[ UPDATE: Facebook has reversed itself and fixed this vulnerability ]
ZDNet.com reports:
The Register’s Dan Goodin has the scoop on an obvious security vulnerability that’s being ignored by the powers at Facebook.
The issue, as demonstrated by this proof-of-concept, shows how a social network application can be rigged to hijack a Facebook user’s session identification cookies, deliver pop-up messages or change the color of Facebook pages.
“With a little extra work, an attacker could probably do much more, including send and read messages from a user’s account, change privacy settings and add or delete Facebook friends,” according to the report.
When I tested the code while logged in to Facebook, it worked as advertised and proves conclusively that Facebook fails to sanitize the content of third-party applications. This exposes Facebook’s massive user base to a variety of hacker attacks.
Want to know what other web worms are squirming through Facebook, MySpace and more?