Here’s a rather amusing “oops” that came to light in the form of a security hole. The company Face.com, who is in the middle of being acquired by Facebook, found itself in a precarious position via a programming error that allowed for account hijacks to be possible on Twitter and Facebooks sites via the KLIK mobile application. And to think we were just discussing issues like this on the Liquidmatrix podcast this last week.
From Infosecurity Magazine:
“Face.com essentially allowed anyone to hijack a KLIK user’s Facebook and Twitter accounts to get access to photos and social graph (which enables ‘face prints’), even if that information isn’t public”, Soltani wrote in a blog.
The vulnerability enabled an attacker to hijack the user’s Facebook and Twitter accounts and post updates and Tweets as that user, he warned.
“Face.com was storing Facebook/Twitter OAUTH tokens on their servers insecurely, allowing them to be queried for *any user* without restriction.
Any user? Um, wow. That’s a bit of a mess up.
The problem in question has since been rectified.
Source: Article Link
(Image used under CC from Amadeus Varadi Hellequin)