Crusty API opened Facebook accounts to hijacking


By Darren Pauli, 10 Jul 2014
 
A leftover API that Facebook forgot to kill has left accounts open to spammers and scammers, says security researcher Stephen Sclafani. The flaw means an attacker could view other users' messages and post status updates.
Sclafani found that a then mis-configured endpoint, since patched, allowed legacy REST API calls to be made on behalf of any Facebook fanatic provided their user ID was known.
The REST API endpoint was the still-active predecessor of Facebook's core Graph API that allowed developers to read and write data to Facebook.
 
The Register, full read here: http://www.theregister.co.uk/2014/07/10/crusty_api_opened_facebook_accounts_to_hijacking/
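The flaw class the article describes, as an added illustration that is not Facebook's code and does not reproduce the actual endpoint: a legacy handler that checks only that the caller holds some valid token and then acts on whatever user ID the request names, beside a hardened handler that derives the acting user from the token itself. All names, tokens and sample data below are constructed for the example.

```python
# Added example (hypothetical, not Facebook's code): an "act on behalf of uid"
# endpoint that never binds the uid to the authenticated caller, next to the
# fixed version. Sample users, tokens and messages are constructed inline.

# Constructed data: user id -> inbox, user id -> list of status posts.
MESSAGES = {"1001": ["hi from alice's inbox"], "1002": ["hi from bob's inbox"]}
STATUS = {"1001": [], "1002": []}
# Constructed session tokens mapped to the user they were issued to.
TOKENS = {"tok-alice": "1001", "tok-bob": "1002"}


class AuthError(Exception):
    """Raised when a request is not authorized for the user it names."""


def legacy_read_messages(token, uid):
    """Vulnerable pattern: the token only proves that *someone* is logged in.
    The handler then trusts the caller-supplied uid, so any authenticated
    caller can read any user's messages just by naming their id."""
    if token not in TOKENS:
        raise AuthError("invalid token")
    return list(MESSAGES[uid])


def legacy_post_status(token, uid, text):
    """Same defect on the write path: status is posted as whichever uid the
    caller names, not as the user the token belongs to."""
    if token not in TOKENS:
        raise AuthError("invalid token")
    STATUS[uid].append(text)
    return len(STATUS[uid])


def resolve_actor(token, uid):
    """Hardened check: the acting user is whoever the token was issued to.
    A uid carried in the request is accepted only if it matches that user."""
    actor = TOKENS.get(token)
    if actor is None:
        raise AuthError("invalid token")
    if uid != actor:
        raise AuthError("token was not issued for user %s" % uid)
    return actor


def hardened_read_messages(token, uid):
    actor = resolve_actor(token, uid)
    return list(MESSAGES[actor])


def hardened_post_status(token, uid, text):
    actor = resolve_actor(token, uid)
    STATUS[actor].append(text)
    return len(STATUS[actor])


def demo():
    """Bob holds only his own token but names Alice's user id.
    Returns (what the legacy endpoint leaked, whether the hardened one refused)."""
    leaked = legacy_read_messages("tok-bob", "1001")  # succeeds: Alice's inbox
    try:
        hardened_read_messages("tok-bob", "1001")
        refused = False
    except AuthError:
        refused = True
    return leaked, refused


if __name__ == "__main__":
    print(demo())
```

The check worth taking away is in `resolve_actor`: authorization must tie the requested identity to the credential presented, not merely confirm that a credential exists. Any endpoint that accepts a user ID as a parameter should be reviewed for exactly this binding.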
