Facebook Bug Allowed Attackers to Take Over Accounts on Other Sites

HardOCP News

This "bug" seems like a pretty damn big oversight on Facebook's part. I can't believe it is as simple as creating a Facebook profile with the victim's email address, adding a malicious email as the secondary, and then confirming the account using the bad email address.

Bitdefender has identified a flaw in Facebook's account registration process which indirectly led to situations where attackers could take over user profiles on sites where Facebook Social Login feature was enabled. The vulnerability could be used if an attacker discovered that a victim had an email address which he used on a regular basis, but had not registered on Facebook to create an account.
 
It does seem they borked that one badly.

I rarely go on facebook these days, I hate the social login info grab.

Enabled one last night upgrading something I did not intend to, that I need to get rid of.
 
I have one of the older gmail email addresses comprised of first initial, middle initial, and last name @gmail.com. I occasionally get people thinking they have my email address who then sign me up for their onstar, photobooth pictures, facebook, reunion parties, etc. I've had to use their sites to reset the password and then figure out how to cancel the account.

Oh, I also got a job posting from Monster.com for a Secret Service gunsmith position. I didn't even know there were such things...
 
Who would be so stupid to register to anything using the social media account? Oh wait...
 
Seemed to happen to me quite a while ago. Didn't use my old 1996 yahoo address for facebook and someone made an account using it even though they didn't have my yahoo password. So I just took it back and removed the other address and left it as a fake/blank profile.
 
Only used it on sites I literally could not care about..... which was like 2 or something.
 
I think I use gmail's login for a single site (and youtube) and that gmail account is strictly for spam...if someone wants to get into that one site, go for it. It's not vital and to the outside world, it's not obviously me (though I'm sure one could put 1+1 together). Otherwise, I always create local logins. I use keepass to manage all of my passwords.
 
I always crack up when I see people posting political comments to news etc. using their real facebook account (using their own name and picture). I mean how dumb can people be?
 
Well, some people don't mind using their names. I mean, this newer generation seems to hate privacy.
 