DarkReading is carrying a report about research into Facebook security holes by a researcher known only as ‘theharmonyguy’. The researcher is disclosing flaws discovered in Facebook and in the third-party applications that many people use.
So far, bugs have been disclosed in:
- FunSpace (8 million users)
- SuperPoke (2 million users)
- YellowPages.ca (a mere 1200 users)
with more disclosures promised for the rest of September.
All of these flaws (so far) are what’s known as cross-site scripting (XSS) flaws – you can find out more about this on Wikipedia (if you’re so inclined).
The good news – according to the researcher, “… Facebook’s own applications tend to be secure, as does its site.” The problem, the researcher says, lies in Facebook’s API, which gives application developers full access to Facebook members’ profiles.
The key advice, however, is at the end of the article. Since there’s no certain way to avoid these attacks, ‘theharmonyguy’ says:
My No. 1 tip to users would be not to put anything on their profile that they don’t want to be public. Treat your Facebook profile as if it’s already public, and be careful what applications you install.
Sound advice on Facebook and, for that matter, any of the other social networking sites.