A security bug reported on Facebook at the beginning of the year and allows an attacker to post comments on someone else's Timeline without permission, is still ten months after.
Last year, researcher Vivek Bansal disclosed the vulnerability to Facebook's security team, showing how access tokens for mobile apps, can be used to post on a third party's Timeline without necessary permission. (Note that an app cannot "post" text or links to a user's Timeline without "required permission from the account holder")
Vulnerability still exists ten months after (Video)
To indicate this error in Facebook, Bansal, received $ 2.000 fee and was inducted into the Hall of Fame of researchers, who identified seriously problems in the security mechanisms of the social networking platform. However, it seems that the vulnerability either came back in code changes, or someone forgot to patch it – with the first version being the dominant one.
Recently, Bansal followed the same script he used for the original bug demonstration and noticed that everything worked as if no changes had been made. One video που αναρτήθηκε στο YouTube (δείτε παρακάτω) την περασμένη Τρίτη έδειξε ότι η ευπάθεια ήταν ακόμη ενεργή. Όταν Bansal ερωτήθηκε αν δοκίμασε το σενάριο σε μια πιο πρόσφατη ημερομηνία, προκειμένου να εξακριβώσει εάν εξακολουθεί να να υπάρχει η ευπάθεια, εκείνος απάντησε λέγοντας ότι η πιο πρόσφατη essay that he did was on monday, and the damage was still present.
It's hard to believe that Facebook paid the researcher, and his technicians forgot to fix the vulnerability - though it's not impossible for that to happen. The most likely scenario, however, is that they forgot to re-examine the patch at a later time. This theory is reinforced by the fact that Bansal received an email from Facebook earlier this year informing him that the vulnerability had been fixed and that he was free to publish his findings. Check out the latest demo of the bug: