Facebook is susceptible to certain types of attacks that could allow someone to hijack an account while a user is interacting with another Web site, a security researcher warned on Monday.
Reseacher Nitesh Dhanjani also said a design flaw in Facebook is granting third-party apps permission to access user profile data without express approval from users.
Facebook used to display a pop-up window warning users when they added any third-party app that doing so would authorize the app to get access to user profile information. This allowed users to change their mind before adding the app. The company has changed its policy and now some apps can choose to use a new implicit authorization feature that does not warn Facebook users that a third-party app is trying to request their data, Dhanjani said.
"This allows Facebook to gain increased adoption of third-party apps, which can translate to revenue," he said, adding that any warning would deter some users from adding new apps.
"The only information apps can access without first showing the 'Allow' screen is publicly available information (the limited set of info that includes name, profile picture, gender, networks, friend list, and pages) and information set to be visible to everyone on the Internet," Facebook spokesman Simon Axten said.
In separate but related research, Dhanjani and Israeli security researcher Shlomi Narkolayev said attackers could use clickjacking attacks to hijack Facebook accounts by tricking users into clicking on sites hiding malicious code. A Web site that looks like an e-commerce site or that shows videos could hide a Facebook log-in page behind it so that when a user clicks on the site to play a video, for instance, the user's account is opened instead behind the scenes, without the user realizing it.
"Using ClickJacking I also could fool users to click whatever I want: adding me as their friend, delete their account, and even open their camera and microphone using flash (Older versions then 10.x), or install Facebook applications that post their Web camera and microphone every time they connected to Facebook," Narkolayev wrote on his blog. He demonstrates an example of an attack in a video on his site and acknowledges that other sites are vulnerable to this type of attack, as well.
Twitter was hit by a series of clickjacking attacks last year.
Axten said the attack examples were standard clickjacking and not unique to Facebook.
"We're building some additional protections for these types of attacks and reminding people to be cautious of any message, post, or link they find on Facebook or elsewhere on the Internet that looks suspicious," Axten said in an e-mail.
Facebook has advanced systems to detect and block the posting and sending of malicious links on Facebook, Axten said. "If we learn of a site that's using clickjacking against our users, we add it to our blacklist so it can't be spread through the network," he said. "We also work with third parties to get malicious sites added to browser blacklists or taken down completely."
This isn't the first research done into clickjacking threats on Facebook. A self-proclaimed white hat hacker who goes by the name "theharmonyguy" wrote about it on his blog last October.
Updated at 10:33 p.m. PST with additional information from Facebook.