Is it true that a hacker could have accessed every single Facebook account due to a privacy flaw? Actually, yes. And he wrote about how he did it on his blog.
Gizmodo reported Monday that web applications security specialist Nir Goldshlager posted details of how he was able to gain access to any Facebook account he wanted because of a flaw in Facebook's OAuth -- a method of authentication used by the social network.
Goldshlager explained how he was able to exploit Facebook privacy flaw and "steal unique access tokens" that give him access to a person's full Facebook account on his blog. The hacker says the only way users can protect themselves from this type of hack would be to change their passwords.
Luckily, Goldshlager was not looking to exploit Facebook users and reported the security flaw to the social network so the loophole could be fixed.
Facebook confirmed Goldshlager's claims and says it has fixed the privacy flaw. The social network released this statement to CBS News via email:
We applaud the security researcher who brought this issue to our attention and for responsibly reporting the bug to our White Hat Program. We worked with Mr. Goldshlager to make sure we understood the full scope of the vulnerability, which allowed us to fix it without any evidence that this bug was exploited in the wild. Due to the responsible reporting of this issue to Facebook, we have no evidence that users were impacted by this bug. We have provided a bounty to the researcher to thank them for their contribution to Facebook Security.
KKTV firmly believes in freedom of speech for all and we are happy to provide this forum for the community to share opinions and facts. We ask that commenters keep it clean, keep it truthful, stay on topic and be responsible. Comments left here do not necessarily represent the viewpoint of KKTV 11 News.
If you believe that any of the comments on our site are inappropriate or offensive, please tell us by clicking “Report Abuse” and answering the questions that follow. We will review any reported comments promptly.powered by Disqus