A security error reported to Facebook at the beginning of the year and allows an attacker to post comments on someone else's Timeline without permission, is still ten months after.
Last year, researcher Vivek Bansal disclosed the vulnerability to team of Facebook security, showing how access tokens for mobile apps can be used to post on a third party's Timeline without necessary permission. (Note that an app cannot "post" text or links to a user's Timeline without "required permission from the account holder")
Vulnerability still exists ten months after (Video)
To indicate this error in Facebook, Bansal, received $ 2.000 fee and was inducted into the Hall of Fame by researchers who identified serious problems with the security mechanisms of the social networking platform. However, it seems that the vulnerability has either been through code modifications, or someone has forgotten to fix it - with the first version being the predominant one.
Recently, Bansal followed the same script he used for the original bug demonstration and noticed that everything worked as if nothing had happened change. Ένα βίντεο που αναρτήθηκε στο YouTube (see below) last Tuesday showed that the vulnerability was still active. When Bansal was asked if he tested the script on a more recent date to determine if the vulnerability still existed, he responded by saying that the most recent test he did was on Monday, and the flaw was still present.
It's hard to believe that Facebook paid the researcher, and his technicians forgot to fix the vulnerability - though it's not impossible for that to happen. The most likely scenario, however, is that they forgot to re-examine the patch at a later time. This theory is reinforced by the fact that Bansal received an email from Facebook earlier this year informing him that the vulnerability had been fixed and that he was free to publish his findings. Check out the latest demo of the bug:
