OK, Facebook Groups has a huge security flaw by which any group member can pretend to be anyone else in that group, and post in the group on behalf of that user. It is FATAL. I’ve reported it to Facebook and I hope they will take immediate action on it.
I had disclosed it in detail hoping that they would notice it and fix it quickly, and am taking it down again. So if any Facebook official wants to know the details, drop me a mail at hasin_at_leevio_dot_com or better check today’s submitted bug reports with the text “MASSIVE SECURITY FLAW” inside.
Peace.
*update: submitted this again to facebook.com via their whitehat program and someone named Alex contacted me. He asked me a few questions on how to reproduce the flaw and he said that they are looking into it.
Hope they see it, because as far as I understand, this vulnerability is a gold mine for hackers and spammers! Love the 2nd solution.
The PoC is missing. You should have sent them a PoC.
Sorry, what is PoC? Proof-of-Concept? Sorry, this is a live bug! I’ve sent them a detailed report of what it is, how to reproduce it and how it can be fatal.
Hard to believe this kind of huge security flaw. But I like this line: “who knows, I may take your secret crush out to dinner tonight pretending to be you” 😀 😀 😀
Kids use Facebook too. Do you have any?
it is “pwned”, as in owned, not pawned: http://www.urbandictionary.com/define.php?term=pwned
thank you mister urban dictionary.
Great finding! FB has yet to do a lot, regardless of trying to compete with Google in search.
This type of bug is badly used in so many ways. Social engineering is an art of hacking. If this vulnerability really works, FB users are at risk right now. But, please, do not publish a real exploit. Just wait for FB's reply.
Anyway, congratulations. 😀
Make it public then it will get noticed
Oh ya right, and then people like tinkertim come and start calling me by name and you guys enjoy that sitting in the gallery, eh?
That stupid guy was right – who the fuck am I to care for the bug – and why should I.
facebook has a bug bounty program, why didn’t you use that? could have gotten paid
https://www.facebook.com/whitehat/
Never even heard of that! I am just a mere photographer.
thanks and reported. not for a chance to get paid but to get it fixed asap 🙂
Good finding! I wonder how the big Facebook team overlooked it. And great work, you guys :).
Won't you laugh again before it gets fixed? 😛
Oops!! Guys at Facebook missed that one.
Btw, she doesn’t have facebook 😀