Skip to main content

Terrifying Facebook security flaw lets hacker access anyone’s page

facebook lockIs Facebook secure? We questions the site’s security constantly, but no matter how many times evidence hints that the answer is a big fat “NO,” we keep coming back.

So there probably won’t be much fallout from the most recent Facebook security flaw discovery, even though Web application security specialist Nir Goldshlager figured how to hack into all of your Facebook pages. That’s right. Everyone. You. Me. Your grandma. Your high school friend who always posts uninformed political commentary.

Goldshlager investigated a weakness he found in Facebook’s OAuth system, and wrote about what the gaping security hole on his personal blog. In brief, he exploited an app authorization security flaw that easily gave him full access to Facebook user pages, even when users did not have installed apps on their account.

fb security
Image used with permission by copyright holder

As Goldshlager described it, “there are built-in Applications in Facebook that users never need to accept.” So even if you studiously avoid giving third-party apps permission to access your account, Facebook’s pre-installed applications (like Facebook Messenger) exposed users to the same vulnerability.

After reporting the problem to Facebook, the company awarded him its “White Hat” for security contributions. It also promptly fixed the bug.

Goldshlager exposes security flaws for a living, so if you’re worried about your nosy aunt hacking her way into your Facebook account, these flaws are too hidden for the average Facebook user to figure out. But even semi-sophisticated hackers could find similar holes and use them to hunt for personal information in private messages, leading to identity theft or widespread malware installation.

While the security issue has been fixed, we can’t blame anyone who’s a bit shaken up by the privacy and security failures of social networks. So if all this freaks you out too much, check out our guide to deleting your Facebook permanently.

[photo credit: Nick Carter via Flickr]

Kate Knibbs
Former Digital Trends Contributor
Kate Knibbs is a writer from Chicago. She is very happy that her borderline-unhealthy Internet habits are rewarded with a…
Facebook says Apple didn’t let it tell users about App Store tax
facebook paid event image

Facebook claims Apple made it remove a note that informed users paying for an online event on iOS about the mandatory 30% App Store tax, Reuters reports.

While announcing its new paid online events feature, Facebook committed to a zero-fee policy allowing small businesses and creators to keep 100% of the revenue they generate -- except for if the user is paying on an iOS app. There, due to Apple’s mandatory in-app purchase tax, the social network said it planned to label online event ticket purchases with a message that read: “Apple takes 30% of this purchase.” On Android, the note says: "Facebook doesn't take a fee from this purchase."

Read more
Facebook removes nearly 800 QAnon-related groups, pages, hashtags, and ads
QAnon conspiracy theorist holds a sign

Facebook took down nearly 800 groups associated with the far-right conspiracy theory group QAnon on Wednesday, as well as more than 1,500 advertisements and 100 pages tied to the group in a move to restrict "violent acts."

In a blog post, Facebook said the action is part of a broader "Dangerous Individuals and Organizations" policy measure to remove and restrict content that has led to real-world violence. The policy will also impact militia groups and political protest organizations like Antifa.

Read more
Facebook now lets businesses charge for online events
facebook paid event image

Facebook is letting businesses charge money for live online events, which it says will help businesses stay afloat as the pandemic keeps customers away from storefronts.

With the new addition to the platform, page owners can host an event on Facebook and charge guests attendance fees.

Read more