The Israeli hacker who saved Facebook — twice

Nir Goldshlager found a serious security breach in the social media network — and then found a hole in the ostensibly repaired code, too

Nir Goldshlager (photo credit: Courtesy)

Nir Goldshlager, a “white hat” hacker who has tested computer security systems for some of the biggest companies in the world, is once again a hero. For the second year running, Goldshlager is the No. 1 name in Facebook’s security “hall of fame,” featured on a page thanking hackers “for making a responsible disclosure to us, on behalf of over a billion users.” Goldshlager also appeared on the list in 2011, in second place.

Goldshlager, a staff member at the Israeli cyber-security firm Avnet, actually saved Facebook twice this year. He uncovered a major security breach (in Facebook’s OAuth authentication protocol for external services) that would allow hackers to take control of accounts, and when Facebook hurried to cover the breach, he discovered a second major problem in the corrected code.

“Even after they repaired the hole I managed to take over accounts through two parallel channels,” Goldshlager said. “One was by sending a link directly to a user, taking advantage of the hole and gaining access to accounts, and injecting code to masses of data that many users access.”

The worst part, Goldshlager added, was that the exploit did not require knowing the user’s password, and also bypassed Facebook’s SMS verification system. “Users would have no way of knowing that I had accessed their account. I was able to access all personal information, including private pages with statistics, content, friends lists, etc.”

Goldshlager was apparently the first to discover the breach, and it was fixed within three days of his alerting Facebook, while the second repair took several more days. Facebook did not report any “in the field” instances of the hack.

In the final analysis, said Goldshlager, the exploit, despite its complexity, proves how easy it is for someone with the requisite knowledge to stealthily steal data on social networks, without the victim even being aware that they were hacked. Facebook, indeed, owes Goldshlager a great big thank you — twice over.
