Security Engineer Joey Tyson Discovers Facebook Security Hole

Security Engineer Joey Tyson has discovered a new security hole in Facebook that allows a seemingly innocent web page to steal Facebook users' private data.

In a private demonstration sent to Facebook, Joey showed that two behaviors of the Facebook platform can be combined to steal data silently.

From Joey's Blog: #-Link-Snipped-#

In my proof-of-concept demonstration, I loaded a harmless-looking web page on a server external to Facebook. The page included code for an inline frame sized to be invisible to the user. This frame then loaded the login page for a Facebook application. If the user has already authorized an application, its login page will automatically forward to the application, and that’s exactly what I wanted to happen. I chose FarmVille for my demo, since it has a wide install base. Keep in mind that while FarmVille currently lists about 83 million monthly active users, the attack would have worked for anyone who has authorized the application, regardless of how long ago. The attack could also target multiple applications at once using multiple iframes, meaning nearly any of Facebook’s 400 million active users could have fallen prey.
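
An added example, not from Joey Tyson's post or from Facebook's code: the demonstration above depends on an application login page rendering inside a third-party page's invisible inline frame, so a defender can check whether a response's headers forbid that. The header names are standard; the function names, paths and sample responses are constructed for illustration.

```javascript
// Classify whether a browser would let another site render a response in a frame.
// Verdicts: 'denied' (no framing), 'restricted' (same-origin or listed hosts), 'open'.

function frameAncestors(policy) {
  // Return the frame-ancestors source list of one CSP policy, or null if absent.
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources.map((s) => s.toLowerCase());
  }
  return null;
}

function classifySources(sources) {
  // An empty list or a lone 'none' matches no ancestor at all.
  if (sources.length === 0 || (sources.length === 1 && sources[0] === "'none'")) return 'denied';
  // A wildcard or a bare scheme source admits arbitrary sites.
  if (sources.some((s) => s === '*' || /^https?:$/.test(s))) return 'open';
  return 'restricted';
}

function framingVerdict(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  // Comma-joined policies are enforced together: the strictest one decides.
  const lists = (h['content-security-policy'] || '')
    .split(',').map(frameAncestors).filter((l) => l !== null);
  if (lists.length > 0) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    const verdicts = lists.map(classifySources);
    if (verdicts.includes('denied')) return 'denied';
    return verdicts.includes('restricted') ? 'restricted' : 'open';
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'denied';
  if (xfo === 'SAMEORIGIN') return 'restricted';
  return 'open'; // missing, invalid, or the obsolete ALLOW-FROM form
}

// Constructed sample responses for hypothetical endpoints.
const SAMPLES = [
  { path: '/login', headers: {} },
  { path: '/authorize', headers: { 'X-Frame-Options': 'ALLOW-FROM https://example.test' } },
  { path: '/settings', headers: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" } },
  { path: '/logout', headers: { 'x-frame-options': 'deny' } },
];

function openEndpoints(samples) {
  return samples.filter((s) => framingVerdict(s.headers) === 'open').map((s) => s.path);
}
```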
