SOURCE: BitDefender


May 11, 2011 14:42 ET

BitDefender Offers Insights Into Recently Discovered Facebook Vulnerability

Security Provider Advises Users on How to Stay Protected Against Future Facebook Vulnerabilities

BUCHAREST, ROMANIA--(Marketwire - May 11, 2011) - Yesterday Symantec disclosed a security vulnerability affecting the way third-party programs, such as games and other applications, accessed user data. According to BitDefender®, an award-winning provider of innovative internet security solutions, the entire issue is related to OAuth, the secure authorization protocol, and to the use of deprecated parameters by applications that have still not migrated from the older OAuth flow to its latest version, OAuth 2.0.

Through this vulnerability, third parties such as advertisers can obtain access tokens, which expose Facebook users' account information (such as basic information, profiles and pictures) and will sometimes allow them to perform actions in the user's name.

"At the current time, it is unclear whether there actually was a data breach or not. Symantec discovered a security issue and notified Facebook accordingly," commented Catalin Cosoi, Head of the BitDefender Online Threats Lab. "This could mean that the issue was proactively discovered and Facebook fixed it before anyone lost any data. On the other hand, it could mean that it is a known vulnerability in the underground or unethical world and users' private data has been leaking for some time now."

Facebook resolved the issue as quickly as possible, but this episode teaches all users two main lessons: (1) applications should have switched to the new authorization mechanism as soon as it became available, and (2) if any data was leaked, there is not much to be done now, since it is lost for good.

Although that should not be the case here, information extracted from social media can easily be turned into targeted attacks, such as phishing, highly personalized social-engineering spam and possibly even identity theft. Users should pay extra attention in the coming months to all messages they receive and be very careful when asked to perform any action, even if the message or request appears to come from a trusted source.

"This information can be illicitly used by marketers and advertisers in order to better profile their users and to serve ads based on interests and views. As always, a good way for Facebook users to invalidate their current access tokens is for them to change their passwords," advised Cosoi.

About BitDefender®
BitDefender is the creator of one of the industry's fastest and most effective lines of internationally certified security software. Since its inception in 2001, BitDefender has continued to raise the bar and set new standards in proactive threat prevention. Every day, BitDefender protects tens of millions of home and corporate users across the globe -- giving them the peace of mind of knowing that their digital experiences will be secure. BitDefender security solutions are distributed by a global network of value-added distribution and reseller partners in more than 100 countries worldwide. More information about BitDefender and its products is available at the company's security solutions press room.

Additionally, BitDefender's Malware City provides background and the latest updates on security threats helping users stay informed in the everyday battle against malware.