On Wed, Apr 15, 2009 at 9:14 AM, Kiran Jonnalagadda <[email protected]> wrote:
> Facebook allows an account to be logged in from only one location at a
> time. How, then, could the vandalism have been carried out even when Nisha
> was always in control of her account? This is the point where I suspect
> Facebook's security vulnerability lies.
>

I guess this makes it pretty clear that the password was never compromised. More likely her Facebook cookie was stolen through an XSS vulnerability (maybe in one of the third-party apps she has installed). This would allow certain operations to be done using the account, but not things like changing the password. It's not unknown for hackers to post images that violate the TOS with the intent of getting the account disabled.

As you pointed out, Facebook doesn't seem to allow the same person to be logged in twice, which should mean that when she logs in, previous cookies will be invalidated. But perhaps every time she logged in her cookie was stolen?

Since she's still using the account, I'd say ask her to remove any suspicious Facebook apps. Of course now her problem is getting back access to the deleted groups, not how it was hacked.

(Third-party app security is difficult to get right. There are solutions like Google's Caja [1], but it's not yet widely adopted.)

[1] http://code.google.com/p/google-caja/
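The session semantics the reply above leans on (one live session per account, so a fresh login invalidates the old cookie; password changes need the password, not just a cookie) as a toy model. This is an added illustration, not code from the thread or from Facebook; the `SessionStore` class, its method names and the sample credentials are all constructed here.

```python
import hashlib
import secrets


class SessionStore:
    """Constructed toy model: one active cookie per account, and
    password changes require re-proving the current password."""

    def __init__(self):
        self._pw = {}        # user -> password hash (toy: unsalted sha256)
        self._sessions = {}  # cookie -> user
        self._active = {}    # user -> the single currently valid cookie
        self.posts = []      # (user, text) accepted by the "post" action

    def register(self, user, password):
        self._pw[user] = hashlib.sha256(password.encode()).hexdigest()

    def _check(self, user, password):
        return self._pw.get(user) == hashlib.sha256(password.encode()).hexdigest()

    def login(self, user, password):
        if not self._check(user, password):
            return None
        old = self._active.get(user)
        if old is not None:
            self._sessions.pop(old, None)  # one-location rule: previous cookie dies
        cookie = secrets.token_hex(16)
        self._sessions[cookie] = user
        self._active[user] = cookie
        return cookie

    def post(self, cookie, text):
        """Cookie alone is enough to post: this is what a stolen cookie buys."""
        user = self._sessions.get(cookie)
        if user is None:
            return False
        self.posts.append((user, text))
        return True

    def change_password(self, cookie, current, new):
        """Sensitive action: needs a valid cookie AND the current password."""
        user = self._sessions.get(cookie)
        if user is None or not self._check(user, current):
            return False
        self.register(user, new)
        return True


def scenario():
    """Replays the reply's reasoning; returns (posted, pw_changed, after_relogin)."""
    site = SessionStore()
    site.register("owner", "correct horse")           # constructed credentials
    stolen = site.login("owner", "correct horse")     # cookie read via XSS
    posted = site.post(stolen, "TOS-violating image")  # works with cookie only
    pw_changed = site.change_password(stolen, "guess", "pwned")  # fails
    site.login("owner", "correct horse")              # owner logs in again
    after_relogin = site.post(stolen, "more")         # old cookie invalidated
    return posted, pw_changed, after_relogin
```

The last return value is why the reply concludes the cookie must have been stolen again after each login: a single stolen cookie stops working as soon as the owner signs in.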
