Facebook has fixed a security problem that allowed malicious web sites to access personal user information without explicit permission.
The flaw was brought to the attention of security firm Sophos by student researchers Rui Wang and Zhou Li.
Graham Cluley, senior technology consultant at Sophos, said that the security lapse could let malware spread between users, taking personal data as it goes by impersonating a legitimate site that already has the permission to take information.
"According to Wang and Li, it was possible for any web site to impersonate other sites which had been authorised to access user data, such as name, gender and date of birth," he said.
"Furthermore, the researchers found a way to publish content on the visiting users' Facebook walls under the guise of legitimate web sites, a potential way to spread malware and phishing attacks."
Cluley experimented with the flaw himself, but was initially unable to mirror what he had seen in a video provided by Wang and Li.
He suggested that this was owing to the strict privacy settings he had applied to his Facebook account, which may suggest that the social networking site's existing settings offer some protection against the flaw.
Eventually Cluley was able to mimic the correct account conditions and watch the page become infected.
"It was then successful, and able to extract my name and email address, and post an 'evil' link seemingly via the app," he said.
Fortunately, the students informed only Facebook and Cluley and not the wider world, which could have led to the exploit being used by malicious groups.
Cluley, who is an outspoken critic of Facebook's security practices, acknowledged that the social site's security team "responded promptly, and should be applauded for fixing the vulnerability rapidly once they were informed about it".
However, he added that the complexity of Facebook makes it likely that similar threats will be uncovered, and urged users always to consider how best to protect their personal information.
"Clearly Facebook's web site is a complex piece of software, and it is almost inevitable that vulnerabilities and bugs will be found from time to time," he explained.
"The risk is compounded by the fact that there is so much sensitive personal info about users being held by the site, potentially putting many people at risk."