Facebook has confirmed that it too has been the victim of a “sophisticated attack”, citing a vulnerability in Java. This comes a few weeks after Twitter confirmed that it had also been attacked (with over 250,000 usernames and passwords stolen) and hinted that the same Java vulnerability had been used.
The social network said it discovered the attack last month after finding that a mobile developer’s website had been compromised and was being used to install malware on machines that were fully patched and running up-to-date antivirus protection.
“After analyzing the compromised website where the attack originated, we found it was using a ‘zero-day’ (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware. We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability,” they wrote in a blog post.
Facebook also stresses that it has found no evidence that user data was compromised.
This is another black eye for Oracle, which is responsible for the development of Java. Attackers have exploited several Java security holes in the past few years to steal information and spread malware. As with Windows, Java is targeted for zero-day exploits because it is so popular: it is installed on more than three billion devices and is a widely used programming language.
via NY Times