
Facebook Bug Lets Hackers Delete Friends

timothy posted more than 4 years ago | from the friends-don't-let-friends dept.


swandives writes "There's a lot of talk about Facebook and privacy at the moment, but a bug in Facebook's website lets hackers delete Facebook friends without permission. Steven Abbagnaro, a student from Marist College in Poughkeepsie, New York, reported the flaw, writing proof-of-concept code that scrapes publicly available data from users' Facebook pages and deletes all of their friends, one by one. The victim first has to click on a malicious link while logged into Facebook. Abbagnaro's code exploits the same underlying flaw that was first reported by Alert Logic security analyst M.J. Keith who discovered a cross-site request forgery bug, where the website doesn't properly check code sent by users' browsers to ensure that they were authorized to make changes on the site."


GOOD I'VE GOT A FEW FRIENDS I DON'T NEED ANYMORE (2, Funny)

Anonymous Coward | more than 4 years ago | (#32321422)

How soon can I get them out of the picture, if you know what I mean.

Re:GOOD I'VE GOT A FEW FRIENDS I DON'T NEED ANYMOR (3, Funny)

MichaelSmith (789609) | more than 4 years ago | (#32321432)

That's one hell of a bug. I didn't know you could do that much damage with php.

Re:GOOD I'VE GOT A FEW FRIENDS I DON'T NEED ANYMOR (0)

Anonymous Coward | more than 4 years ago | (#32321494)

You can do anything with PHP.

Re:GOOD I'VE GOT A FEW FRIENDS I DON'T NEED ANYMOR (1, Informative)

Anonymous Coward | more than 4 years ago | (#32321504)

It's not PHP's fundamental flaw that deletes your facebook friends, it's the programmer's bad authentication design.

Re:GOOD I'VE GOT A FEW FRIENDS I DON'T NEED ANYMOR (4, Funny)

Thanshin (1188877) | more than 4 years ago | (#32321486)

How soon can I get them out of the picture, if you know what I mean.

Sorry but I don't think the hack goes as far as photoshopping your pictures to erase your friends from them.

Re:GOOD I'VE GOT A FEW FRIENDS I DON'T NEED ANYMOR (2, Funny)

zalas (682627) | more than 4 years ago | (#32324952)

I wonder how long before someone writes an app that connects Facebook friend deletion events with Photoshop's Content-aware Fill feature... They could name the app "Stalin".

actually there is a way to do that (0)

Anonymous Coward | more than 4 years ago | (#32321642)

you need to look up

http://en.wikipedia.org/wiki/Seam_carving

there is an online app, http://rsizr.com/

and also gimp support http://liquidrescale.wikidot.com/

there should be some really cool videos http://www.google.com.au/search?q=seam+carving&tbs=vid:1

This is not a bug (5, Funny)

Anonymous Coward | more than 4 years ago | (#32321428)

"It's a feature."

Re:This is not a bug (2, Insightful)

tuomoks (246421) | more than 4 years ago | (#32322090)

Everything today is "a feature". Real tired to hear these "problems" - not really problems but laziness, ignorance, whatever by developers / designers! Yes, the base, the standards, the tools, and so on are flawed but nothing says the systems have to be coded that way, allowing all the security and other problems. I have tried a long time to defend the developers - it wasn't their problem that their tools, toys, systems, etc were bad but after so long - anyone anymore creating systems with these flaws is to blame!

This is really getting out of hand - why would anyone build systems which allow these problems, cross-site without checking, whatever - on purpose? Sorry, after 30+ years designing / creating safe systems for global mission critical operations, public safety, etc - I just can't understand!! Yes - sometimes it means fighting the management and even customer but why would anyone do it - every time it comes back haunting you, badly! What has happened to separation of presentation, processing, authentication, authorization, etc?? The basic rules in safe computing! Or did your vendor licensing book forget to tell you about the bad and ugly world outside the door? If so - why not start thinking yourself?

Raising false hopes (5, Funny)

Thanshin (1188877) | more than 4 years ago | (#32321440)

In case you didn't RTFA, you can only delete the link between your facebook accounts, not the friends themselves.

And so dies our intricate plan to befriend our enemies and erase them from existence.

Re:Raising false hopes (5, Informative)

MichaelSmith (789609) | more than 4 years ago | (#32321460)

They're a bunch of spoil sports:

5/11/2010 – Facebook notified of vulnerability
5/13/2010 – Work begins with Facebook to patch flaw.
5/14/2010 – Facebook confirms flaw is patched.

5/24/2010 – Post on slashdot.

Re:Raising false hopes (5, Funny)

Thanshin (1188877) | more than 4 years ago | (#32321510)

They're a bunch of spoil sports:
5/11/2010 - Facebook notified of vulnerability
5/13/2010 - Work begins with Facebook to patch flaw.
5/14/2010 - Facebook confirms flaw is patched.

5/24/2010 - Post on slashdot.

5/28/2010 - Dupe post on Slashdot.
6/15/2010 - Trupe post on Slashdot.
6/15/2010 - AskSlashdot question about whether dupe+1 = trupe or redupe. Links to original post.
6/15/2010 - Slashdot is slashdotted, creating a singular paradox.
5/24/2010 - The end of the world as we know it.

Re:Raising false hopes (0, Flamebait)

JohnHegarty (453016) | more than 4 years ago | (#32321690)

12/21/2012 - The end of the world as we know it.

^ FYP

Re:Raising false hopes (0)

Anonymous Coward | more than 4 years ago | (#32321986)

5/24/2010 - The end of the world as we know it.

... and I feel fine.

Re:Raising false hopes (2, Funny)

Zebaulon (534793) | more than 4 years ago | (#32322742)

5/28/2010 - Dupe post on Slashdot.
6/15/2010 - Trupe post on Slashdot.
6/15/2010 - AskSlashdot question about whether dupe+1 = trupe or redupe. Links to original post.
6/15/2010 - Slashdot is slashdotted, creating a singular paradox.
5/24/2010 - The end of the world as we know it.

And I feel fine.

Re:Raising false hopes (1)

Hatta (162192) | more than 4 years ago | (#32323508)

5/28/2010 - Dupe post on Slashdot.
6/15/2010 - Trupe post on Slashdot.

If "dupe" derives from "duplicate", shouldn't we derive "tripe" from "triplicate"?

Re:Raising false hopes (1)

Thanshin (1188877) | more than 4 years ago | (#32323996)

If "dupe" derives from "duplicate", shouldn't we derive "tripe" from "triplicate"?

Whatever you do, don't AskSlashdot about that, linking to the original article.

I don't think I'm the prophet of the apocalypse, but you can never be sure.

So THAT'S Why I Don't Have Any Friends on Facebook (3, Funny)

Anonymous Coward | more than 4 years ago | (#32321452)

It was ... the hackers ... yes, that's it, it was the hackers that must have made everyone defriend me.

It's not a bug, it's a feature (0, Redundant)

floschi (1713560) | more than 4 years ago | (#32321454)

Imho the easiest way to get rid of facebook ;-)

Social networking sucks (5, Insightful)

asherlev (2499) | more than 4 years ago | (#32321474)

I deleted my Facebook account a week or so ago, and I was, at the time, hoping that diaspora would end up being something besides vaporware. After a week without it, though, I find myself pleased with my lack of knowledge about what people I didn't like in high school had for dinner.

Re:Social networking sucks (3, Insightful)

AmonTheMetalhead (1277044) | more than 4 years ago | (#32321556)

Why did you befriend them if you don't like them?

Re:Social networking sucks (4, Funny)

StuartHankins (1020819) | more than 4 years ago | (#32322472)

They were going to give him a wedgie if he didn't add them.

Re:Social networking sucks (0)

Anonymous Coward | more than 4 years ago | (#32322554)

That's one of the strange things about many Facebook users. They see "suggestions" and click to "friend" them. I've found that I've gotten several friend requests from rather distant family that I either don't really know (and don't really want to know) or don't like. I know that I popped up for them as a suggestion when they "friended" my wife and she popped up as a suggestion to them when they "friended" her mother. I've seen the same thing with some school acquaintances. I've learned to either click ignore on those requests or, if I think they may whine to my wife about it, click accept but put them into a group (list) that doesn't have any access to see anything. Some people even add as many friends as they can so they can use them as accomplices in those silly games (fortunately I block all those game requests).

Re:Social networking sucks (0)

Anonymous Coward | more than 4 years ago | (#32323718)

Keeping friends close, and enemies closer? Just saying........

Re:Social networking sucks (3, Insightful)

ClintJCL (264898) | more than 4 years ago | (#32321776)

Blaming facebook for your friend choices. Classy.

Re:Social networking sucks (4, Insightful)

sakdoctor (1087155) | more than 4 years ago | (#32322116)

You're missing the point because that isn't the reality of using facebook.

What actually happens is that when you first signed up, you naively used your real name. Then loads of people from your past, who you couldn't give two shits about, inexplicably add you.
As a new user you aren't going to press ignore, so you confirm everyone.

In the default mode, your front page is now full of the most verbose idiots literally broadcasting what they had for dinner.

Finally you delete your account, because facebook is a horrible ad ridden, malware invested fad, and it's dying. Or at least becoming a zombie.

Re:Social networking sucks (2, Interesting)

adamofgreyskull (640712) | more than 4 years ago | (#32323604)

You're missing the point because that isn't the reality of using facebook.

In the default mode, your front page is now full of the most verbose idiots literally broadcasting what they had for dinner.

No. I don't think he was missing the point. You can remove anyone and any application from your "feed". If you really think the people, who you added as friends, are "verbose idiots" and they are literally broadcasting what they had for dinner, then why not just remove them? Or you could just not add them in the first place? You have the choice to cease being friends with people or to not become friends with them, just as you do in real life. If you felt obligated to add them as a new user and are now scared to remove them, then it sucks to be you. If you befriended someone in real life and they kept ringing you up to tell you that they just bought some new fish and that they were about to eat McDonalds, then go and see a movie, would you sell up and move to a shack in the woods?

Finally you delete your account, because facebook is a horrible ad ridden, malware invested fad, and it's dying. Or at least becoming a zombie.

"Ad ridden"? Not noticed. There are no, or very few, obnoxious ads on there that I've seen. The ones that I have seen are text ads with no/very small pictures and all seem to be vaguely relevant and unobtrusive, and you even have the option to click on specific ads if you think they're inappropriate, or irrelevant etc. (I forget the exact options) to get rid of them. As for malware, again, not that I've noticed.

Your main gripe would seem to be that Facebook is a "social networking" site and that you have no interest in being social, nor in networking. The second gripe regarding "malware" is either imaginary, or a product of your befriending of mouth-breathers...who you don't like. As for the "ad ridden" part...that's either made up, or ad-block is removing all the ads for me. (inb4 YHBT)

Re:Social networking sucks (1, Interesting)

Anonymous Coward | more than 4 years ago | (#32324422)

The second gripe regarding "malware" is either imaginary, or a product of your befriending of mouth-breathers...who you don't like.

During the peak of the Facebook app craze, I came upon an application that I decided not to add because the EULA sounded even more dodgy than usual Facebook apps go. The license text was seemingly copied from somewhere else and slapped onto the web app regardless of the context. I felt smug when I read the news [net-security.org] that the application vendor was banned for distributing malware disguised as the full version of their bait Facebook app.

Re:Social networking sucks (1)

BrokenHalo (565198) | more than 4 years ago | (#32325774)

Your main gripe would seem to be that Facebook is a "social networking" site and that you have no interest in being social, nor in networking.

In my case, that is exactly and literally true. I have a limited number of friends in "meatspace" who are sufficient for me to maintain a status of human being, and that's the way I like it. I have no interest in being prodded or poked as a substitute for genuine interaction.

[Dons curmudgeonly hat] There was a time (not so long ago in my memory, but probably prior to the birth of most readers here) when communication between individuals across continents involved handwritten missives, sometimes stained with coffee, wine, whisky or tears. It is these idiosyncrasies that I miss, as there is no form of electronic communication that can possibly replace them.

Re:Social networking sucks (1)

ClintJCL (264898) | more than 4 years ago | (#32330532)

I don't think it was the communication you missed. A message is a message regardless of medium. Books are not the smell and feel of the pages; music is not the sound of a needle on a record. You miss your old-fashioned aesthetic.

Re:Social networking sucks (1)

BrokenHalo (565198) | more than 4 years ago | (#32345696)

A message is a message regardless of medium... You miss your old-fashioned aesthetic.

Nonsense. Evocation is as much a part of communication as the black and white text, regardless of the fact that it is essentially non-verbal. Otherwise nobody would bother to paint paintings or write poetry.

Of course, if you have never received a letter any more personal than a final demand from your bank manager, I wouldn't expect you to understand. But you have to agree that a poke from a facebook "friend" can never mean more than "I remember your name occasionally".

Re:Social networking sucks (1)

ClintJCL (264898) | more than 4 years ago | (#32347674)

First off, saying a message is a message regardless of the medium does not in any way, shape, or form, imply that no one would paint or write a poem. I'm not sure how you got from point a to point b there.

Second off, nobody on Facebook pokes! I've heard of it happening, but for the most part, it's a strawman for people like you to attack. I have 450 friends and have been on for about 4 yrs. A few cute girls have been poked by a few guys who weren't their friend. That's it. Nobody I've ever spoken to has been poked by a friend they actually know. So go ahead and pretend like what I said is "Nobody should paint, pokes rule." But that's not what I said, and if that's the best response you have, you're just fooling yourself.

I do wonder how people stay in touch with people who change their email address. Not everyone emails their whole addressbook to say they changed email. But the funny thing is - with a social networking site, you can contact that person even after losing their email. I'd rather not lose touch with friends over technical laziness. But hey, some people are so snobby that they would.

Re:Social networking sucks (1)

BrokenHalo (565198) | more than 4 years ago | (#32357582)

First off, saying a message is a message regardless of the medium does not in any way, shape, or form, imply that no one would paint or write a poem. I'm not sure how you got from point a to point b there.

A clue from my post: Evocation is as much a part of communication as the black and white text.

Also:
nobody on Facebook pokes! I've heard of it happening, but for the most part, it's a strawman for people like you to attack.

They do indeed poke. I know many who (sadly) do so all the time. (I don't, but then I don't use Facebook.) Just because you and your associates don't does not make my point a straw man argument, since I am not misrepresenting anyone's point of view.

I do wonder how people stay in touch with people who change their email address. Not everyone emails their whole addressbook to say they changed email.

Why not? It isn't exactly a big effort.

Re:Social networking sucks (1)

ClintJCL (264898) | more than 4 years ago | (#32360210)

Because they don't. The average person doesn't tell anyone when they change their email address. The average person is disorganized and does not follow due diligence.

Re:Social networking sucks (-1)

Anonymous Coward | more than 4 years ago | (#32327216)

Thank you facebook fanboy or shill.

No. I don't think he was missing the point. You can remove anyone and any application from your "feed". If you really think the people, who you added as friends, are "verbose idiots" and they are literally broadcasting what they had for dinner, then why not just remove them?

My perspective (and one I have discussed with others) leads to this common timeline:
1a) Person joins not quite sure what facebook is (this is much less common now)-but was the norm 4 years ago.
1b) Person hears about basic features (like being like a classmates.com + event store + photo sharing + pages/groups) and i) some of these are "obviously" useful to a wide range of people (like photos) ii) A vague thought about many of the features such as groups/fan pages/and finding old connections is very appealing and seems useful... Since the cost of entry is nearly 0 and requires no CC number... there is little reason not to try

2) The user either a) enjoys the app/ad services b) on some continuum finds them irritating and annoying (this is a substantial number), a minority of these worry about the privacy concerns

3) They find that the "social" connections value promised by facebook is really not as fulfilling as their initial imagination led them to believe. The photo sharing is nice (despite technical inferiorities...their friends use it) (and might be the one and only thing that would keep them from leaving). If they don't like viewing drunk photos, it is likely these people will just stop using facebook.

(And go fuck yourself about no ad-infestations on FB... so many pages and 3rd party apps use graphics that are designed to feign main site UI elements or display UI elements in a misleading way)

The point here is that I'm arguing that a lot of people join facebook because of peer-pressure, or because they genuinely thought it would be cool/useful (a gut feeling), and then later a substantial percentage of them decide that the *entire* idea and its execution in Facebook Site+App land is either plain crap.. or, but just as problematically for facebook, not really engaging and useful.. it's just *meh*.

People just have a tendency to *think* it would be awesome to reconnect with a bunch of people.. they don't all just friend to show off.
But then 2 things are realized:
1) A number of people you lost touch with...there was a reason... you didn't hate them, but they just were not your type
2) Facebook actually does a very shitty job of doing anything to connect people that want to be connected but are separated by distance (the photo sharing being about the only really decent thing).

So you cull all your non-friends... you are left with: 1) your close local friends/family who you see in person so often that facebook is a bit useless. You just shoot them a text or email. 2) family at a long distance that you see occasionally but really have no reason to be "constantly connected" online--and may in fact be uncomfortable with 3) close family/friends at a long distance
3) is probably the most compelling group to keep you on facebook from a utilitarian standpoint. In fact, I would hypothesize these days the size of (3) for an individual can be used to predict their activity and retention on facebook. But then facebook doesn't provide a replacement for IM chat (puhleeze), Skype/Voip/teleconf, so they barely have a "killer" framework for these people.

At that point, it is entirely reasonable to just drop facebook altogether rather than selectively delete some friends, since you're not that enamored with the whole environment anymore.

Really, the only reason I keep a facebook account(s) is as one of my personal timewasters. When I started college back in 2004, yes I used facebook for its original purpose back then (and it was substantially more "walled garden").. But now facebook has very little to offer me as a serious communication tool. I have family/friends on there, and some of them and me have a bunch of joke accounts and we just screw around... Nothing so glorious... trolling groups, creating nonsense pages, creating groups, waiting for people to join, and then trolling them (we try to raise the bar above the basic abortion/immigration/gun control stuff into more "out there" stuff). Sometimes creating original content for "fake" product and fan pages. Just stuff to ridicule advertising and marketing in general.

400 million users eh. Considering that I still have about 40 personas, and my friend about the same really leads me to question that figure. I'm not a spammer, and they are extremely successful, I'm assuming 40 acct/principal is pretty low in the spamming world.

Re:Social networking sucks (1)

ClintJCL (264898) | more than 4 years ago | (#32330576)

Meh. I don't want to individually email my parents about my details. I don't have that kind of time for them. I make one effort for all people, and whoever wants to hear about it can. And I know a lot of people. I can't keep up with them individually. I forget who I need to talk to. In fact, if it weren't for facebook, I would actually have to maintain a text file listing who I need to talk to. I mean, I already use gmail groups to track my friends [all friends, party friend, hangout friends, geek friends]. Not everyone falls out of touch because they suck -- sometimes it's actually a damn tragedy because we didn't have email and easy ways of getting in touch back in high school and college. I mean, it's not like I can't filter on keyword. I eliminate the football talk. Not interested.

Re:Social networking sucks (0)

Anonymous Coward | more than 4 years ago | (#32344864)

Meanwhile, I don't want to have to filter through all the irrelevant minutiae of the lives of everyone I know simply to keep up to date on the stuff that matters. People who use Facebook as a way to avoid having to contact specific people about specific things are being lazy and rude. If you want me to know something, you should tell me it directly (yes, you can use Facebook for that, but you can also use email, the phone, IM or all manner of other means). If you can't be bothered to do that, then clearly we are not really friends.

Re:Social networking sucks (1)

ClintJCL (264898) | more than 4 years ago | (#32344924)

Too self-centered to allow your friends to contact you automatically, huh? Singing telegrams only? Sounds like a great strategy.

Re:Social networking sucks (1)

AmberBlackCat (829689) | more than 4 years ago | (#32329126)

It's not even so scary to remove somebody from your friends list. It doesn't even tell them. The only way they'd find out is if they:

1. were actually paying attention to you

2. noticed there weren't any posts from you for a while and

3. cared enough to go to your page and noticed the "add as friend" button is back.

Given that there's probably 600 other people on their list, step 1 is a stretch. If they don't even like you and only added you because they remember your name, step 2 and 3 are a stretch.

Re:Social networking sucks (1)

ClintJCL (264898) | more than 4 years ago | (#32331042)

I use Facebook Friend Checker :)

Re:Social networking sucks (2, Insightful)

Bakkster (1529253) | more than 4 years ago | (#32323618)

PEBKAC

Re:Social networking sucks (1)

bill_mcgonigle (4333) | more than 4 years ago | (#32352962)

As a new user you aren't going to press ignore, so you confirm everyone.

Wait, who's the idiot again?

I only have a couple hundred friends on FB but they're all people I know and like.

Frankly, my friends with 800+ friends - I could never manage that many status updates.

Re:Social networking sucks (4, Insightful)

Fnkmaster (89084) | more than 4 years ago | (#32322016)

Just to give you a word of support - ignore the people saying it's your fault for who you accepted as a friend. The problem is that it's easy to say "yes, this person is my friend", even if they are somebody marginal who you never particularly cared for (it's easy to click "Ignore" for evil ex-girlfriends and the real assholes from high school). But it's very hard to rethink that and unfriend them in such a public forum later on, and have to deal with awkward questions about why you unfriended so-and-so. However, that is what Facebook made the "hide this person's updates" feature for - when somebody isn't egregiously awful enough to unfriend, but you just don't want to see their bullshit updates anymore.

In any case, I didn't actually delete my Facebook account, but I have cleared out any information but the absolute basics. And I began an experiment by avoiding logging into Facebook for a week. I found that I rapidly reverted to visiting other websites and finding other things online to fill my down time at work.

I believe the reason Facebook is so addictive is the feed mechanism. It fills our psychological need for gossip and trivial sorts of information about friends. However, like many addictive things, I think too much of a "good" thing (and by good thing, I mean it's fun, enjoyable, makes us feel connected) is no longer a good thing. While I want to know when old friends go back to grad school, get engaged, married, or have their first kids, I don't really want to hear somebody's snarky comments about their workplace, read about their lost cell phone, hear about how they just bought an iPad and it's changed their lives, or read about their drunken escapades.

So the point - I agree with you, and I think we are both going to be happier, with cleaner, fresher, less cluttered minds for turning our backs on this inane distracting chatter. Saying "I'm Facebook friends with them" has become synonymous with "they are somebody I know but don't really give enough of a shit about to keep up with in real life".

Re:Social networking sucks (1)

BrokenHalo (565198) | more than 4 years ago | (#32325924)

Saying "I'm Facebook friends with them" has become synonymous with "they are somebody I know but don't really give enough of a shit about to keep up with in real life".

Well said. Couldn't have put it better myself. Wouldn't go down well with Facebook addicts though, but there's nothing we can do about that.

Re:Social networking sucks (1)

228e2 (934443) | more than 4 years ago | (#32323022)

You deleted your facebook account a week ago in hopes that a startup social network that isn't slated to go live until Sept 2010 would alleviate your facebook problems?

Re:Social networking sucks (1)

Bakkster (1529253) | more than 4 years ago | (#32323712)

A poor craftsman blames his tools.

What I had for Dinner (0)

Anonymous Coward | more than 4 years ago | (#32333604)

Ah, Ha! Found you!

Lasagne!!!!

Patched already (4, Informative)

wannabgeek (323414) | more than 4 years ago | (#32321500)

The CSRF bug page in the summary says that facebook confirmed that it's patched already. And the actual hacker's page [prominentsecurity.com] says that he found if he does a little more (delete a few more parameters as well as the "post_form_id"), the CSRF resurfaces.

Anyway, he posted an update saying fb patched this one now (22 May)..

a self-copying worm code (3, Interesting)

bl8n8r (649187) | more than 4 years ago | (#32321508)

The article seems to be directed at facebook, but it sounds to me like there needs to be a browser or OS exploit first in order to work: "combine an exploit for this bug with spam or even a self-copying worm code". I'm not a facebook user (get off my lawn), but a lot of XSS flaws are browser specific and if there is a general browser exploit going on, this could affect more websites than facebook. TFA just sounds a little misdirected to me.

Re: Targeting Lead Example Site (1)

TaoPhoenix (980487) | more than 4 years ago | (#32321676)

As long as an Article is properly written, I don't mind if one lead case example of a flaw is used to get people's notice. "Flaw allows people to delete Facebook friends" will wake up more people than "missing parameter bug found in certain browsers".

I'm right on that borderline of a modestly aware of these issues, so when one surfaces that's "important to the masses" I like having a tagline in my mind to explain it with. I admit I ignore a lot of Linux kernel reports etc. My attitude to Linux is "it sorta is what it sorta is". The standards of my knowledge are far lower than Windows where I have to support other folks.

Re:a self-copying worm code (1)

wannabgeek (323414) | more than 4 years ago | (#32321896)

RTFA - It is not XSS. It is XSRF. And it is not browser specific since cross-posting to a different URL is inherent property of forms and hyperlinks. Websites have to do something proactive to prevent XSRF like setting a hidden field in the request that serves the form and validating the field when it receives the post data. Facebook had the required code, but was allowing the post to succeed when the field was completely omitted.
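Added example, not part of the original comment and not Facebook's code: the hidden-field check described above, written once in the fail-open form the comment describes (validation skipped when the field is omitted) and once fail-closed. The field name `post_form_id` comes from the thread; the HMAC-over-session-id token scheme, the handler and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret; a real deployment loads it from protected config.
SERVER_KEY = secrets.token_bytes(32)

# Field name as mentioned in the thread; everything else is illustrative.
TOKEN_FIELD = "post_form_id"


def issue_token(session_id: str) -> str:
    """Token the server embeds as a hidden field in forms served to this session.

    A page on another origin cannot read it, so it cannot echo it back.
    """
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _matches(token: str, session_id: str) -> bool:
    # Constant-time comparison on bytes so arbitrary input strings are safe to pass.
    expected = issue_token(session_id).encode()
    return hmac.compare_digest(token.encode("utf-8", "replace"), expected)


def check_fail_open(session_id: str, form: dict) -> bool:
    """Flawed pattern: the token is validated only when the field is present."""
    token = form.get(TOKEN_FIELD)
    if token is None:
        return True  # BUG: an omitted field skips validation entirely
    return isinstance(token, str) and _matches(token, session_id)


def check_fail_closed(session_id: str, form: dict) -> bool:
    """Hardened pattern: a missing, empty or non-string token is a rejection."""
    token = form.get(TOKEN_FIELD)
    if not isinstance(token, str) or not token:
        return False
    return _matches(token, session_id)


def remove_friend(account: dict, session_id: str, form: dict, check) -> bool:
    """State-changing handler: applies the change only if the CSRF check passes."""
    if not check(session_id, form):
        return False
    account["friends"].discard(form.get("friend_id"))
    return True


def run_demo() -> dict:
    """Run three constructed requests through both checks.

    Returns {(check_name, request_label): True if the friend was removed}.
    """
    session_id = "sess-constructed-1234"  # constructed sample value
    requests = {
        # Form submitted from the site's own page, carrying the issued token.
        "legitimate": {"friend_id": "alice", TOKEN_FIELD: issue_token(session_id)},
        # Cross-site request that guesses a token value.
        "wrong_token": {"friend_id": "alice", TOKEN_FIELD: "0" * 64},
        # Cross-site request that leaves the field out altogether.
        "omitted": {"friend_id": "alice"},
    }
    checks = {"fail_open": check_fail_open, "fail_closed": check_fail_closed}
    results = {}
    for check_name, check in checks.items():
        for label, form in requests.items():
            account = {"friends": {"alice", "bob"}}  # fresh constructed state
            remove_friend(account, session_id, form, check)
            results[(check_name, label)] = "alice" not in account["friends"]
    return results


if __name__ == "__main__":
    for (check_name, label), removed in run_demo().items():
        print(f"{check_name:11s} {label:12s} friend removed: {removed}")
```

Both checks behave identically for the legitimate and wrong-token requests; they differ only on the request with the field omitted, which is why a test suite that never sends a token-less request does not catch the flaw.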

Re:a self-copying worm code (0)

Anonymous Coward | more than 4 years ago | (#32322036)

"but most of all, Samy is my hero."

Re:a self-copying worm code (2, Insightful)

tokul (682258) | more than 4 years ago | (#32322736)

lot of XSS flaws are browser specific and if there is a general browser exploit going on, this could affect more websites than facebook

It is not XSS, but CSRF. Cross-site request forgery. Such exploits are designed to exploit the way a site processes user inputs. If a site uses custom forms or request fields, the exploit will work only on this site, and in most cases it is not specific to some browser.

And since Facebook only notifies you of "good" new (2, Insightful)

ickleberry (864871) | more than 4 years ago | (#32321564)

It's hard to tell if your friends have been affected by this 'bug'. If someone unfriends you then you might never know, yet when you add a new one it's all over everyone else's page

Re:And since Facebook only notifies you of "good" (1)

ClintJCL (264898) | more than 4 years ago | (#32321894)

That's so people can delete people without being overcome by guilt. MySpace was exactly the same. Pretty much every site is. But there's a Greasemonkey script you can use, Facebook Friend Checker, if you want to know about such things.

Re:And since Facebook only notifies you of "good" (1)

nedlohs (1335013) | more than 4 years ago | (#32322024)

You only feel guilt when someone knows you did something wrong*, not just when you do something wrong*?

I hope "don't want to make other people feel bad" would be a better description.

* Not that unfriending someone on a website is "wrong" in the first place, but that's already being implied by using the word "guilt".

Re:And since Facebook only notifies you of "good" (0)

Anonymous Coward | more than 4 years ago | (#32322698)

One more reason to use the AntiSocial Facebook app:

http://apps.facebook.com/antisocialnetworking/index.php

Re:And since Facebook only notifies you of "good" (1)

BrokenHalo (565198) | more than 4 years ago | (#32326000)

One more reason to use the AntiSocial Facebook app: http://apps.facebook.com/antisocialnetworking/index.php [facebook.com]

For those of us who don't have Facebook accounts, please explain.

At last an easy way to... (2, Insightful)

jimwormold (1451913) | more than 4 years ago | (#32321650)

... delete an account from facebook!

Hey, wait a minute... (3, Funny)

wilder_card (774631) | more than 4 years ago | (#32321812)

Hackers have friends???

They are friends not hackers (0)

Anonymous Coward | more than 4 years ago | (#32321816)

Friends let friends delete friends from Facebook.

Bug condition: (2, Interesting)

Anci3nt of Days (1615945) | more than 4 years ago | (#32321880)

After the bug deletes all your friends... Tom is added.

He was feeling all left out when everyone left myspace.

New Friends with Benefits definition.... (1)

realsilly (186931) | more than 4 years ago | (#32321908)

Now that is what I call a Friend with Benefit.

Hurr durrr (1)

Yamata no Orochi (1626135) | more than 4 years ago | (#32321924)

The victim first has to click on a malicious link while logged into Facebook.

I won't be sinking investment capital into the new countermeasures just yet. This is the same survival-of-the-least-retarded that was in effect when all the computer resource whores stopped running antivirus apps in the first place.

haha (1)

ClintJCL (264898) | more than 4 years ago | (#32322136)

Uh... I didn't use my real name. And I ignore people I want to ignore. And I can filter statuses on keywords.

You need to grow a pair and learn to properly use systems. Facebook is bigger than ever, and it certainly isn't dying. And if you're seeing ads, I question why you don't take the 1 minute to install AdBlock, but take 1 minute to complain about ads on facebook. You're just a whiny baby as AFAIK.

Re:haha (0)

Anonymous Coward | more than 4 years ago | (#32323046)

AdBlock? You assume everyone is using Firefox. A lot of people don't because Firefox sucks.

Re:haha (1)

ClintJCL (264898) | more than 4 years ago | (#32323126)

Firefox does suck, but there's an AdBlock equivalent for Chrome. I don't exactly have a lot of sympathy for the IE crowd... But you can simply edit your etc/hosts file to nullify the majority of ads anyway. I just think someone saying "this site is full of ads haha it's not l33t" is pretty lame. Ads are a separate problem. Any large platform is going to use them. It's not really a Facebook issue. Hell, I got a lot more spam with MySpace than Facebook - because adblock doesn't block fake webcam slut private messages.

Re:haha (0)

Anonymous Coward | more than 4 years ago | (#32323460)

What about Safari and Opera?

P.S.: fuck the IE crowd.

Re:haha (1)

ClintJCL (264898) | more than 4 years ago | (#32323504)

I know too little about Safari and Opera to comment :)

Re:haha (1)

zach_the_lizard (1317619) | more than 4 years ago | (#32323744)

The hosts file covers them too, as well as anything else that uses the net.

Re:haha (1)

ClintJCL (264898) | more than 4 years ago | (#32323770)

Of course... That's what I *should* have said! :)

Re:haha (0)

Anonymous Coward | more than 4 years ago | (#32324084)

Is there a hosts file in Mac OS X?

Re:haha (0)

Anonymous Coward | more than 4 years ago | (#32324806)

Of course there is - it's UNIX. Duh.

Re:haha (0)

Anonymous Coward | more than 4 years ago | (#32325318)

Opera has a built-in adblock. A Google search will give you a file to install to get the same filter as AdBlock's easy lite USA filter uses. Only problem is it doesn't remove spans or frames so it doesn't look as clean as AdBlock does....

Can we name the bug? (2, Funny)

Yvan256 (722131) | more than 4 years ago | (#32322154)

May we suggest the name "KipDrordy" for the bug?

Weird FB Redirect (1)

seven of five (578993) | more than 4 years ago | (#32322250)

Somewhat OT, but yesterday I took a look at FB and was redirected to this myspace page. Not myspace.com, but someone's actual page. This was around noon yesterday and lasted a couple hours. Oddly, this page is not in my firefox history, but instead shows up as myspace.com. I live in Chicago & have ATT DSL. Any clues???

Re:Weird FB Redirect (1)

Ash-Fox (726320) | more than 4 years ago | (#32323360)

I live in Chicago & have ATT DSL. Any clues???

Your first clue is: An orange ball.

Oh man hackers! (0)

deathtopaulw (1032050) | more than 4 years ago | (#32322340)

We have also received reports that this exploit can be used to: delete all the user's files! and mess up their desktop really bad!

HACKERS DO NOT WORK THAT WAY.

Muuaahhhh hahhhh hahhhh! (0)

Anonymous Coward | more than 4 years ago | (#32322384)

All your face are belong to us!

No Mother-in-law (3, Insightful)

ubrgeek (679399) | more than 4 years ago | (#32322618)

I didn't delete you as a friend. And now the system won't let me add you back. Damn those evil, evil hackers!

still waiting (1)

jDeepbeep (913892) | more than 4 years ago | (#32323048)

Wake me up when a FB exploit is discovered that actually removes all the data I ever put into their site, and genuinely deletes my account.

Facebug? (1)

gweihir (88907) | more than 4 years ago | (#32323654)

Do I care? Not really....

Re:Facebug? (0)

Anonymous Coward | more than 4 years ago | (#32332558)

You're too cool to care about Facebook? You must be pretty cool.

What friends? (0)

Anonymous Coward | more than 4 years ago | (#32323684)

At least now I have an excuse available after I purge my Friends list...

AHA!! (1)

DRMShill (1157993) | more than 4 years ago | (#32324102)

So that's why my ex girlfriend deleted me off her page. Umm... yeah that has to be it.

Let me be the first to say that... (1)

broknstrngz (1616893) | more than 4 years ago | (#32324466)

... You have 0 Friends.