access control vulnerabilities also have an extreme impact when the application supports financial transactions, says Miller.
And it gets worse: the social network is currently trialling the sale of coupons to capture a share of the Groupon market, which means some users’ bank account details could have been compromised, much as in the hacking of the Sony PlayStation Network.
“This will dramatically increase compromised Facebook account sale prices on the black market,” Miller warns, adding that Facebook accounts were found to be easily hijacked using only information publicly available on the net.
“Last week I had to do a penetration test targeted at compromising specific Facebook accounts using only information available on the Internet.
This was successfully achieved by compromising the victim’s Hotmail account and then using the ‘Forgotten Password’ feature to reset their Facebook password.”
“We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue,” Symantec confirmed.
Facebook also acknowledged the error and says it has made changes on its end to prevent such leaks from recurring.