Magazine article USA TODAY

Facebook Almost Poned in Website Fraud

Magazine article USA TODAY

Facebook Almost Poned in Website Fraud

Article excerpt

A Facebook security vulnerability discovered by a pair of doctoral students at the School of Informatics and Computing at Indiana University, Bloomington, that allowed malicious websites to uncover visitors' real names, access their private data, and post bogus content on their behalf has been repaired, Facebook maintains.

The vulnerability discovered by Rui Wang and Zhou Li enabled malicious websites to impersonate legitimate ones, then obtain the same data access permissions on Facebook that those legitimate websites had received. Wang and Li say the vulnerability occurred when a user informed Facebook of his or her willingness to share information with popular websites like or YouTube. Whenever a website makes such a request to Facebook, via the user's browser, Facebook passes a secret random string called an authentication token back to the requester for identification. Whoever holds that authentication token can convince Facebook that he or she is, let us say,, and then gain unfettered access to the shared data.


Facebook confirmed the discovery and, in a statement, said the problem has been repaired and that the belief was that no sites had been compromised.

The researchers identified a flaw in the way the token was transmitted using two flash objects: one inside Facebook's iframe passes the token to the second, which, in this case would be embedded at The transfer mode can be selected through "transport='flash'" with the security guarantee being that both flash objects are supposed to come from the same domain (Le., Facebook) before they can talk.

The researchers found, however, that such a same-domain assumption is not always valid because Adobe Flash allows cross-domain communication with an unpredictable domain name that is prepended by an underscore symbol in the connection name. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.