Facebook 'bug' enables account hijacking via third-party apps

No thanks to a bug in the authentication process, cybercriminals can hijack the online credentials of a person who logs in via his or her Facebook account.

 

Making matters worse is that Facebook is powerless to fix the bug since it is the responsibility of the third-party app maker, researcher Nir Goldshlager said.

 

"What does happen if the victim has an installed application (e.g. Skype or Dropbox)? Can a hacker still attack Facebook users? The answer to this question is a resounding yes. The attacker only needs to find a Site redirection/XSS on the Facebook owner app domain (that is, skype.com, dropbox.com, etc.)," Goldshlager said in a blog post.

 

He said many of today’s sites suffer from site redirection vulnerabilities.

 

Yet, he said Facebook is powerless when it comes to fixing this issue.

 

"In fact, the developer or owner of the app needs to take responsibility for these flaws in order to avoid the potentially pernicious site redirection attacks," he said.

 

A separate blog post by Bitdefender said logging into an application using the social network’s credentials "is like handing your house keys to people you barely know."

 

Bitdefender suggested that users keep their applications "to an absolute minimum" and not to authorize applications they do not use. — TJD, GMA News