
The vulnerability was discovered by Rui Wang and Zhou Li. It enabled malicious websites to impersonate legitimate websites, and then obtain the same data access permissions on Facebook that those legitimate websites had received.
The bug occurred when a user informed Facebook of his or her willingness to share information with popular websites like ESPN.com or YouTube.
When such a request is made, Facebook passes a secret random string called an authentication token back to the requestor for identification. Whoever holds that authentication token can convince Facebook that they are, say, ESPN.com, thereby gaining unlimited access.
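The two checks that keep a stolen or misdirected token from granting a third party ESPN.com's access are delivering the token only to the exact redirect URI the site registered, and binding the token to the site it was issued to so that redeeming it also requires that site's own credential. The following is an added illustration of both checks, not Facebook Platform code and not the researchers' material; the client names, redirect URIs, secrets and the `issue_token` / `access_user_data` functions are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed client registry: a real authorization server keeps this in a
# database, populated when a site registers its application.
REGISTERED_CLIENTS = {
    "espn-example": {
        "redirect_uri": "https://espn.example/oauth/callback",
        "secret": "espn-example-secret",
    },
    "video-example": {
        "redirect_uri": "https://video.example/oauth/callback",
        "secret": "video-example-secret",
    },
}

# Signing key known only to the issuer (the Facebook-like side of the flow).
ISSUER_KEY = secrets.token_bytes(32)


def issue_token(client_id: str, redirect_uri: str, user_id: str) -> str:
    """Issue a token for user_id to client_id.

    The token is only ever handed to the redirect URI the client registered
    (exact string match, no prefix or wildcard matching), and it carries the
    client_id under an HMAC so that it is not a pure bearer secret.
    """
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        raise PermissionError("unknown client")
    if redirect_uri != client["redirect_uri"]:
        # A request asking to deliver the token elsewhere is refused outright.
        raise PermissionError("redirect_uri does not match registration")
    nonce = secrets.token_hex(16)
    payload = f"{client_id}|{user_id}|{nonce}"
    tag = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def access_user_data(token: str, presented_client_id: str, presented_secret: str) -> bool:
    """Resource-side check: the token must be authentic, must have been issued
    to the client presenting it, and that client must prove its identity with
    its own secret. Returns True only when all three hold."""
    try:
        client_id, user_id, nonce, tag = token.split("|")
    except ValueError:
        return False  # malformed token
    payload = f"{client_id}|{user_id}|{nonce}"
    expected = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # forged or altered token
    if client_id != presented_client_id:
        return False  # token was issued to a different site
    registered = REGISTERED_CLIENTS.get(presented_client_id)
    if registered is None or not hmac.compare_digest(registered["secret"], presented_secret):
        return False  # caller cannot prove it is that site
    return True


def stolen_token_is_useless() -> bool:
    """The scenario in the article: a token issued for espn-example ends up in
    someone else's hands. Without espn-example's own secret it cannot be
    redeemed, and it cannot be redeemed under another registered app either."""
    token = issue_token("espn-example", "https://espn.example/oauth/callback", "user-42")
    legitimate = access_user_data(token, "espn-example", "espn-example-secret")
    impersonator = access_user_data(token, "espn-example", "guessed-secret")
    wrong_audience = access_user_data(token, "video-example", "video-example-secret")
    return legitimate and not impersonator and not wrong_audience


def redirect_to_wrong_host_is_refused() -> bool:
    """A look-alike host is not the registered redirect URI, so no token is issued."""
    try:
        issue_token("espn-example", "https://espn.example.attacker.test/cb", "user-42")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("stolen token useless:", stolen_token_is_useless())
    print("wrong redirect refused:", redirect_to_wrong_host_is_refused())
```

The exact-match redirect check is what stops the token from being delivered to a site that merely resembles the registered one, and the client-secret check at redemption time is what turns "whoever holds the token" into "the site the token was issued to"; either check alone leaves one of the two paths open.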
"Researchers at Indiana University reported a vulnerability in our Platform code to us, and we worked quickly with them to resolve it. It was fixed shortly after it was reported. We're not aware of any cases in which it was used maliciously," the statement said.
"We thank the researchers at Indiana University for bringing this to our attention, and for demonstrating the value of responsible disclosure."