SecureState Blog

Facebook CEO’s Timeline Hacked, Protect your Privacy

A story broke earlier today regarding Mark Zuckerberg’s Facebook timeline getting hacked through a previously undisclosed vulnerability.

The security researcher who identified the issue attempted to submit it to Facebook’s bug bounty program multiple times, but the submissions were denied because Facebook was not able to validate the issue, as its team was not friends with the account used for the demonstration.

To get the attention he desired, the researcher decided to use the vulnerability to post on Facebook CEO Mark Zuckerberg’s timeline. The post was quickly removed, but an image of it can be seen below.

[Image: Zuckerberg Facebook Profile. A researcher says he tried to contact Facebook about a security flaw before using it to post to CEO Mark Zuckerberg’s page.]

Shortly thereafter, Facebook Security contacted the researcher requesting the full details of the bug. The researcher obliged, and the vulnerability has since been patched. Unfortunately for the researcher, Facebook has decided that exploiting the vulnerability violated Facebook’s user agreement and, as such, has opted not to pay the reward for this bug.

While the technical details of this bug have not yet been published, the researcher did release a video demonstrating the hack. The video shows the “attacker” discovering the user ID of the “victim,” which is publicly available on graph.facebook.com.

[Image: Discovering a Facebook user ID through the publicly accessible graph.facebook.com.]

The attacker begins to post a link on his own wall. Before posting, however, he performs some actions that are mostly obscured from view but do appear to include modifying the source of the page. Upon posting, the link appears on the victim’s timeline, as shown in the following image.

[Image: A researcher exploits a vulnerability in order to post content to any Facebook user’s page, including users that are not friends.]

This is not the first vulnerability identified on Facebook, and it surely won’t be the last. The minimum $500 payout for the bug bounty program ensures that the Facebook security team will continue to receive a steady stream of submissions.

How to Protect Yourself:

The prospect of hacking Facebook for more malicious reasons will also continue to motivate hackers to identify vulnerabilities. With new attacks appearing regularly, it is important that Facebook users understand how best to protect their accounts. SecureState has published several blog posts on Facebook security and privacy, including account settings to secure your profile. Links to some of these publications are below.

Hacking Your Location With Facebook Places

Are You Over Sharing

The New Facebook Graph Search – How to Protect Your Privacy

Social Media Privacy Guides