Facebook Fixing Security Bug Which Exposes User Photos And Names: “

In theory, all Facebook users have had their profile image and name exposed through a bug which enables malicious hackers to scrape the data. While such information is also available for sale through companies like Flowtown, this particular security glitch makes it much more easier to collect information as long as a company has access to a large database of email addresses.

When asked for comment on the issue, Facebook provided the following statement:

We have technical systems in place to prevent people’s names and photos from showing to unrelated users upon login, but a recently introduced bug temporarily prevented these from working as intended. We are already working on a fix and expect to remedy the situation shortly. Please note that our Statement of Rights and Responsibilities (http://www.facebook.com/terms.php) dictates who and how public information can be accessed, and we prohibit people from scraping our site.

Facebook has also had a number of previous issues where information was supposedly ‘leaked’. In this case, having access to 500 million user photos and names would require you to have a database of 500 million people. Fortunately there are very few companies that have such a large database of contact information. Also much of this information is already available via Facebook’s Graph API as long as you have a user’s ID.

Generating those IDs through basic brute force techniques would not be too complicated, although it would most definitely be time consuming. However tying that data to an email address becomes a much more powerful combination apparently. Are you concerned by these types of security bugs?

(Via All Facebook.)

Cross Site Scripting (XSS) is a code injection vulnerability found in web applications and is generally used by malicious hackers to hijack a legitimate user’s session with the website. XSS vulnerabilities are caused because of improper validation of user input by the Server and then sending this invalidated input back to the user in some exploitable form. A great resource to track the latest XSS vulnerable software, websites and latest research is XSSed.com

In this 4 part video series Arne from Aachen Method gives a detailed primer on XSS.

1. Quick Overview: This video explains the basics of XSS, kinds of XSS – Persistent, Non-Persistent and DOM based.

3. Finding XSS weaknesses in websites: Pointer to Rsnake’s website http://ha.ckers.org/xss.html

4. Protecting yourself from XSS attacks as a user: By turning off scripts, not clicking on untrusted links etc.