A security flaw reported to Facebook at the beginning of the year, which allows an attacker to publish comments on someone else's Timeline without permission, is still present ten months later.
Last year, researcher Vivek Bansal disclosed the vulnerability to Facebook's security team, demonstrating how access tokens for mobile apps can be used to publish on third parties' Timelines without the required permission. (Note that an application is not supposed to be able to "publish" text or links on a user's Timeline without the "required permission from the account holder".)
Vulnerability still exists ten months later (Video)
For reporting this flaw to Facebook, Bansal received a $2,000 reward and was inducted into the Hall of Fame of researchers who have identified serious problems in the security mechanisms of the social networking platform. However, it seems that the vulnerability has either reappeared through later code modifications, or someone forgot to fix it, with the first explanation being the more likely one.
Recently, Bansal ran the same script he had used for the initial demo of the bug and noticed that everything worked as if nothing had changed. A video posted on YouTube (see below) last Tuesday shows that the vulnerability was still active. When Bansal was asked whether he had tested the script more recently to determine if the vulnerability still exists, he replied that his most recent test was on Monday, and the flaw was still present.
It's hard to believe that Facebook paid the researcher and its engineers then forgot to fix the vulnerability, though that is not impossible. The more likely scenario is that they failed to re-verify the patch at a later time. This theory is reinforced by the fact that Bansal received an email from Facebook earlier this year informing him that the vulnerability had been fixed and that he was free to publish his findings. Check out the latest demo of the bug: