Jul 20, 2011 17:35 GMT

Microsoft security researchers have identified critical vulnerabilities in Facebook and Google Picasa which led to account compromise and arbitrary code execution.

The vulnerability in Facebook was ironically introduced by the company's anti-clickjacking protection deployed earlier this year in response to the many scams employing the technique.

Clickjacking or user interface redressing is a type of attack where a rogue button is hidden using programming methods and positioned over an innocuous-looking element on a page.

The user believes that they are clicking on a safe element, when in reality they are performing an action which they didn't authorize.

This technique has been used a lot by Facebook survey scammers to trick users into liking and sharing their spam pages on the social network, prompting the company to develop counter-measures.

"A vulnerability exists in the way that Facebook.com had previously implemented protection against clickjacking attacks. An attacker could exploit this vulnerability to circumvent Facebook privacy settings and expose potentially sensitive user information. An attacker who successfully exploited this vulnerability could take complete control of a user’s Facebook.com account and could perform any action on behalf of the user, such as read potentially sensitive data, change data, and delete contacts," Microsoft explained in its advisory.

The company's security researchers reported the vulnerability to Facebook and it has been patched, so the security hole no longer presents any risks.

Microsoft security researchers also identified a critical arbitrary code execution vulnerability in Google's Picasa. The vulnerability could have been exploited by tricking a victim into opening a specially-crafted JPEG image in the program.

"An attacker who successfully exploited this vulnerability could gain the same user rights as the local user," Microsoft's advisory reads. As with the Facebook flaw, the vulnerability, identified as CVE-2011-2747, was reported to Google and was patched.