Déjà Vu: White Hat Developer Saves Facebook Again

Fortunately for Facebook, developer and Web security expert Nir Goldshlager wears a white hat, and not a black one: For the second time in less than one month, Goldshlager alerted the social network about a potentially dangerous loophole that could have led to users’ account information being compromised.

We reported last month that Goldshlager detailed in a blog post how he experimented with adding different coding and characters to Facebook URLs and was able to create an application that disguised itself as another app that does not require users to accept it, Facebook Messenger, and gain access to users’ Facebook data.

A Facebook spokesperson told Business Insider after the February incident:

We applaud the security researcher who brought this issue to our attention and for responsibly reporting the bug to our white hat program. We worked with the team to make sure we understood the full scope of the vulnerability, which allowed us to fix it without any evidence that this bug was exploited in the wild. Due to the responsible reporting of this issue to Facebook, we have no evidence that users were impacted by this bug. We have provided a bounty to the researcher to thank him for his contribution to Facebook Security.

Goldshlager found a similar vulnerability, also tied to Facebook Messenger, and reported it to Facebook Security, again receiving a reward for his efforts. For those interested in the highly technical details, please see his blog post.

Facebook Security Policy Manager Frederic Wolens told MarketWatch:

It was a very similar bug (with a similar fact pattern) and, as you can see from the post, we were able to fix it almost immediately. We have provided bounties to over 200 researchers, and Mr. Goldshlager has reported multiple vulnerabilities to us in the past.

And Facebook said in a statement, as reported by MarketWatch:

We have no evidence that users were impacted by this bug. We have provided a bounty to the researcher to thank them for their contribution to Facebook Security.

Readers: Do these exposed vulnerabilities make you nervous about the security of your account information?

Image courtesy of Shutterstock.

Related Stories
Mediabistro Course

Blogging: Analytics, SEO, and Content

Blogging: Analytics, SEO, and ContentWork with the former marketing director at Conde Nast Digital to improve your search rankings, integrate social, and increase traffic to your blog! Starting November 5, Jim Hopkinson will teach you how to analyze KPIs, monetize your blog through ads, sponsorships, and affiliates, and leverage your blog toward a larger platform such as publishing, speaking, or consulting. Register now!