Facebook, Yahoo Fix Valuable $ecurity Hole$

JMH (Emeritus, Contributor), joined Apr 2, 2012, 7,197 posts
Both Facebook and Yahoo! recently fixed security holes that let hackers hijack user accounts. Interestingly, access to methods for exploiting both of the flaws appears to have been sold by the same miscreant in the cybercrime underground.

According to Softpedia, Facebook has addressed a serious vulnerability after being notified by independent security researcher Sow Ching Shiong.

“The security hole allowed hackers to change the passwords of accounts they had compromised without knowing the old passwords. Whenever users change the password that protects their Facebook account, they’re required to enter the current password before they can set the new one. However, the expert found that cybercriminals could change a user’s password without knowing the old one by accessing the “https://www.facebook.com/hacked” URL, which automatically redirected to the compromised account recovery page.”
Facebook, Yahoo Fix Valuable $ecurity Hole$ - Krebs on Security
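To make the flaw quoted above concrete, here is an added illustration (not Facebook's code, and not from the Krebs article): a hypothetical password-change handler whose "compromised account" recovery entry point skips the current-password check, next to a hardened version where every path must present either the current password or a single-use recovery token that is only issued after out-of-band verification. The user record, field names and token handling are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed demo record; hypothetical fields, not Facebook's real schema.
@dataclass
class User:
    salt: bytes
    password_hash: bytes
    recovery_token: Optional[str] = None  # issued only after out-of-band identity verification

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_user(password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(salt=salt, password_hash=hash_password(password, salt))

def verify_password(user: User, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, user.salt), user.password_hash)

def _set_password(user: User, new_password: str) -> None:
    user.salt = secrets.token_bytes(16)
    user.password_hash = hash_password(new_password, user.salt)

def change_password_vulnerable(user, new_password, current_password=None, via_recovery_page=False):
    # Flawed: the "compromised account" recovery page trusts the logged-in session
    # and skips the current-password check, so a hijacked session alone suffices.
    if not via_recovery_page:
        if current_password is None or not verify_password(user, current_password):
            return False
    _set_password(user, new_password)
    return True

def change_password_fixed(user, new_password, current_password=None, recovery_token=None):
    # Hardened: every path must prove something the session alone does not carry:
    # the current password, or a single-use token issued only after out-of-band verification.
    if recovery_token is not None:
        if user.recovery_token is None or not hmac.compare_digest(recovery_token, user.recovery_token):
            return False
        user.recovery_token = None  # single use
    elif current_password is None or not verify_password(user, current_password):
        return False
    _set_password(user, new_password)
    return True
```

A real deployment would also invalidate other active sessions after a password change, since the point of the recovery flow is to evict whoever hijacked the account.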
That's terrible... Sadly, mistakes like that on a website that interacts with an SQL database are really considered stupid mistakes in my opinion. There's no reason for a site to have that kind of a flaw, when it should have been really obvious to the developers originally (if they had known what they were doing on the security front). Either that "hacked" URL was an SQL exploitation, or it was just URL POST data that led directly to a page without any kind of validation check (which would have been even worse in my opinion). Both are easily avoidable though. This would be more alarming for the people, and specifically webmasters, who have a grasp of the concept of web-based security.

When you are that big of a site, you can't keep all of the meager intermediate PHP programmers around, because you're dealing with the private accounts of many world-wide. And the visibility of your website consequently extends to many of the more intelligent cyber communities.