ICANN/GNSO GNSO Email List Archives

[ga]



[ga] Bridging the gap: Why privacy and security are so important, XIV - Facebook Bug Lets Hackers Delete Friends

  • To: ga@xxxxxxxxxxxxxx, dave.piscitello@xxxxxxxxx, ssene@xxxxxxxxxxxx, icann-board@xxxxxxxxx, rod_beckstrom@xxxxxxxxx, SenateWebmail@xxxxxxxxxxxxxxxxx
  • Subject: [ga] Bridging the gap: Why privacy and security are so important, XIV - Facebook Bug Lets Hackers Delete Friends
  • From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Date: Tue, 25 May 2010 18:06:39 -0500 (GMT-05:00)

All,

  The FACEBOOK lack of security or privacy saga continues.  Seems
perhaps we have a lack of technical competence in the ranks of
the FACEBOOK technical staff, and lack of management competence
amongst FACEBOOK's leadership, not to mention a level of seeming
lack of concern and 'Action' on the part of our government agencies,
and the SSAC with respect to 'FACEBOOK.COM'...  Such behaviors
don't demonstrate well good/healthy/safe social networking or social
IT technical and managerial conscience.
See:
https://it.slashdot.org/story/10/05/24/065246/Facebook-Bug-Lets-Hackers-Delete-Friends

There's a lot of talk about Facebook and privacy at the
moment, but a bug in Facebook's website lets hackers delete Facebook
friends without permission
(http://www.computerworld.com/s/article/9177113/Hackers_can_delete_Facebook_friends_thanks_to_flaw).
Steven Abbagnaro, a student from Marist College in Poughkeepsie, New York,
reported the flaw, writing proof-of-concept code that scrapes publicly
available data from users' Facebook pages and deletes all of their
friends, one by one. The victim first has to click on a malicious link
while logged into Facebook. Abbagnaro's code exploits the same underlying
flaw that was first reported by Alert Logic security analyst M.J. Keith,
who discovered a cross-site request forgery bug
(http://www.alertlogic.com/enterprise/blogs/32), where the website doesn't
properly check code sent by users' browsers to ensure that they were
authorized to make changes on the site.

Regards,

Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 300+k members/stakeholders and growing, 
strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B; liability
depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx
Phone: 214-244-4827
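
The missing check described in the quoted summary, as an added example that is not part of the original message and is not Facebook's code: a state-changing handler that trusts the session cookie alone, beside the same handler requiring a session-bound anti-CSRF token. The endpoint name, session store, key and sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)     # per-deployment secret (constructed)
SESSIONS = {"sess-alice": "alice"}       # session cookie -> user (constructed)

def new_friends():
    return {"alice": {"bob", "carol"}}   # constructed sample data

def csrf_token(session_id: str) -> str:
    """Token bound to the session; a page on another origin cannot read it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def remove_friend(friends, cookie, form, enforce_token):
    """HTTP-style status for a POST to a hypothetical /remove_friend endpoint."""
    user = SESSIONS.get(cookie)
    if user is None:
        return 401
    if enforce_token:
        sent = form.get("csrf_token", "").encode()
        if not hmac.compare_digest(sent, csrf_token(cookie).encode()):
            return 403                   # the cookie alone is not proof of intent
    friends[user].discard(form.get("friend"))
    return 200

# The browser attaches the session cookie to any request for the site, even one
# triggered by another origin's page; that page cannot supply the token.
CROSS_SITE_FORM = {"friend": "bob"}
SAME_SITE_FORM = {"friend": "bob", "csrf_token": csrf_token("sess-alice")}

def demo():
    """Map each case to (status, whether bob is still alice's friend)."""
    results = {}
    for name, enforce, form in [
        ("no_check_cross_site", False, CROSS_SITE_FORM),
        ("check_cross_site", True, CROSS_SITE_FORM),
        ("check_same_site", True, SAME_SITE_FORM),
    ]:
        friends = new_friends()
        status = remove_friend(friends, "sess-alice", form, enforce)
        results[name] = (status, "bob" in friends["alice"])
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```
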



