Social Networking Sites Patch Security Flaws

A security researcher recently uncovered numerous cross-site scripting vulnerabilities in Twitter, Facebook and MySpace.

The social networking sites have patched all the bugs, which were discovered by Nir Goldshlager of Avnet Information Security Consulting and shared with the sites a few weeks ago.

Security breach

“When a user logs in to www.facebook.com, www.twitter.com or www.myspace.com, he is automatically logging in to m.facebook.com and touch.facebook.com, mobile.twitter.com, m.myspace.com with the same session ID cookie value that was used for [the other sites],” Goldshlager said. “Facebook uses an HTTP-only flag to avoid cookie stealing from cross-site scripting attacks, but an attacker doesn’t need to steal the valid cookie or session IDs of the victim to perform unwanted actions on the victim’s account in Facebook or MySpace.”

Successful exploitation meant gaining control over the victim’s account, giving an attacker the ability to send and read messages, see private data and more, the researcher said.

“An attacker would only need a victim to click on a website link,” he said.

On Twitter the situation was the same, only an attacker would be able to steal the session ID and get full control.

Input validation issues

The cross-site scripting bugs were all due to input validation issues. Additionally, a cross-site request forgery issue existed on the mobile version of MySpace that could be exploited to do things like upload and delete photos on a victim’s account or update a victim’s status, Goldshlager said. That vulnerability was fixed as well.

“MySpace has a security team in place that is wholly dedicated to combating these types of issues,” a spokesperson for the site told eWEEK, adding the problem was fixed quickly.

According to a spokesperson for Facebook, the site seeks to maintain a “strong relationship with security experts” and has created a form for researchers to use that it links to from its Help Center as well as the “White Hats” tab on the Facebook Security page.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Apple, Google Mobile Ecosystems Should Be Investigated, CMA Told

CMA receives 'provisional recommendation' from independent inquiry that Apple,Google mobile ecosystem needs investigation

7 hours ago

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

10 hours ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

11 hours ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

1 day ago

Former Policy Boss At X, Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

1 day ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

1 day ago