wasc-whid@lists.webappsec.org

WASC Web Hacking Incidents Database


WHID 2011-30: Facebook plugs gnarly authentication flaw

WASC Web Hacking Incidents Database
Wed, Feb 2, 2011 2:12 PM

Entry Title: WHID 2011-30: Facebook plugs gnarly authentication flaw
WHID ID: 2011-30
Date Occurred: February 2, 2011
Attack Method: Content Spoofing
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Web 2.0
Attacked Entity Geography: Palo Alto, CA
Incident Description: The vulnerability stems from a bug in one of
Facebook's authentication mechanisms, Rui explained.
The vulnerability enables the malicious website to impersonate any other
websites to cheat Facebook, and obtain the same data access permissions on
Facebook those websites receive. Bing.com by default has the permission to
access any Facebook user's basic information such as name, gender, etc., so
our malicious website is able to de-anonymize the users by impersonating
Bing.com. In addition, due to business needs, there are many websites
requesting more permissions, including access to a user's private data,
and publishing content on Facebook on her behalf. Therefore, by
impersonating those websites, our website can obtain the same permissions to
steal the private data or post phishing messages on Facebook on the user's
behalf.
The exploit is generic, so we do not need to write an exploit for each
Facebook app/website. The only parameter we need is the app ID of a Facebook
app/website.
Mass Attack: No
Reference:
http://www.theregister.co.uk/2011/02/02/facebook_plugs_authentication_flaw/
Attack Source Geography:
Attacked System Technology: Facebook
Additional Link: http://www.youtube.com/watch?v=chATOThshtY
