A Facebook Privacy Flaw Gave a Hacker Access to Every Single Account

You probably don't know Nir Goldshlager, but up until recently, he sure could have known you. That's because Nir discovered a major privacy flaw in Facebook's OAuth, the system developers use to access all sorts of information every time you hit that innocent little "allow" button. Nir gained access to virtually anyone's entire Facebook account. As the hacker explained on his site:

I found a way in to get full permissions (read inbox, outbox, manage pages, manage ads, read private photos, videos, etc.) over the victim account even without any installed apps on the victim account...
And the worst part? The victim wouldn't even need to click "allow," so they were removed from the process entirely.

Just to clarify, there is no need for any installed apps on the victim's account. Even if the victim never allowed any application in his Facebook account, I could still be getting full permissions. This bug works on any browser.

Fortunately, Facebook has already corrected the problem, but this is unsettling, nonetheless. This most recent revelation only makes Facebook's incomprehensibly complex privacy rules that much more menacing for the inevitable holes we have yet to find. [Nir Goldshlager via Daily Dot]
This reminds me of a line from The West Wing:

Toby complains in passing to the Chairman of the Joint Chiefs, "Oh, and I think there may be a problem with the security on White House computers." And the Chairman replies, "White House computers aren't secure."

There's a problem with security on a social network? That's because social networks aren't secure. Even ignoring the technical aspects, they're only as secure as the least trustworthy person in your friends list. And that's a bug that can never be patched.