Feeds

Month of Facebook flaws gets underway

Every day a different hole

Securing Web Applications Made Simple and Scalable

A security researcher has vowed to reveal technical details of a series of cross-site scripting vulnerabilities involving Facebook applications during September.

theharmonyguy plans to give developers 24 hours' advance notice about flaws involving their web applications before exposing them publicly. The project takes its cue from July's Month of Twitter Bug project, during which security researcher Aviv Raff applied a similar idea to the disclosure of security flaws involving Twitter and associated services.

The "Month of..." theme for security disclosures was originally pioneered by HD Moore, of Metasploit fame, with a four week fiesta that brought new browser bugs every day back in 2006.

The month of bugs began by outlining patched flaws involving FunSpace, SuperPoke! and other applications. On Tuesday it revealed a previously unpatched flaw in an application called FarmVille. Developer Zynga acted promptly to close the hole.

A flaw in the Causes application, disclosed on Wednesday, has also been fixed. Both applications were capable of lending themselves to clickjacking. Clickjacking-style vulnerabilities creates a means for miscreants to trick prospective marks into unknowingly clicking on a link or dialogue and as such can become the fodder of XSS worms, in at least some cases.

theharmonyguy, who has made a good start with five vulnerabilities in the bag, is inviting submissions from other security researchers, who will get the credit for flaws they find.

Even with outside help it might be difficult to release a new flaw every day this month, something that is much easier when considering the wider field of browser security. Rest days in the cycle could perhaps be usefully plugged with information on rogue Facebook apps.

Rik Ferguson, a security researcher at Trend Micro, found at least 11 examples of such applications two weeks ago, as detailed in his blog here. Most of the rogue apps try to trick users into handing over their login credentials.

The fact that many use the same password and username on multiple websites means that hackers armed with Facebook login details might be able to hijack webmail accounts, in turn allowing them to attack more sensitive online banking facilities or PayPal accounts. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Boffins build FREE SUPERCOMPUTER from free cloud server trials
Who cares about T&Cs when there's LIteCoin to mint?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.