Researchers found authentication flaw in Facebook that allowed malicious sites to steal users' data, post bad links to profiles

Facebook has quietly fixed a vulnerability discovered recently by two student researchers that allowed malicious websites to access a Facebook user's private data without permission and post malicious links onto their profile.

Students Rui Wang and Zhou Li contacted security firm Sophos and told them the flaw they found made it possible for any website to impersonate other sites that had been authorized to access users' data such as name, gender and date of birth. In other words, if a user had visited any site, such as YouTube, gaming sites or news sites, and had given that site access to their Facebook profile, a malicious site could potentially gain access to the same sensitive data. The researchers also found it was possible for the malicious site to pose as a legitimate website and publish content on the visiting user's Facebook wall, a common way malware is spread on the social network. The user was at risk if they visited a malicious website while logged into Facebook. The flaw was the result of a problem in one of Facebook's authentication mechanisms. The students explain the problem in a YouTube video.

The vulnerability has already been addressed by Facebook, since the students practiced responsible disclosure and informed Facebook's security team about the flaw. Facebook Security responded by fixing the vulnerability quickly, according to Sophos' Graham Cluley. "Clearly Facebook's website is a complex piece of software, and it is almost inevitable that vulnerabilities and bugs will be found from time to time," said Cluley. "The risk is compounded by the fact that there's so much sensitive personal info about users being held by the site — potentially putting many people at risk."

Facebook has fixed many research-discovered bugs in recent years.
Earlier this year it patched a flaw that allowed private chats to be made public. Last week, Facebook announced new security enhancements on the site.