A bad week for Facebook, MySpace
Posted by kent on November 5th, 2009
I thought I was using hyperbole on Tuesday when I used the headline "Another day, another Facebook attack." Or maybe I should have just saved it for today. While Tuesday's news concerned a phishing attack, today's attack is far more insidious. According to the Facebook application developer who discovered the Facebook security vulnerability, it could potentially exploit Adobe's Flash plugin and Facebook's auto-login feature.
a active session, or a "auto login"-cookie and a URL which hosts a exploiting Flash file. For example when accessed, a automatic "post update" could be made, that would lure friends of the user to access the exploit URL, and the exploit would spread virally.(sic)
Basically, it works like this: you decide to share some awesome new Flash site (such as a browser-based game), not knowing that it's an exploit. You hit "share." If you have auto-login enabled, your Facebook login data is transferred to the nefarious referring site. Since you're sharing that site, others click on it. It steals their info, ad infinitum.
It's important to note that so far there's no evidence that this has actually happened. The potential was discovered by a concerned developer and reported so the hole would be closed. The folks at Facebook are aware of the problem, and they claim that no one's data has been compromised. They gave the following statement to TechCrunch:
The security of our users is a top priority for Facebook and we worked with the researcher who identified the issue to fix it. We have not received any reports that it was ever exploited.
MySpace has apparently fixed the bug, and from Facebook's statement it seems that a fix is either in place or imminent. But it may make you wonder if there's any way, other than cutting your Internet connection, that you can protect yourself. You don't have much control over Facebook's vulnerabilities, but identity theft protection is a good way to protect yourself in the online and offline world.
One Response to “A bad week for Facebook, MySpace”
Copyright© 2006 - NextAdvisor.com - All rights reserved.
November 12th, 2009 at 5:57 pm
[...] week when both Apple and Microsoft released massive security updates, and a week after a series of Facebook and MySpace exploits came to light. Just when you thought it was safe to go in the [...]