Exclusive: New Facebook exploit hits the web

Facebook holds more personal data than most people would care to admit or feel comfortable sharing, so when an exploit hits the popular service, users should take notice. The newest exploit targets Facebook's "Upload via Email" function and, on its initial run, allows the attacker to post status updates, videos, and images. After the initial run, the exploit only allows the controlling party to upload photos.

There are a couple of websites currently trying to exploit this flaw, but they all seem to require manual copying and pasting by the end user/victim. The social engineering the exploit depends on makes it unlikely to affect the masses, but it still highlights a hole in Facebook's security.

The exploit appears to be a low-risk hole because it requires the end user to copy and paste the code into their browser. But if an individual can find a way to automate this exploit, it could pose a far bigger risk. The exploit is not browser specific, and users can protect themselves by not copying and pasting any sort of JavaScript into their browser.

Neowin has intentionally not linked to any websites trying to exploit this flaw or to the code itself for obvious reasons.

Thanks for the tip, Aditya.

Update: Our resident coding expert Dave has figured out how to remove this exploit from your Facebook account. If your account has been hijacked, take the following steps:
1) Visit the Facebook "Upload via Email" page.
2) Click "Send me my upload email".
3) Click the "refresh your upload email" link.
This will reset your upload address and should mitigate the exploit on your account.


20 Comments


I've looked at the source code for the javascript, and I know what it does.
It gets the email addresses of all your Facebook friends and yourself, and puts it into a new text file on a server that the person who wrote it chooses.

He probably has hundreds of text files with a new email address on each line break.
This script could be developed to have the names and countries in a csv (comma separated values) text file, so it could fool the email mailing providers.

desbest said,
I've looked at the source code for the javascript, and I know what it does.
It gets the email addresses of all your Facebook friends and yourself, and puts it into a new text file on a server that the person who wrote it chooses.

He probably has hundreds of text files with a new email address on each line break.
This script could be developed to have the names and countries in a csv (comma separated values) text file, so it could fool the email mailing providers.


Nice thoughts of yours

why was my post deleted? because i told you stupid ****s that this is not an exploit? get real. this is so lame. just google rotating images javascript and you will find it. soooooo old.

Anything that gets as popular as Facebook (for whatever that is and I still can't figure out) will get nailed with crap like this.

Personally,
Facebook and Twitter and garbage sites like those, should be against the law!!

Oh the irony that a spampot posts suspicious content in a topic like this. (Which has been removed luckily)

I think what would make this all the more convincing for people is the fact that it's a script. I'm sure we've all seen the revolving image script. The average user would say "Ooh, cool!" and try it. The problem here would be the fact that the average user probably wouldn't know how to "proofread" the code and see that it's malicious.

Quite an interesting trick actually. I wonder if the end result is the images resulting or if it's completely bogus.

"The exploit appears to be a low risk hole because it requires the end user to copy and paste the information into their browser."

While I do completely agree that it should be low risk, it probably won't be because people are so stupid and copy and paste anything... Heck, just tell Facebook users it will give them a "Dislike" button and they will do anything!

People just don't understand only Facebook themselves can do that.

Mr aldo said,
"The exploit appears to be a low risk hole because it requires the end user to copy and paste the information into their browser."

While I do completely agree that it should be low risk, it probably won't be because people are so stupid and copy and paste anything... Heck, just tell Facebook users it will give them a "Dislike" button and they will do anything!

People just don't understand only Facebook themselves can do that.

+1, Or tell them it will put pretty ponies on their home page.

mquiny said,

+1, Or tell them it will put pretty ponies on their home page.


+1 for that one.
Or tell them that it'll win them a new iPad. People nowadays enter their email and password on any website so their contacts get spammed, because they're too damn lazy to change the password. I have literally sent step-by-step instructions on how to do it, and they just don't...

Eraknelo said,

+1 for that one.
Or tell them that it'll win them a new iPad. People nowadays enter their email and password on any website so their contacts get spammed, because they're too damn lazy to change the password. I have literally sent step-by-step instructions on how to do it, and they just don't...

Nice, you must know some pretty stupid people

mquiny said,

+1, Or tell them it will put pretty ponies on their home page.


I'm sorry, but I WILL risk my Facebook account for that feature, sir.

XeonBuilder said,

Tell them it turns their tractor into a corvette in farmville.... DONE!!!!

LOL!!!!!!!!!!!!!!!!!!!