ITsecurity

A serious unfixed flaw in Facebook – maybe

Posted by on November 13, 2014.

Vivek Bansal wrote to me.

I have something fantastic to share with you all which can give your readers an interesting read ! This story is to bring your attention on a very serious security breach from Facebook and their casual attitude towards it.

Some 11 months ago Bansal responsibly reported a Facebook flaw. Facebook was sufficiently grateful to award him a $2000 bounty and include him on their “Thanks! …for making a responsible disclosure to us” page.


But, he tells me now, almost a year later Facebook has still not fixed it.

But recently I noticed that NO ACTION was taken on that loophole. I was able to reproduce it and breach their security (AGAIN), with the same script (I wrote and submitted to them). I was shell-shocked. Seriously, it did the same thing in the same manner as the earlier one!

As proof of this he pointed me towards a YouTube video in which he posts to Katey Holmes’ wall without permission. OK; not Katie Holmes, but Katey Holmes.

Katie Holmes:

Wikipedia: Katie Holmes

Katey Holmes:

Facebook: Katey Holmes

The problem I have with Vivek’s claim is that this sort of name confusion is typical scam material. It gets worse. From Bansal’s LinkedIn account we see that he used to work at inoXapps. And from TECHGIG we find that there’s a research fellow at inoXapps called Katey Holmes.

Katey Holmes on TECHGIG

Now I’m no Facebook aficionado, so frankly I cannot comment on the veracity of Bansal’s claims. What I do suggest, however, is that two technical colleagues could easily concoct a very convincing fake video. So what is this? Is Facebook being really sloppy and unprofessional; is it a practical joke; is Bansal looking for publicity; or is it a test of the media’s gullibility?

I don’t know. I’ve asked Facebook to comment, and will update this post with any reply I get. After all – if he’s being completely honest, we really don’t want a flaw like this floating around Facebook.

UPDATE: (14/11/2014, 09:30 GMT)
First strike to Vivek Bansal. It is now more than 25 hours since I received: “We know you might be on deadline, so we’ll do our best to get back to you as soon as possible” from Facebook. Nothing further.

UPDATE: (15/11/2014, 09:25 GMT)
Strike 2 to Vivek Bansal. Now 48 hours since Facebook said it would get back to me as soon as possible. Whatever the status of the flaw, he’s right in accusing them of a ‘casual attitude’.

UPDATE: (18/11/2014, 12:30 GMT)
Well, it’s now more than 5 days since Facebook said “we’ll do our best to get back to you as soon as possible.” I’d hate to be waiting for something where they won’t do their best. I’ve repeated my query and will let you know.

Submitted in: News, News_hacks, News_vulnerabilities