Tuesday, November 10, 2009

Millions of Facebook & MySpace Users' Account Data Could Have Been Compromised & Even Stolen


What I am about to write may scare the hell out of you. The top two social networks, Facebook & MySpace, were vulnerable to a security flaw that could have allowed anyone to gain access to (and steal) your whole account data. A Facebook developer, Yvo Schaap, came across a Flash security flaw that allowed him to gain access to millions of accounts on Facebook and MySpace.

Schaap says in his blog:

“My solution allowed full access and control to the Facebook user account that accessed my application. Did I mention this would also be untraceable since exploit actions would happen from the user's IP and own domain cookie?”

Schaap further explains how the hack worked. Put simply, the “crossdomain.xml” policy file is what tells Flash Player which other sites' Flash content may send requests to a domain and read the responses, carrying the visitor's cookies along with them. Facebook's and MySpace's policies were permissive enough that an attacker's Flash movie could act as the logged-in user, which is what gives full access and control over millions of accounts on both networks.

After carefully reading his blog and the explanation of his hack, I boiled it down to two kinds of users who were highly vulnerable to this hack:

1). Users that had “auto-login” enabled for their account.

2). Users that viewed a vulnerable Flash App.

Facebook looks a lot more vulnerable than MySpace. From Schaap's explanation it comes out that abusing Facebook's “crossdomain.xml” is relatively easy compared to MySpace's much more complicated one. You should read his post if you want more insight into this trick.
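To make the crossdomain.xml point concrete, here is an added example (my own code, not Schaap's and not anything from Facebook or MySpace) that audits a Flash policy file and decides whether a SWF hosted on a given origin would be allowed to read a site's responses. The two policy documents are constructed samples, the host names are hypothetical, and the matching rules follow the documented Flash Player semantics: `domain="*"` admits every origin, a `*.example.com` pattern admits the bare domain and every subdomain, and `secure` defaults to true so that only HTTPS-hosted SWFs can use a rule served over HTTPS.

```python
"""Audit a Flash crossdomain.xml policy and decide whether a SWF served from
a given host would be allowed to read responses from the policy's site.
Added example; the policies below are constructed, not real ones."""
import xml.etree.ElementTree as ET

# Constructed sample: the kind of overly permissive policy the post warns about.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>
"""

# Constructed sample: a tightened policy that admits a single hypothetical
# first-party host over HTTPS only and forbids per-directory policy files.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.com" secure="true"/>
</cross-domain-policy>
"""


def _domain_matches(pattern, host):
    """Flash Player domain matching: '*' matches everything, '*.base' matches
    base itself and any subdomain, anything else must match exactly."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def allows(policy_xml, swf_host, swf_https=True):
    """True if a SWF loaded from swf_host may read this site's responses,
    i.e. may make cookie-bearing requests on behalf of the visitor."""
    root = ET.fromstring(policy_xml)
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        secure = rule.get("secure", "true").lower() != "false"
        if not _domain_matches(domain, swf_host):
            continue
        # With secure="true" (the default) an HTTPS policy only admits SWFs
        # that were themselves loaded over HTTPS.
        if secure and not swf_https:
            continue
        return True
    return False


def audit(policy_xml):
    """Return human-readable findings for the dangerous settings."""
    findings = []
    root = ET.fromstring(policy_xml)
    site_control = root.find("site-control")
    if site_control is None or \
            site_control.get("permitted-cross-domain-policies") != "master-only":
        findings.append("no site-control master-only: per-directory policy "
                        "files are not explicitly forbidden")
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('domain="*": a SWF on any site can read responses '
                            "with the victim's cookies")
        elif domain.startswith("*."):
            findings.append("domain=%r: every subdomain is trusted, including "
                            "any that serves third-party content" % domain)
        if rule.get("secure", "true").lower() == "false":
            findings.append('secure="false" on %r: a SWF served over plain '
                            "HTTP can read HTTPS responses" % domain)
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY),
                         ("hardened", HARDENED_POLICY)):
        print(name, "allows attacker.example.org:",
              allows(policy, "attacker.example.org"))
        for finding in audit(policy):
            print("  -", finding)
```

The check to take away: a policy that admits any host the attacker can place a SWF on is equivalent to handing over the visitor's session, because the requests leave the victim's browser with the victim's cookies, exactly the "untraceable" property Schaap describes.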

Thankfully, Schaap immediately contacted Facebook and MySpace, and according to him the problem has been fixed.

What is really disturbing here is:

1). What about the developers who already knew about this hack and were not ethical enough to report it to Facebook or MySpace? Considering that Facebook has some 300k+ developers, it is quite plausible that people already knew about it and that the vulnerability was exploited.

2). An old debate, but: how safe is your data online? Earlier there were issues with Twitter, where a hacker broke in and gained access to user accounts. This one is even more disturbing. We share, save and upload all sorts of public and private data on Facebook & MySpace. Social networks are not just a fun thing anymore; lots of people use them for their day-to-day business.

I need a more responsible social network company.
URGENT & IMPORTANT: I would recommend that you go to Facebook and MySpace and change your password to avoid any further exploitation. Keep in mind that the hack rode on the logged-in session rather than the password, so a password change mainly limits what anyone who already captured your account details can do with them. Make sure you let your friends know about this and ask them specifically to change their account credentials. Send them a mail, tweet about this to your followers, share this on Facebook or MySpace, help it spread on Reddit, or use one of the many share options at the bottom of the post.
