Feeds

Month of Facebook flaws gets underway

Every day a different hole

SANS - Survey on application security programs

A security researcher has vowed to reveal technical details of a series of cross-site scripting vulnerabilities involving Facebook applications during September.

theharmonyguy plans to give developers 24 hours' advance notice about flaws involving their web applications before exposing them publicly. The project takes its cue from July's Month of Twitter Bug project, during which security researcher Aviv Raff applied a similar idea to the disclosure of security flaws involving Twitter and associated services.

The "Month of..." theme for security disclosures was originally pioneered by HD Moore, of Metasploit fame, with a four week fiesta that brought new browser bugs every day back in 2006.

The month of bugs began by outlining patched flaws involving FunSpace, SuperPoke! and other applications. On Tuesday it revealed a previously unpatched flaw in an application called FarmVille. Developer Zynga acted promptly to close the hole.

A flaw in the Causes application, disclosed on Wednesday, has also been fixed. Both applications were capable of lending themselves to clickjacking. Clickjacking-style vulnerabilities creates a means for miscreants to trick prospective marks into unknowingly clicking on a link or dialogue and as such can become the fodder of XSS worms, in at least some cases.

theharmonyguy, who has made a good start with five vulnerabilities in the bag, is inviting submissions from other security researchers, who will get the credit for flaws they find.

Even with outside help it might be difficult to release a new flaw every day this month, something that is much easier when considering the wider field of browser security. Rest days in the cycle could perhaps be usefully plugged with information on rogue Facebook apps.

Rik Ferguson, a security researcher at Trend Micro, found at least 11 examples of such applications two weeks ago, as detailed in his blog here. Most of the rogue apps try to trick users into handing over their login credentials.

The fact that many use the same password and username on multiple websites means that hackers armed with Facebook login details might be able to hijack webmail accounts, in turn allowing them to attack more sensitive online banking facilities or PayPal accounts. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.