Security 10808 Published by

Facebook has fixed a security vulnerability that could be exploited by an attacker to record video from a victim's webcam and then post it to their timeline without requesting their permission.



From MajorGeeks:
The social network operator doesn't seem to have been in any great hurry – security researchers Aditya Gupta and Subho Halder say that they informed the company of the problem four months ago. The two are, however, happy with the outcome, as the reward paid out by Facebook for reporting the vulnerability proved to be significantly more than expected.

The researchers discovered that the video upload feature, which is implemented in Flash, was not properly protected against cross-site request forgery (CSRF) attacks. They developed a demo web page containing an embedded Flash applet – visiting the page displayed the video uploader, but, when clicked on, the uploader recorded a video with the visitor's webcam and posted it to their Facebook timeline without requesting their permission. The only requirement was that the user had to be logged into their Facebook account at the time.
  Facebook vulnerability allowed silent webcam recording