Today, an Indian security researcher named Vivek Bansal mailed me about an issue he found in Facebook a year ago. For finding it he received $2,000 under Facebook's own bug bounty program, but I was shocked to hear from Vivek that the same bug still exists: a developer who knows the trick is able to post malicious or promotional links to your friends' timelines without taking any permission from you.
If that is confusing, see the screenshot below, in which a notification arrives saying that someone has posted on your timeline. In the picture, Vivek appears to be the one who posted on a friend's timeline, but he did not actually post it; the post was made from the developer's end through a script written by Vivek:
Vivek notified the Facebook Security team about the issue last December and got a reply saying that the issue had been identified by the team and that Vivek could now publicize the bug.
“Around 11 months back I had written a script where, through any mobile/web application, I can post any message, image or video on a user’s and his friends’ timelines on behalf of the user without taking any prior permission”—VIVEK BANSAL.
About the Vulnerability:
This vulnerability is on the developer (app) side. Whenever you use a Facebook app, a dialog tells you which permissions are being granted to the app, such as access to your contacts, your profile and more. Vivek shows in a demo video that an app which is only allowed to access your Basic Info is nevertheless able to post anything on your friends' timelines, without using your credentials.
The demo video was made by Vivek on 4 November 2014. You can find the video, which he published earlier this year, at the bottom of this post:
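The post does not reveal Vivek's script, and this is not it. What follows is an added example, written for this page, of the kind of server-side check that was evidently missing: before honoring a publish request, the service has to look at which scopes the user actually granted the app and refuse a write when no publishing scope is among them. The scope names (`public_profile`, `email`, `publish_actions`), the shape of the `/me/permissions` response, and the rule that a publishing scope covers only the user's own timeline are assumptions drawn from the Graph API documentation of the time, not from the post; the sample responses are constructed.

```python
import json

# Assumption: Graph API scope names of the period; the post itself names none.
BASIC_INFO_SCOPES = {"public_profile", "email", "user_friends"}
PUBLISHING_SCOPES = {"publish_actions"}

# Constructed sample responses in the assumed shape of GET /me/permissions:
# {"data": [{"permission": <scope>, "status": "granted" | "declined"}, ...]}
BASIC_INFO_ONLY = json.dumps({"data": [
    {"permission": "public_profile", "status": "granted"},
    {"permission": "email", "status": "granted"},
    {"permission": "publish_actions", "status": "declined"},
]})
WITH_PUBLISH = json.dumps({"data": [
    {"permission": "public_profile", "status": "granted"},
    {"permission": "publish_actions", "status": "granted"},
]})


def granted_scopes(permissions_json):
    """Return the set of scopes the user actually granted.

    Declined entries are present in the response but must not count, which is
    exactly the mistake a naive "is the scope listed?" check would make.
    """
    doc = json.loads(permissions_json)
    return {
        entry["permission"]
        for entry in doc.get("data", [])
        if entry.get("status") == "granted"
    }


def is_basic_info_only(permissions_json):
    """True when the app holds nothing beyond basic-profile scopes."""
    return granted_scopes(permissions_json) <= BASIC_INFO_SCOPES


def authorize_post(permissions_json, target):
    """Decide whether an app holding these scopes may publish a post.

    target is "self" (the token owner's own timeline) or "friend".
    Returns (allowed, reason). Hypothetical policy for illustration: a token
    with no publishing scope can never write, and a publishing scope only
    ever covers the user's own timeline, so a friend's timeline is always
    refused no matter what the app was granted.
    """
    scopes = granted_scopes(permissions_json)
    if not scopes & PUBLISHING_SCOPES:
        return False, "no publishing scope granted"
    if target == "friend":
        return False, "publishing scope covers the user's own timeline only"
    if target == "self":
        return True, "publish_actions granted by the user"
    return False, "unknown target"


if __name__ == "__main__":
    for label, perms in (("basic info only", BASIC_INFO_ONLY), ("with publish", WITH_PUBLISH)):
        for target in ("self", "friend"):
            allowed, reason = authorize_post(perms, target)
            print(f"{label:16} -> {target:6}: {'ALLOW' if allowed else 'DENY '} ({reason})")
```

Run it and the "basic info only" token is denied for both targets, which is the behaviour the post says Facebook's platform failed to enforce; the token with `publish_actions` is allowed only for the user's own timeline.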
This vulnerability has been used by some notorious developers :)
Facebook awarded Vivek a bug bounty of USD 2,000 and also included him in its Hall of Fame.
I know you are wondering about the script Vivek wrote, but unfortunately it will remain undisclosed until the vulnerability is fixed.
That this vulnerability still persists in Facebook's systems shows how slow Facebook's security team has been in patching it. The bug lets an attacker earn money from clicks on the posted links, install malware when those links are clicked, and more.
In the meantime, Vivek is working with Times Internet Limited (part of The Times Group). More about him can be found at yourstory.com.