Jeff and .NET

The .NET musings of Jeff Putz

Sponsors

News

My Sites

Archives

Facebook flaw ignored: Chat system not secure

Well, despite getting some leads on who to contact after my previous post, Facebook has otherwise ignored me. I even sent a message Mark Z. just for fun, and he (or someone who monitors his account) wrote back and indicated he would pass along the info to the right people.

But they never did write back, so I'm just going to spill it here. To reproduce the flaw in the chat system, do this:

  • Use Adium on a Mac and have it connect to your Facebook account.
  • On the same network, login to Facebook via a Web browser from a different account. In this situation, I'd be on Adium while my fiance would be on her Vista computer surfing Facebook in Firefox.
  • Check the buddy list in Adium, you'll see your own as well as my fiance's friends in the list. Messages they send to her come to me as well. And I can reply impersonating her.
Now imagine doing this on a larger network at a library or airport or something. I'd say this is pretty broken.

Comments

stefan.sedich said:

WOW Amazing any ideas what is causing this to happen?

# January 18, 2009 9:40 PM

Jeff said:

Beats me. I suppose I could look more into it, but I'm not on Facebook's payroll. If I had to guess, it would seem like they somehow use the external IP (on the router) as some kind of authentication piece. I just can't imagine they'd do anything that stupid. I don't know anything about what Adium is doing either.

# January 18, 2009 10:02 PM

stefan.sedich said:

Yeah wierd I was going to try it but do not have a mac. Very very wierd have you replicated on different machines or anything?

(I know you are'nt on the payroll hehe), curiosity would get the best of me though :P.

Interesting though.

# January 18, 2009 11:37 PM

Jeff said:

Adium will show the not-my-friends in my buddy list on either of my Macs on the network.

# January 18, 2009 11:39 PM

Matt said:

Good job spilling the beans - sometimes these companies are too difficult to contact and that benefits them.

# January 20, 2009 12:29 PM
Leave a Comment

(required) 

(required) 

(optional)

(required)