Facebook vulnerability allowed "silent data harvesting"


Joey Tyson, aka theharmonyguy, has detailed a major security hole in the Facebook platform: “the technique allowed one to create a seemingly innocent web page that would allow a malicious website to silently access a user’s profile information, photos, and in some cases, messages and wall posts, with no action required on the user’s part.”

Facebook has now disabled the attack by modifying one of the exploited behaviors: “Facebook has restricted the ‘next’ parameter; it now only forwards to addresses for the application specified on the login page, preventing any appended session data from reaching the wrong destination. Since an authorized application already has API access, using return_session with that application will not add any new privileges.”

“In my proof-of-concept demonstration, I loaded a harmless-looking web page on a server external to Facebook. The page included code for an inline frame sized to be invisible to the user. This frame then loaded the login page for a Facebook application. If the user has already authorized an application, its login page will automatically forward to the application, and that’s exactly what I wanted to happen. I chose FarmVille,” states Joey.
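The fix Facebook describes is a redirect-target allowlist: session data may only be appended to a “next” address that belongs to the application named on the login page. The following is an added illustration of that check, not Facebook’s code and not Joey Tyson’s proof of concept; the application id, registry of redirect hosts, query-parameter name and URLs are all constructed placeholders. It places the unchecked forwarding behaviour the article says was exploited beside a validated version, and shows why an exact-host match (rather than a prefix or substring match) is the part that matters.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qsl

# Hypothetical registry: which redirect hosts each application registered.
# Constructed sample data; "app-123" and the host are placeholders, not real values.
APP_REDIRECT_HOSTS = {
    "app-123": {"farm.example-app.test"},
}


def _append_session(url, session_blob):
    """Append the session value as a query parameter, preserving existing query keys."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("session", session_blob))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def weak_forward(next_url, session_blob):
    """Pre-fix behaviour as the article describes it: the login page appends the
    session to whatever 'next' says and forwards there, with no check on the destination."""
    return _append_session(next_url, session_blob)


def is_allowed_next(next_url, app_id):
    """True only if next_url is an absolute http(s) URL whose hostname is registered
    for app_id. Exact hostname match defeats look-alike suffixes such as
    'farm.example-app.test.evil.test'; rejecting userinfo defeats 'goodhost@evilhost'
    forms; requiring a scheme rejects scheme-relative '//evil.test' and javascript: URLs."""
    try:
        parts = urlsplit(next_url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    return host in APP_REDIRECT_HOSTS.get(app_id, set())


def safe_forward(next_url, app_id, session_blob, fallback):
    """Post-fix behaviour: append session data only for a registered destination;
    otherwise send the user to the app's canonical URL with no session attached."""
    if is_allowed_next(next_url, app_id):
        return _append_session(next_url, session_blob)
    return fallback


if __name__ == "__main__":
    canonical = "https://farm.example-app.test/"
    print("weak:", weak_forward("https://evil.test/collect", "sess-abc"))
    print("safe:", safe_forward("https://evil.test/collect", "app-123", "sess-abc", canonical))
    print("safe:", safe_forward("https://farm.example-app.test/game?x=1", "app-123", "sess-abc", canonical))
```

The weak path leaks the session to any host the page author chose; the validated path forwards session data only to a host the application registered, which is the property the quoted Facebook statement describes. In a real deployment the registry would be the application’s configured redirect URIs, and the same exact-match rule applies to any login or OAuth “return to” parameter.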

[Source]