Facebook has quietly fixed a vulnerability, recently discovered by two student researchers, that allowed malicious websites to access a Facebook user's private data without permission and post malicious links onto their profile.

Students Rui Wang and Zhou Li contacted security firm Sophos and told them the flaw they found made it possible for any website to impersonate other sites that had been authorized to access users' data, such as name, gender and date of birth. In other words, if a user had accessed any site (such as YouTube, or gaming sites and news sites) and had given the site access to their Facebook profile, a malicious site could potentially access their sensitive data. The researchers also found it was possible for the malicious site to pose as a legitimate website and publish content on the visiting user's Facebook wall, a common way malware is spread on the social network.

More: http://www.pcworld.com/article/218557/