Privacy and security news for Facebook just keeps getting worse. No doubt,
thanks in part to its ubiquity, Facebook is quickly becoming the Microsoft of
social networking. The latest research shows that not only has certain user
information been made available by the site without warning, but additional
information can also be harvested with the use of simple clickjacking schemes.
Noted security consultant and researcher Nitesh Dhanjani has discovered that
Facebook has changed its policy regarding third-party applications. It used to
be that any app or external site would have to be given express permission by a
user to access any profile information. Now, according to Facebook spokesman
Simon Axten, Facebook is providing apps and services with "implicit
authorization" to access "publicly available information."
But Dhanjani's discoveries don't stop there. He told CNET that Facebook
accounts could easily be hijacked using clickjacking attacks, which lead users
to sites with malicious code and hide a Facebook login page behind other content,
such as embedded videos. Fellow researcher, Shlomi Narkolayev, chimed in, "Using
ClickJacking, I also could fool users to click whatever I want: adding me as
their friend, delete their account, and even open their camera and microphone."