A bug in Facebook’s login system lets cyber attackers discover the identity of a Facebook user. The system allows a hacker to match unknown email addresses with users’ first and last names, even when the user has configured his or her Facebook account to be private.
Scammers can exploit this leak by entering an email address in the Facebook sign-on page and then entering a random password. They can then see the full name and picture of the person associated with the Facebook account.
“Facebook users have no control over this, as this works even when you have set all privacy settings properly,” Atul Agarwal of Secfence Technologies wrote on a security site. “Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies.”
Facebook said it is working on a fix.
Meanwhile, antivirus firm Kaspersky Lab discovered a Trojan Horse (a form of malware) that is attacking phones running the Google Android software in Russia. The malware appears to be a harmless media player. But once it is installed, the Trojan Horse sends text messages to premium-rate phone numbers without the user’s consent. The resulting text message charges go unnoticed until users get their monthly cell phone bills.
Mobile security firm Lookout described the malicious software as the first Trojan Horse developed exclusively for the Android platform. Lookout said the malware would not affect Android users outside of Russian cell phone networks. On top of that, the app is not distributed in the Android Market. The default setting on Android phones only allows installations from the Android Market, and users who want to get apps from outside the Android Market have to explicitly approve that.
In addition, Android prompts users to confirm that the app in question should have permission to send text messages on the user’s behalf. In other words, there are plenty of red flags for users to notice with this Android malware.
[Photo credit: Flickr, James Grayson]