Terrifying Facebook security flaw lets hacker access anyone’s page

Is Facebook secure? We questions the site’s security constantly, but no matter how many times evidence hints that the answer is a big fat “NO,” we keep coming back.

So there probably won’t be much fallout from the most recent Facebook security flaw discovery, even though Web application security specialist Nir Goldshlager figured how to hack into all of your Facebook pages. That’s right. Everyone. You. Me. Your grandma. Your high school friend who always posts uninformed political commentary.

Goldshlager investigated a weakness he found in Facebook’s OAuth system, and wrote about what the gaping security hole on his personal blog. In brief, he exploited an app authorization security flaw that easily gave him full access to Facebook user pages, even when users did not have installed apps on their account.

As Goldshlager described it, “there are built-in Applications in Facebook that users never need to accept.” So even if you studiously avoid giving third-party apps permission to access your account, Facebook’s pre-installed applications (like Facebook Messenger) exposed users to the same vulnerability.

After reporting the problem to Facebook, the company awarded him its “White Hat” for security contributions. It also promptly fixed the bug.

Goldshlager exposes security flaws for a living, so if you’re worried about your nosy aunt hacking her way into your Facebook account, these flaws are too hidden for the average Facebook user to figure out. But even semi-sophisticated hackers could find similar holes and use them to hunt for personal information in private messages, leading to identity theft or widespread malware installation.

While the security issue has been fixed, we can’t blame anyone who’s a bit shaken up by the privacy and security failures of social networks. So if all this freaks you out too much, check out our guide to deleting your Facebook permanently.

[photo credit: Nick Carter via Flickr]