Facebook is the holder of more personal data than most people will want to admit or feel comfortable sharing, so when an exploit hits the popular service, users should take notice. The newest exploit attacks Facebook's "Upload via Email" function and allows the attacker to post status updates, videos, and images on its initial run. After the initial run, the exploit only allows the controlling party to upload photos.
There are a couple of websites out there currently trying to exploit this flaw, but they all seem to require manual copying and pasting by the end user/victim. The social engineering the exploit depends on makes it unlikely that it will affect the masses, but it still highlights a hole in Facebook's security.
The exploit appears to be a low-risk hole because it requires the end user to copy and paste the information into their browser. But if an individual can find a way to automate this exploit, it could pose a far bigger risk. The exploit is not browser specific, and users can protect themselves by not copying and pasting any sort of JavaScript into their browser.
Neowin has intentionally not linked to any websites trying to exploit this flaw or to the code itself for obvious reasons.
Thanks for the tip, Aditya.
Update: Our resident coder expert Dave has figured out how to remove this exploit from your Facebook account. If your account has been hijacked, take the following steps: 1) Visit the Facebook "Upload via Email" page, 2) Click "Send me my upload email", 3) Click the "refresh your upload email" link. This will reset your information and should mitigate the exploit on your account.