Everyone on Facebook owes Nir Goldshlager a beer. Or some Farmville cash, if he’s into that kind of thing. For the second time in as many months, the white hat hacker and apparent all-around good guy has discovered a major Facebook security flaw that allowed him to gain access to anyone’s account.
While most of us would probably take the opportunity to troll our friends or hack Colin Powell, Goldshlager instead alerted Facebook—both times.
Facebook fixed the hole “immediately,” Goldshlager said. The company told Market Watch it wasn’t aware of any users whose accounts had been compromised as a result of the exploit.
“It was a very similar bug (with a similar fact pattern) and as you can see from the post we were able to fix it almost immediately,” a spokesman told Market Watch.
The hack targeted something Facebook calls OAuth, the authorization mechanism through which developers get access to your account (it’s that big blue button you press whenever you say you’re willing to give an app access to your profile). Without OAuth, apps won’t run.
In his blog post, Goldshlager emphasized you didn’t necessarily need to have installed an app for the exploit to work: “I found a way in to get full permissions (read inbox, outbox, manage pages, manage ads, read private photos, videos, etc.) over the victim account even without any installed apps on the victim account.”
Goldshlager may not be in it entirely for the good karma. Facebook rewards good-guy hackers (whom the company calls “researchers”) with bounties. The company won’t disclose how big these payoffs are, but it did tell Market Watch it’s dished out more than 200 over the years.
Photo by jakecaptive/Flickr