Hackers can harm Facebook users' computers (illustration)

Who hacked my Facebook account?

How does one make a career out of breaking into websites? Ask Rafel Ivgi and Nir Goldshlager, who find security vulnerabilities and get them fixed. Their latest discovery: a vulnerability in Facebook applications.

Rafel Ivgi, 22, and Nir Goldshlager, 23, have built a remarkable career for themselves out of something that could hurt any computer user: finding vulnerabilities in websites.


Although neither of them has formally studied the field, they now work as security experts at the Citadel consulting firm. They recently uncovered a vulnerability affecting applications on the Facebook social network, through which attackers can reach the databases of those applications and expose the private data of their users.


This isn't the first time the young hackers have found flaws in popular websites. Each has an impressive record of reporting vulnerabilities in well-known services, including Gmail, Google's email service, and the ICQ instant messaging program.


Their careers began at an early age, when they made a specialty of browsing websites and finding vulnerabilities in them. As good citizens, they reported what they found to the companies so that users would be protected.


That is essentially how Goldshlager came to work at a computer company. At 18 he broke into a website holding sensitive information and called the company operating it to report the problem.


"Two days later, the company's CEO telephoned me, invited me to a meeting and offered me the job of the person responsible for information security at the company," he says.


Before joining Citadel, he worked at two other information security companies. In his free time between jobs or after working hours, he found vulnerabilities in several of the world's most popular websites, such as the Yahoo and Lycos email services.


His current role at the company is to look for security flaws in websites belonging to the firm's clients. "When I discover a breach I explain to the programmers what has to be fixed and how to do it," he says.


So how does one become a vulnerability hunter without formally studying the field? Goldshlager says he joined forums and chat groups devoted to the subject and taught himself during his junior high school years.


"The response is mostly positive. I don’t publicize detailed information about the breach on the Web to avoid other people abusing it. In most cases, these are serious companies which invest in security. The Yahoo and Gmail breaches were fixed within a day."


Ivgi, Citadel's technology manager, also has an impressive record. His finds include vulnerabilities that allowed attackers to compromise computers through the Acrobat Reader program and the Internet Explorer browser.


He began working on security at the age of 12, and by 16 he had already published dozens of articles on the subject on the Web. At 17 he started working at the security company Finjan.


About a year ago he uncovered a flaw in Facebook's photo uploading system that allowed attackers to take remote control of users' computers. He says he never received a response from Facebook, although the flaw has since been fixed.


The pair's latest discovery is an SQL injection vulnerability in Facebook applications. We approached the social network with details of the flaw, but the company did not respond and the flaw has not been fixed.


Facebook's weak spot

Although the flaw does not provide access to Facebook's own database, where users' details are kept, the applications themselves collect information about their users. Members of the network usually do not hesitate to hand over personal information, such as their email addresses, in order to use a given application. That information is exposed to attackers, who can then go on to harm the users' computers.


"Whoever abuses this breach could pull out data from certain applications' information bank, erase existing data, change the information and infect users with viruses," Goldshlager and Ivgi explain. "This breach could be one of the sources of viruses spread through Facebook."

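To show what "pull out data" and "change the information" mean in practice for the class of flaw described above, here is an added illustration in Python over SQLite. It is not code from the article or from the researchers, and it does not reproduce the actual Facebook application flaw, which the article does not describe: the app_users table, its columns, the sample rows and the "0 OR 1=1" payload are all constructed assumptions. The vulnerable handlers splice the request's uid parameter into the SQL text; the hardened ones validate it and bind it as a parameter.

```python
import sqlite3

# Constructed sample data standing in for a third-party app's user table.
SAMPLE_ROWS = [
    (1001, "alice", "alice@example.com"),
    (1002, "bob", "bob@example.com"),
    (1003, "carol", "carol@example.com"),
]

PAYLOAD = "0 OR 1=1"   # assumed attacker value for the ?uid= request parameter


def make_db():
    """Fresh in-memory database with the assumed app_users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_users (uid INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO app_users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


# --- vulnerable: the request parameter becomes part of the SQL text ---------

def lookup_vulnerable(conn, uid_param):
    """SELECT whose WHERE clause is built by string concatenation."""
    sql = "SELECT name, email FROM app_users WHERE uid = " + uid_param
    return conn.execute(sql).fetchall()


def update_email_vulnerable(conn, uid_param, new_email):
    """UPDATE with the same flaw in its WHERE clause; returns rows changed.
    The new email is bound correctly, which does nothing to protect the uid."""
    sql = "UPDATE app_users SET email = ? WHERE uid = " + uid_param
    return conn.execute(sql, (new_email,)).rowcount


# --- hardened: strict validation plus parameter binding ---------------------

def parse_uid(uid_param):
    """Accept only a plain decimal user id; anything else is rejected."""
    if not uid_param.isdigit():
        raise ValueError("uid must be a decimal integer")
    return int(uid_param)


def lookup_safe(conn, uid_param):
    try:
        uid = parse_uid(uid_param)
    except ValueError:
        return []
    # The driver sends the value separately from the query text, so it can
    # never change the statement's structure.
    return conn.execute("SELECT name, email FROM app_users WHERE uid = ?", (uid,)).fetchall()


def update_email_safe(conn, uid_param, new_email):
    try:
        uid = parse_uid(uid_param)
    except ValueError:
        return 0
    return conn.execute("UPDATE app_users SET email = ? WHERE uid = ?",
                        (new_email, uid)).rowcount


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal id:", lookup_vulnerable(conn, "1001"))
    print("vulnerable, payload dumps every row:", lookup_vulnerable(conn, PAYLOAD))
    print("vulnerable, payload rewrites every email:",
          update_email_vulnerable(conn, PAYLOAD, "attacker@example.net"), "rows")
    print("safe, payload rejected:", lookup_safe(conn, PAYLOAD),
          update_email_safe(conn, PAYLOAD, "x@example.net"))
```

The payload turns "WHERE uid = 0 OR 1=1" into a condition that is true for every row, so the same input that dumps the whole table through the SELECT also rewrites every email through the UPDATE. Binding alone already closes the hole; the isdigit check on top of it rejects the input early and keeps the error out of the database layer.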

Citadel's security experts found another weak spot in Facebook: cross-site request forgery (CSRF). A Facebook user can be sent a link to a page that effectively takes over his or her account. The link can be distributed on forums, in chats or by email.


Once the victim opens the link, the sender of the message (the attacker) is automatically added to the victim's friends list, gains full access to the Facebook account and can change its details, send messages in the victim's name, and so on. The only thing the attacker cannot do is change the password.
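The mechanism behind a CSRF takeover of this kind, as an added Python illustration that is not code from the article or from Citadel and does not reproduce the actual Facebook flaw (the article gives no details of it): a fictional site whose "add friend" action is authorised by the session cookie alone, beside a hardened handler. The Server and Request classes, the origins social.example and evil.example, and the user ids are constructed assumptions. Because the browser attaches cookies to every request to the site, a page the victim merely opens can submit the request on the victim's behalf; the hardened version demands a per-session token that only the site's own pages carry.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://social.example"     # assumed origin of the fictional site
ATTACKER_ORIGIN = "https://evil.example"   # assumed origin of the attacker's page


@dataclass
class Server:
    """Constructed stand-in for the server side: sessions, tokens, friend lists."""
    sessions: dict = field(default_factory=dict)     # session cookie -> user id
    csrf_tokens: dict = field(default_factory=dict)  # user id -> per-session token
    friends: dict = field(default_factory=dict)      # user id -> set of friend ids

    def login(self, user_id):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user_id
        # The token lives in the user's own pages (e.g. a hidden form field),
        # never in the cookie, so a page on another origin cannot read it.
        self.csrf_tokens[user_id] = secrets.token_hex(16)
        self.friends.setdefault(user_id, set())
        return cookie


@dataclass
class Request:
    method: str
    cookies: dict
    params: dict
    origin: str   # what the browser sends in the Origin header


def add_friend_vulnerable(server, req):
    """The flaw: a state change authorised by the session cookie alone."""
    user = server.sessions.get(req.cookies.get("session"))
    if user is None:
        return 401
    server.friends[user].add(int(req.params["friend"]))
    return 200


def add_friend_safe(server, req):
    """Hardened: POST only, same-site Origin, and a valid per-session token."""
    user = server.sessions.get(req.cookies.get("session"))
    if user is None:
        return 401
    if req.method != "POST" or req.origin != SITE_ORIGIN:
        return 403
    expected = server.csrf_tokens[user]
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(req.params.get("csrf", ""), expected):
        return 403
    server.friends[user].add(int(req.params["friend"]))
    return 200


def cross_site_request(server, victim_cookie, handler, attacker_id):
    """The victim's browser loads the attacker's page, which auto-submits a
    form to the site. The browser attaches the victim's cookie by itself;
    the attacker's page cannot read the victim's token and has its own Origin."""
    req = Request(method="POST",
                  cookies={"session": victim_cookie},
                  params={"friend": str(attacker_id)},
                  origin=ATTACKER_ORIGIN)
    return handler(server, req)


def legitimate_request(server, cookie, user_id, friend_id, handler):
    """The same action issued from the site's own page, token included
    (the page obtained the token when the server rendered it for this user)."""
    req = Request(method="POST",
                  cookies={"session": cookie},
                  params={"friend": str(friend_id),
                          "csrf": server.csrf_tokens[user_id]},
                  origin=SITE_ORIGIN)
    return handler(server, req)


if __name__ == "__main__":
    s = Server()
    cookie = s.login(1)
    print("vulnerable handler, forged request:",
          cross_site_request(s, cookie, add_friend_vulnerable, 666), s.friends[1])
    s = Server()
    cookie = s.login(1)
    print("hardened handler, forged request:",
          cross_site_request(s, cookie, add_friend_safe, 666), s.friends[1])
    print("hardened handler, genuine request:",
          legitimate_request(s, cookie, 1, 42, add_friend_safe), s.friends[1])
```

Requiring POST on its own stops nothing, since a hidden form on the attacker's page can submit a POST just as easily as a link issues a GET; the token is the control that matters, with the Origin check as defence in depth. In today's browsers the SameSite attribute on the session cookie adds a further layer, but it was not available at the time of the article and should not replace the token.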


Moti Karo, CEO of Citadel of the Yana Group, says "it is critically important to constantly review the issue of data protection in the organization and manage it correctly, particularly in websites where such a breach could endanger all surfers and reveal their personal details, or allow hostile elements to plant a hostile code.


"The way to avoid such situations is to create a situation in which all the aspects of data protection are examined while the website is still in its developments stages."

