Hacker News
How To Hack Facebook In 51 Seconds (alleyinsider.com)
11 points by jmorin007 on March 28, 2008 | 11 comments



This isn't really hacking Facebook... they're hacking the Moods app, which is made by HotOrNot.


Right, but many applications have access to information in your profile (at least, that's what it says every time you add an application). Couldn't such vulnerabilities feasibly lead to more serious problems in Facebook itself?


You're right, it might be possible to get an insecure application to give you API-accessible information about some other user (e.g., the application contains a page that spits out your entire profile on the screen, and you pass in your target's userid). That information is guarded by a user-specific session key, so the app would have to store each user's session key on the server (or have already cached the response) for it to work. A really insecure application could probably be coerced into making other API calls as well, like sending notifications or uploading photos.

I guess in that case Facebook might want to look into providing some vulnerability testing tools to developers, or maybe running tests for them to find vulnerabilities. It's definitely a hard problem.


There've been some interesting articles on this topic in 2600 the past year or so. There was one (can't find it at the moment, will post a cite if I can dig it up) about viewing the information in sealed profiles and another about using an XSS attack to spoof friends request confirmations.

I don't recall much about the articles, but what I do recall is that, in each, the author noted that by the time he got the article written, the hole had been fixed.

Facebook is a big system, with a lot of possible holes, but it seems to be run by folks who care about security and respond well.


This isn't a facebook hack at all. It's a Moods application hack. Really, it's the application programmer's fault for not checking if the auth_token received corresponds to the fb_sig_user. James Hong's Pets application used to have the same problem, where you could sell other people's items to make money for your own pet. He just needed to validate his inputs...

And so do most amateur web programmers.

Facebook is pretty secure. Its apps vary.


the moods app forgot to verify_sig on that request. i'm betting there are a lot of facebook apps like that.


I don't see why there would be a lot. Client libs usually take care of that. I don't know what these guys are doing here.


The client libs handle everything for you if you use fbml, since every request is proxied by facebook and has its own signature. If you use an iframe, like the Moods app and many other popular apps, requests go directly to your server, so you have to explicitly include and validate a signature for each request.

It's still not terribly difficult, but most facebook app devs are trying to churn out apps and features so fast that there's no time for this kind of detail.
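
An added example, not part of the thread or of any app's code: a per-request check of the kind the comment above describes for iframe apps. It assumes the legacy Facebook Platform signing scheme (MD5 over the sorted `fb_sig_*` pairs with the prefix stripped, followed by the app secret); the handler, the secret and the request values are constructed.

```python
import hashlib
import hmac

PREFIX = "fb_sig_"
SECRET = "constructed-app-secret"  # constructed value, stands in for the app secret


def expected_sig(params, secret):
    """Assumed legacy scheme: MD5 of sorted 'name=value' pairs (prefix stripped) + secret."""
    signed = {k[len(PREFIX):]: v for k, v in params.items() if k.startswith(PREFIX)}
    payload = "".join(f"{k}={signed[k]}" for k in sorted(signed))
    return hashlib.md5((payload + secret).encode()).hexdigest()


def authenticated_user(params, secret):
    """Return the user id covered by a valid signature, or None to reject."""
    sig = params.get("fb_sig")
    if not isinstance(sig, str) or not sig:
        return None
    want = expected_sig(params, secret)
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(sig.encode(), want.encode()):
        return None
    return params.get("fb_sig_user")


def handle_set_mood(params, secret, store):
    """Hypothetical handler: the acting user comes only from signed parameters."""
    user = authenticated_user(params, secret)
    if user is None:
        return 403  # unsigned or tampered request: change nothing
    store[user] = params.get("mood", "")
    return 200


def sample_request(user):
    """Constructed request as it would arrive for the given user id."""
    params = {
        "fb_sig_user": user,
        "fb_sig_time": "1206700000.1",
        "fb_sig_api_key": "constructed-api-key",
    }
    params["fb_sig"] = expected_sig(params, SECRET)
    return params
```

Changing `fb_sig_user` on a captured request without recomputing `fb_sig` makes `authenticated_user` return `None`, so the handler never acts on a user id the signature does not cover.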


Web applications, especially amateurish ones, are insecure. I'm sure there are bigger sploits in FB itself.


Does this really surprise anyone?

When does security as an afterthought ever work?


quality in news is really decreasing



