Facebook vulnerability allowed silent webcam recording
Facebook has fixed a security vulnerability that could be exploited by an attacker to record video from a victim's webcam and then post it to their timeline without requesting their permission. The social network operator doesn't seem to have been in any great hurry – security researchers Aditya Gupta and Subho Halder say that they informed the company of the problem four months ago. The two are, however, happy with the outcome, as the reward paid out by Facebook for reporting the vulnerability proved to be significantly more than expected.
The researchers discovered that the video upload feature, which is implemented in Flash, was not properly protected against cross-site request forgery (CSRF) attacks. They developed a demo web page containing an embedded Flash applet – visiting the page displayed the video uploader, but, when clicked on, the uploader recorded a video with the visitor's webcam and posted it to their Facebook timeline without requesting their permission. The only requirement was that the user had to be logged into their Facebook account at the time.
The demo video shows the researchers actively clicking on the record button, but the attack could be extended to use clickjacking to get the user to start recording without their knowledge. As the two researchers report in an interview with Softpedia, Facebook initially maintained that the vulnerability was not particularly serious. It was only once the researchers posted a proof of concept video demonstrating exploitation of the vulnerability that the social network reassessed its position and reclassified the vulnerability as critical.
Just after Christmas, Gupta and Halder received the welcome news that they were to receive a $2,500 reward (in the form of credit on a White Hat debit card) as part of Facebook's bug bounty programme. The two researchers were surprised at the response, as generous as it was belated, "We were expecting a bounty of $500, because that is the usual amount Facebook pays to security researchers, unless it is a serious issue."