Why is Facebook Flaw Still Unpatched?

  • 1 December 2014

Researcher Paid a Bounty, But Exploit Remains

By Varun Haran, December 1, 2014

A year after Facebook received a bug report regarding a loophole in its app architecture, the vulnerability remains exploitable, says the researcher who discovered this potential threat to user privacy.
 
Vivek Bansal, a Delhi-based app developer, discovered a loophole in Facebook's third-party app integration system that can be maliciously exploited by apps interacting with Facebook. Through this exploit, apps can post to a user's Facebook wall and, on behalf of the user, to their friends' walls - without the user's consent. Bansal says that this flaw remains exploitable as of this writing, and is a potential privacy concern for all Facebook users.
 
In response to Information Security Media Group's queries, Facebook says that this behavior was the result of a system that allowed apps to offer users the ability to interact with Facebook without having to ask for personal information like passwords. Facebook says it has countered this loophole with automated systems that monitor for abuse.
 