

Facebook Paid off $25,000 CSRF Vulnerability

A flaw found within Facebook was used to bypass CSRF protections and trick a user into clicking a malicious link. “This is possible because of a vulnerable endpoint which takes another given Facebook endpoint selected by the attacker along with the parameters and makes a POST request to that endpoint after adding the fb_dtsg parameter. Also, this endpoint is located under the main domain which makes it easier for the attacker to trick his victims to visit the URL,” said the experts who discovered the vulnerability. The flaw could even have allowed an attacker to delete a targeted user's account by changing the email address or phone number associated with it, at which point they could do whatever they wanted with the account.
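A minimal model of the relay pattern the quote describes, added here as an example that is not part of the original article or of Facebook's code: the vulnerable form adds the session's anti-CSRF token to any caller-chosen endpoint, while the hardened form requires the token from the caller and only forwards to an allowlist. The endpoint paths, token value and allowlist are constructed for illustration.

```python
from typing import Optional

# Constructed per-session anti-CSRF token (stands in for fb_dtsg's value).
SESSION_TOKEN = "dtsg-example-token"

# Constructed sensitive backend endpoint: correctly demands the token.
def change_email(params: dict) -> str:
    if params.get("fb_dtsg") != SESSION_TOKEN:
        return "rejected: missing or invalid CSRF token"
    return f"email changed to {params['email']}"

# Hypothetical routing table: endpoint path -> handler.
BACKENDS = {"/settings/change_email": change_email}

def vulnerable_relay(target: str, params: dict) -> str:
    """Vulnerable pattern from the article: the relay accepts a caller-chosen
    target plus parameters, injects the victim's token server-side and POSTs
    on. A cross-site link to the relay therefore reaches the backend WITH a
    valid token, even though the caller never possessed it."""
    handler = BACKENDS.get(target)
    if handler is None:
        return "rejected: unknown target"
    forwarded = dict(params, fb_dtsg=SESSION_TOKEN)  # token added for the caller
    return handler(forwarded)

# Hypothetical allowlist of endpoints the relay may forward to.
ALLOWED_TARGETS = {"/settings/change_email"}

def hardened_relay(target: str, params: dict,
                   request_token: Optional[str]) -> str:
    """Hardened form: the relay is itself CSRF-protected. The token must
    arrive with the request (only a same-origin page can supply it) and is
    passed through rather than minted, and targets are restricted."""
    if request_token != SESSION_TOKEN:
        return "rejected: relay request lacks a valid CSRF token"
    if target not in ALLOWED_TARGETS:
        return "rejected: target not allowed"
    handler = BACKENDS[target]
    return handler(dict(params, fb_dtsg=request_token))

if __name__ == "__main__":
    cross_site = {"email": "attacker-controlled@example.invalid"}  # constructed
    print(vulnerable_relay("/settings/change_email", cross_site))
    print(hardened_relay("/settings/change_email", cross_site, None))
    print(hardened_relay("/settings/change_email", cross_site, SESSION_TOKEN))
```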

Analyst Notes

Users should make sure their anti-virus software is up to date. When finished using a site, always log off rather than just minimizing the page. Do not save login IDs or passwords within the browser. Scripting should also be disabled within the user’s browser.