Maybe with all the constant redesigns and swapping of features, the occasional bug is to be expected. But a bug uncovered by TechCrunch Europe today turned out to be a gaping security hole. The bug allowed users to view the live chat logs of any of their friends on the site.
The trick relied on Facebook's profile preview feature in the security settings. When changing security, users can preview their profile to see what information is available to the outside world. There is also a box on the preview where a specific user can be entered so you can see how your profile looks to that person. By just typing in the name of a friend, their chat log can be pulled up. Yes, a privacy feature actually created an exploit.
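The hole described above is a classic access-control mistake: a "view my profile as X" feature that is built by switching the session to X instead of merely changing the audience used for the visibility filter. The following Python is an added, constructed model of that bug class and its fix; it is not Facebook's code, and the user records, field names and the `preview_vulnerable`/`preview_fixed`/`leaks_private_data` functions are all assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)
    public: dict = field(default_factory=dict)        # visible to everyone
    friends_only: dict = field(default_factory=dict)  # visible to friends
    chat_log: list = field(default_factory=list)      # private: owner only


# Constructed sample users (hypothetical data, not from the article)
ALICE = User("alice", friends={"bob"}, public={"name": "Alice"},
             friends_only={"phone": "555-0100"},
             chat_log=["alice -> carol: lunch?"])
BOB = User("bob", friends={"alice"}, public={"name": "Bob"},
           friends_only={"phone": "555-0199"},
           chat_log=["bob -> alice: hey"])
USERS = {u.name: u for u in (ALICE, BOB)}


def profile_as_seen_by(owner: User, audience: User) -> dict:
    """Visibility filter: the parts of `owner`'s profile that `audience` may see."""
    view = dict(owner.public)
    if audience.name in owner.friends:
        view.update(owner.friends_only)
    return view


def render_page(session_user: User, profile_owner: User) -> dict:
    """Normal page render: `profile_owner`'s profile as shown to the logged-in
    `session_user`, plus the session user's own private chat widget."""
    return {
        "profile": profile_as_seen_by(profile_owner, session_user),
        "chat_log": list(session_user.chat_log),
    }


def preview_vulnerable(viewer: User, as_name: str) -> dict:
    """Hypothetical buggy 'preview my profile as <name>'.

    The preview is implemented by swapping the session to the named user and
    re-rendering the page. Every session-bound widget, the private chat log
    included, now renders that user's data and is handed back to `viewer`."""
    as_user = USERS[as_name]
    return render_page(session_user=as_user, profile_owner=viewer)


def preview_fixed(viewer: User, as_name: str) -> dict:
    """Hardened preview: the named user is only the *audience* for the
    visibility filter. The session, and therefore every session-bound widget,
    stays the real viewer's; private widgets are simply omitted from previews."""
    as_user = USERS[as_name]
    return {"profile": profile_as_seen_by(viewer, as_user), "chat_log": []}


def leaks_private_data(preview_fn, viewer: User, as_name: str) -> bool:
    """Regression check a defender would keep in the test suite: does a preview
    ever return data that only the impersonated user should be able to see?"""
    page = preview_fn(viewer, as_name)
    return any(line in page["chat_log"] for line in USERS[as_name].chat_log)


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_private_data(preview_vulnerable, BOB, "alice"))  # True
    print("fixed leaks:", leaks_private_data(preview_fixed, BOB, "alice"))            # False
```

The design point is that an audience selector must only feed the filter applied to the viewer's own data; the moment it changes whose session the request runs under, everything keyed off the session (chat, inbox, notifications) follows, and a privacy control turns into an impersonation primitive.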
TechCrunch alerted Facebook, who then pushed out an update to fix the error. In a statement Facebook said the bug was accessed "by manipulating the 'preview my profile' feature." We prefer to think of it as using the feature, but that's just semantics. We'll hand it to Facebook, they did fix it quickly, but it shouldn't have happened in the first place.
Hit the jump for TechCrunch's video of the exploit in action.
The attack proceeds in a routine way, with unsuspecting online banking customers being led to a phishing page designed to extract their account details. After these gullible visitors are through with the first page, instead of being sent to another phishing page or to the genuine website, they are led to a fake live-chat support window. The fraudster at the other end, posing as customer support personnel, then tries to extract more account details from them through social engineering.
According to RSA, the fake live-chat support window is powered by Jabber, an open-source instant messaging protocol. "While at this point RSA has witnessed only a single instance of this attack, we are recommending extra vigilance to operators of all online banking websites and other websites where user credentials are targeted," RSA wrote on its blog.