Yesterday Caschy reported on a security hole in the Facebook Pages Manager app that posted images from private messages directly to the page's wall. Facebook has now closed this hole on the server side, so no update of the app is required.
Facebook, however, does not regard the bug as a security risk and instead speaks of a privacy problem. That may well be correct, but something like this still should not happen to a company like Facebook. Facebook's reply to Artem of Android Police, who drew attention to the hole, reads as follows:
To update, we had engineers working through most of the night (California time) on this and they deployed a server-side fix within hours of getting the report. This patch stops the problem for anyone using the app without them needing to update. We’re currently checking for any photos that were posted due to this bug and plan on taking them down once they’re confirmed.
When it comes to the timeframe, this issue was introduced after a server-side change about a week ago. We’ll certainly be performing a thorough review to investigate how all of this happened and help ensure that it doesn’t happen again.
Thanks for the feedback on the whitehat page; we’ve worked to raise awareness of it among security researchers, but we’ll look at taking more steps to make it easier to find for other users as well. There’s some overlap between security and privacy, and while this may not have been a vulnerability for an attacker to exploit, it’s certainly the sort of issue we’d want to know about. As the whitehat page indicates, we built it for reporting bugs "that could compromise the integrity of Facebook user data, circumvent the privacy protections of Facebook user data, or enable access to a system within the Facebook infrastructure".
By the way, if you have any details on what avenues Joann used in trying to notify us of this, I’d definitely like to review those reports to understand why they weren’t picked up on sooner. We really appreciate her trying to get this fixed and want to ensure any future reports don’t get overlooked or delayed.
Thanks again for the heads-up,