The $5,000 hole in Facebook


After Facebook closed the vulnerability, its discoverer Amol Naik documented where and how he found it. For having reported it to Facebook confidentially beforehand, he collected a bounty of $5,000. The security problem is a Cross Site Request Forgery, CSRF for short. In this case, an attacker could perform an action in the context of a logged-in user simply by having the user's browser call a specific URL with suitable parameters.

Specifically, Amol Naik was able, for example, to add an app in Facebook's new AppCenter apparently without any user interaction. The victim merely had to visit a suitably crafted web page while logged in to Facebook. Holes of this kind have frequently been exploited for Facebook worms or for the mass distribution of spam messages.

Normally, web sites protect against CSRF manipulation by creating a token for each valid session that must be sent along with every request for the request to be accepted. A script on another web site has no access to this token and therefore cannot construct a valid request. Unfortunately, the new web application on Facebook's servers apparently did not check the correctness of the supplied fb_dtsg token at all. After being notified, the Facebook security team corrected this omission within a day.
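To make the omission concrete, here is an added example (not Facebook's code, not from Naik's write-up) that contrasts a state-changing handler which accepts any fb_dtsg value with one that verifies the token bound to the session; the session layout, handler names and app id are assumptions for this illustration, the parameter name fb_dtsg is the one the article names.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> per-session state.
# fb_dtsg is the token name from the article; the rest is an assumption.
SESSIONS = {}

def start_session():
    """Log a user in and bind a fresh, unguessable CSRF token to the session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"installed_apps": [], "fb_dtsg": secrets.token_urlsafe(24)}
    return sid

def add_app_vulnerable(sid, params):
    """The omission the article describes: fb_dtsg is never compared with the
    session's token, so any cross-site request that rides on the victim's
    session cookie succeeds."""
    session = SESSIONS[sid]
    session["installed_apps"].append(params["app_id"])
    return True

def add_app_fixed(sid, params):
    """Hardened handler: the action runs only when the request carries the
    token bound to this session. compare_digest keeps the comparison from
    leaking the token through timing differences."""
    session = SESSIONS[sid]
    supplied = params.get("fb_dtsg", "")
    if not hmac.compare_digest(supplied, session["fb_dtsg"]):
        return False  # reject: token missing, stale or forged
    session["installed_apps"].append(params["app_id"])
    return True

def demo():
    """A third-party page can make the browser send the request with the
    victim's cookie, but it cannot read the token, so it can only guess."""
    sid = start_session()
    cross_site = {"app_id": "12345", "fb_dtsg": "guess"}  # constructed forgery
    same_site = {"app_id": "12345", "fb_dtsg": SESSIONS[sid]["fb_dtsg"]}
    return {
        "vulnerable_accepts_forgery": add_app_vulnerable(sid, cross_site),
        "fixed_rejects_forgery": not add_app_fixed(sid, cross_site),
        "fixed_accepts_legit": add_app_fixed(sid, same_site),
    }

if __name__ == "__main__":
    print(demo())
```

The check has to run on every state-changing endpoint; a single handler that skips it, as AppCenter's apparently did, is enough to undo the protection.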
