::Trend Micro Threat Resource Center::

02 September 2009

Researcher Launches Facebook Bug Project For September

First Twitter and now Facebook: A researcher today began a round of daily disclosures of serious vulnerabilities in popular Facebook applications.

The researcher, who goes by "theharmonyguy," plans to disclose multiple cross-site scripting (XSS) flaws he discovered in various third-party Facebook applications this month, though he may not do so every day. He says he found major security holes in several of Facebook's top 10 most popular applications.

Today's bugs include XSSes in FunSpace, which has more than 8 million users; SuperPoke, which has 2 million users; SocialToo, which has nearly 2,000 users; and YellowPages.ca, which has nearly 1,200 users. FunSpace, SuperPoke, and SocialToo have been patched, but YellowPages.ca has not.

The problem, he says, lies in Facebook's API, a problem that has been well documented by other researchers as well. The API gives the application developer full access to a Facebook member's profile when a user runs that application.
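The flaw class behind these disclosures is cross-site scripting: a third-party application takes data it does not control (a request parameter, or a profile field pulled through the platform API) and writes it into its page without encoding it. The following is an added illustration, not code from the article or from any of the applications it names; the function names and the sample input are constructed for the example. It places the unsafe rendering pattern beside the hardened one and adds a small regression check of the kind an app developer can keep in a test suite.

```javascript
// Added example (not from the article): reflected XSS from unescaped
// untrusted input, the output-encoding fix, and a simple regression check.

// Minimal HTML escaper for text placed into an element body or a
// double-quoted attribute value. Ampersand must be encoded first so that
// already-encoded entities are not double-encoded incorrectly.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the untrusted value (hypothetical: a query parameter,
// or a display name fetched from a user's profile via the platform API) is
// concatenated straight into markup. Any tag in the value becomes live HTML.
function renderGreetingUnsafe(displayName) {
  return "<h1>Hello, " + displayName + "!</h1>";
}

// Hardened pattern: identical template, but the value is HTML-encoded at the
// point of output, so tag and attribute boundaries cannot be introduced.
function renderGreetingSafe(displayName) {
  return "<h1>Hello, " + escapeHtml(displayName) + "!</h1>";
}

// Regression check a defender can run over a renderer: feed it a constructed
// marker containing a tag, and report whether the tag survives unencoded.
// Returns true when the renderer is vulnerable to reflected XSS.
function reflectsRawTags(renderFn) {
  const marker = "<script>probe()</script>"; // constructed test input, not a payload from the article
  const output = renderFn(marker);
  return output.includes("<script>");
}

// Stand-alone demonstration.
const sample = "Ann <b>Example</b>";
console.log("unsafe:", renderGreetingUnsafe(sample));
console.log("safe:  ", renderGreetingSafe(sample));
console.log("unsafe renderer reflects raw tags:", reflectsRawTags(renderGreetingUnsafe));
console.log("safe renderer reflects raw tags:  ", reflectsRawTags(renderGreetingSafe));
```

The encoding must match the context the value lands in: the escaper above is correct for element content and quoted attribute values, but data inserted into a JavaScript string, a URL, or a CSS value needs that context's own encoding, which is where many application-level XSS bugs of the kind described here come from.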

Full report here.