Facebook Friend Deletion Flaw

Facebook has had its share of problems again lately.  Last week it was a fast-moving worm, this week it’s a bug that allows someone to delete all of a user’s friends without permission.  The flaw was reported Wednesday, but could still be exploited over 48 hours later.  Proof-of-concept code is now publicly available.  “A malicious hacker could combine an exploit for this bug with spam or even a self-copying worm code to wreak havoc on the social network,” IDG says.

The cross-site request forgery (CSRF) bug that makes this possible is the same one reported earlier that exposed user birthdays and other sensitive data even when they were designated private.  Facebook representatives said engineers had closed the hole, but that turned out to be premature.  The flaw could still be exploited to control the site’s “like” feature, a button users click to endorse ads and other types of content.