Feeds

Month of Facebook flaws gets underway

Every day a different hole

Beginner's guide to SSL certificates

A security researcher has vowed to reveal technical details of a series of cross-site scripting vulnerabilities involving Facebook applications during September.

theharmonyguy plans to give developers 24 hours' advance notice about flaws involving their web applications before exposing them publicly. The project takes its cue from July's Month of Twitter Bug project, during which security researcher Aviv Raff applied a similar idea to the disclosure of security flaws involving Twitter and associated services.

The "Month of..." theme for security disclosures was originally pioneered by HD Moore, of Metasploit fame, with a four week fiesta that brought new browser bugs every day back in 2006.

The month of bugs began by outlining patched flaws involving FunSpace, SuperPoke! and other applications. On Tuesday it revealed a previously unpatched flaw in an application called FarmVille. Developer Zynga acted promptly to close the hole.

A flaw in the Causes application, disclosed on Wednesday, has also been fixed. Both applications were capable of lending themselves to clickjacking. Clickjacking-style vulnerabilities creates a means for miscreants to trick prospective marks into unknowingly clicking on a link or dialogue and as such can become the fodder of XSS worms, in at least some cases.

theharmonyguy, who has made a good start with five vulnerabilities in the bag, is inviting submissions from other security researchers, who will get the credit for flaws they find.

Even with outside help it might be difficult to release a new flaw every day this month, something that is much easier when considering the wider field of browser security. Rest days in the cycle could perhaps be usefully plugged with information on rogue Facebook apps.

Rik Ferguson, a security researcher at Trend Micro, found at least 11 examples of such applications two weeks ago, as detailed in his blog here. Most of the rogue apps try to trick users into handing over their login credentials.

The fact that many use the same password and username on multiple websites means that hackers armed with Facebook login details might be able to hijack webmail accounts, in turn allowing them to attack more sensitive online banking facilities or PayPal accounts. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
SHELLSHOCKED: Fortune 1000 outfits Bash out batches of patches
CloudPassage points to 'pervasive' threat of Bash bug
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.