By Jacob Collins |Staff Writer|
As of Nov. 14, Facebook has not yet patched a security flaw discovered in 2013, according to security researcher Vivek Bansal.
The flaw abuses Facebook’s app permissions: through an app that should only be allowed to access basic profile information, a user can post on others’ walls as someone else.
Bansal reported the flaw to Facebook security in October 2013 and was awarded $2,000 through the company’s bug bounty program, which pays security researchers who find security flaws and report them to Facebook.
“I was surprised to discover that in fact no action had been taken to repair the loophole I had originally found. Indeed, I was able to reproduce my exploit and breach their security again using the same script. I was shocked that everything went off as it had before, so I wrote them again expressing my concerns,” stated Bansal in an article on informationsecuritybuzz.com.
Students, even if they do not use Facebook themselves, understand the concern.
“I don’t use Facebook but I can understand why people would be upset by this,” said student Brian Ponce.
Facebook’s bug bounty program rewards security researchers for finding security flaws in Facebook as long as they follow Facebook’s responsible disclosure policy. Many of the researchers who have successfully found bugs have been added to the “wall of fame” on Facebook’s bug bounty program page.
One CSUSB student said that they were a victim of an attack like this before.
“I’ve had that happen to my friend before. They posted on my page when it wasn’t really them,” said Savannah Barras.
This isn’t the first time that Facebook, like many other tech giants, has dealt with security vulnerabilities.
In 2013, Khalil Shreateh discovered a bug that allowed a user to post on others’ timelines even if they were not friends. According to Shreateh, Facebook told him it was not a bug, so he used it to post on the wall of Facebook CEO Mark Zuckerberg to demonstrate that the bug was real.
The bug that Shreateh found has since been fixed.
In January, Facebook paid Reginaldo Silva, a computer engineer, $33,500 for finding a remote code execution vulnerability in OpenID, which Facebook uses for log-ins.
According to Facebook, a total of $2 million had been awarded through the bug bounty program as of 2013, $1.5 million of which was paid out to researchers in 2013.
It is unknown when or if the security hole will be fixed by Facebook.