Facebook closes serious security hole
Social networking site Facebook has made it into the headlines with a serious security hole. A simple trick allowed users to view their friends' live chats as well as pending friend requests and message status, reported the TechCrunch blog. The hole, demonstrated in a video, appears to have been fixed rapidly, and Facebook's chat feature was disabled for "maintenance" reasons for some hours.
It was the very privacy features, which were recently expanded, that offered an opportunity for misuse. Facebook's privacy settings contain a preview function where users can see what their profile settings look like when viewed by their friends. While simulating their own profile as seen by one of their friends, users were able to access their friend's live chat sessions via the chat feature.
The H's associates at heise online were able to at least partially reproduce the flaw prior to the hole being completely closed. Although chats and pending friend requests were already protected against sniffing, Facebook still allowed the privacy previewers to see their friend's status bar including any pending friend requests, emails and messages. Facebook now appears to have closed the hole completely. "For a limited period of time, a bug permitted some users’ chat messages and pending friend requests to be made visible to their friends", admitted the company - often criticised for being "data hungry" - in a statement. Facebook said that its engineers temporarily disabled the chat function, fixed the problem and then re-enabled the chat features.
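The article describes the flaw only at the level of "the preview ran the page as the friend". The example below, added here and not taken from the article or from Facebook's code, models the design error the description implies and its fix: a "view as" preview must use the simulated identity for exactly one decision (which profile fields are visible) and must keep every private data fetch (chat, pending requests) bound to the authenticated session. The data model, function names and sample users are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class User:
    name: str
    friends: set            # names of accepted friends
    profile: dict           # profile field -> value
    visibility: dict        # profile field -> "public" | "friends" | "only_me"
    chats: list             # private: the user's own live chat lines
    pending_requests: list  # private: people awaiting this user's approval


def profile_as_seen_by(owner: User, viewer: User) -> dict:
    """Return the subset of owner's profile fields that viewer may see."""
    if viewer.name == owner.name:
        return dict(owner.profile)
    visible = {}
    for field_name, value in owner.profile.items():
        setting = owner.visibility.get(field_name, "only_me")
        if setting == "public" or (setting == "friends" and viewer.name in owner.friends):
            visible[field_name] = value
    return visible


def render_preview_vulnerable(session_user: User, simulated: User) -> dict:
    # Constructed vulnerable pattern: the "view as" switch replaces the
    # effective principal for the whole page, so the chat sidebar and the
    # pending-request list are fetched as the simulated friend, not as the
    # logged-in user. That is the leak the article describes.
    effective = simulated
    return {
        "profile": profile_as_seen_by(session_user, effective),
        "chats": list(effective.chats),
        "pending_requests": list(effective.pending_requests),
    }


def render_preview_fixed(session_user: User, simulated: User) -> dict:
    # Hardened version: the preview is only offered for accepted friends, and
    # the simulated identity feeds exactly one decision, the visibility check
    # on the profile. Everything private stays bound to the real session.
    if simulated.name not in session_user.friends:
        raise PermissionError("preview is only available for your own friends")
    return {
        "profile": profile_as_seen_by(session_user, simulated),
        "chats": list(session_user.chats),
        "pending_requests": list(session_user.pending_requests),
    }


def leaks_private_data(page: dict, simulated: User) -> bool:
    """Regression check: does a rendered preview expose anything private
    to the user being simulated? Suitable as a test in a CI suite."""
    exposed = set(page["chats"]) | set(page["pending_requests"])
    private = set(simulated.chats) | set(simulated.pending_requests)
    return bool(exposed & private)


# Constructed sample users: alice and bob are friends.
alice = User("alice", {"bob"}, {"city": "Hanover", "phone": "555-0100"},
             {"city": "friends", "phone": "only_me"}, ["alice: lunch?"], ["erin"])
bob = User("bob", {"alice"}, {"city": "Berlin"}, {"city": "public"},
           ["bob: the report is late"], ["dave"])

if __name__ == "__main__":
    print("vulnerable:", render_preview_vulnerable(alice, bob))
    print("fixed:     ", render_preview_fixed(alice, bob))
```

The `leaks_private_data` check is the kind of test that would have caught the regression before release: render a preview for every friend relationship in a fixture and assert that nothing belonging to the simulated account reaches the page.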
It is unclear how long this problem existed. One can only hope that the incident will prompt Facebook to refocus its security agenda towards investing in quality assurance rather than the pursuit of attackers; recently Facebook's head of security, Max Kelly, said that Facebook tends to focus on going after attackers and worry less about vulnerabilities.