It’s a good thing that web developer and online security expert Nir Goldschlager is on the side of the good guys. For the second time in a month, Goldschlager has found a dangerous loophole in Facebook’s messaging system that could’ve allowed any savvy hacker access to a user’s information.
Goldschlager said, “Even if the victim has never allowed any application in his Facebook account, I could still get full permission on his account via Facebook Messenger app_id.”
Last month, Goldschlager found a dangerous glitch in the system that allowed him to tinker with Facebook URLs and access any user’s information through Facebook’s app system, OAuth, without the user even having to approve an app request. It was reported that Goldschlager has again found a very similar loophole on the site and reported it.
“It was a very similar bug (with a similar fact pattern) and, as you can see from the post, we were able to fix it almost immediately. We have provided bounties to over 200 researchers, and Mr. Goldschlager has reported multiple vulnerabilities to us in the past,” said Facebook Security Policy Manager Frederic Wolens, speaking to MarketWatch. Wolens further stated that Facebook believes no users were impacted by the bug.
Facebook operates on a very democratic basis, in that it listens to (and even pays) its users who are smart enough to figure out errors in its system. This should serve as a warning to everyone. Never put anything on Facebook in the first place that you wouldn’t mind the whole world seeing!