Security Protection – Harry Waldron MVP Rotating Header Image

Facebook – Post-by-email vulnerability may let unauthorized users post

The Next Web warns on a new vulnerability that may allow unwanted posts by email:

http://thenextweb.com/facebook/2012/09/26/security-flaw-lets-hacker-post-facebook-group/

QUOTE: Three Facebook users, Hasin Hayder, Rifat Nabi, and Abu Ashraf Masnun, have discovered a security hole in the social network that could lead to a potentially big privacy problem. The “post-by-email” feature in Facebook Groups reportedly lets an attacker post photos or plain text posts as anyone that is a member of a given group. There are a few requirements, however, if I wanted to spoof you: I would need a local SMTP server (or a server side script) and I would need to know the email address connected to your Facebook account.

Here is how it works. The attacker just has to compose a new email, change the “From:” field in the mail header and replace it with the victim’s email address, and then send the email to the group email address. The exploit works because Facebook does not employ a verification system to check who the email is coming from (according to the trio); the service simply believes the victim is sending the email and posts it as that Facebook user to the group’s Wall on the victim’s behalf. I find that unlikely, but it worked for them.

Comments are closed.