Feeds

Month of Facebook flaws gets underway

Every day a different hole

Beginner's guide to SSL certificates

A security researcher has vowed to reveal technical details of a series of cross-site scripting vulnerabilities involving Facebook applications during September.

theharmonyguy plans to give developers 24 hours' advance notice about flaws involving their web applications before exposing them publicly. The project takes its cue from July's Month of Twitter Bug project, during which security researcher Aviv Raff applied a similar idea to the disclosure of security flaws involving Twitter and associated services.

The "Month of..." theme for security disclosures was originally pioneered by HD Moore, of Metasploit fame, with a four week fiesta that brought new browser bugs every day back in 2006.

The month of bugs began by outlining patched flaws involving FunSpace, SuperPoke! and other applications. On Tuesday it revealed a previously unpatched flaw in an application called FarmVille. Developer Zynga acted promptly to close the hole.

A flaw in the Causes application, disclosed on Wednesday, has also been fixed. Both applications were capable of lending themselves to clickjacking. Clickjacking-style vulnerabilities creates a means for miscreants to trick prospective marks into unknowingly clicking on a link or dialogue and as such can become the fodder of XSS worms, in at least some cases.

theharmonyguy, who has made a good start with five vulnerabilities in the bag, is inviting submissions from other security researchers, who will get the credit for flaws they find.

Even with outside help it might be difficult to release a new flaw every day this month, something that is much easier when considering the wider field of browser security. Rest days in the cycle could perhaps be usefully plugged with information on rogue Facebook apps.

Rik Ferguson, a security researcher at Trend Micro, found at least 11 examples of such applications two weeks ago, as detailed in his blog here. Most of the rogue apps try to trick users into handing over their login credentials.

The fact that many use the same password and username on multiple websites means that hackers armed with Facebook login details might be able to hijack webmail accounts, in turn allowing them to attack more sensitive online banking facilities or PayPal accounts. ®

Internet Security Threat Report 2014

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Choosing a cloud hosting partner with confidence
Download Choosing a Cloud Hosting Provider with Confidence to learn more about cloud computing - the new opportunities and new security challenges.