A security flaw reported to Facebook, which allows an attacker to publish posts on someone else's Timeline without permission, is still present ten months later.
Last year, researcher Vivek Bansal reported the vulnerability to Facebook's security team, showing that the access tokens issued to mobile apps could be used to post to a third party's Timeline without the necessary permission. (Note that an application may not "post" text or links to a user's Timeline without the "required permission from the account holder".)
The vulnerability still exists ten months later (Video)
For reporting this flaw to Facebook, Bansal received a $2,000 bounty and was inducted into Facebook's Hall of Fame for researchers who have identified serious problems with the security mechanisms of the social networking platform. However, it seems that the vulnerability has either been reintroduced through code modifications, or someone forgot to fix it, with the first scenario being the more likely one.
Recently, Bansal followed the same script he had used for the original bug demonstration and noticed that everything worked as if no changes had been made. A video posted on YouTube (see below) last Tuesday showed that the vulnerability was still active. When Bansal was asked whether he had tested the script on a more recent date to determine if the vulnerability still existed, he responded that his most recent test was on Monday, and the flaw was still present.
It is hard to believe that Facebook paid the researcher and its engineers then forgot to fix the vulnerability, though it is not impossible. The more likely scenario is that the fix was deployed and nobody re-tested it later, so a regression went unnoticed. This theory is reinforced by the fact that Bansal received an email from Facebook at the beginning of the year informing him that the vulnerability had been fixed and that he was free to publish his findings. See the recent demonstration of the bug: