A bug in Facebook's Web site lets hackers delete Facebook friends without permission.

The flaw was reported Wednesday by Steven Abbagnaro, a student at Marist College in Poughkeepsie, New York. But as of Friday morning, Pacific time, it had still not been patched, based on tests conducted by the IDG News Service on a reporter's Facebook friends list.

A malicious hacker could combine an exploit for this bug with spam or even a self-copying worm code to wreak havoc on the social network, Abbagnaro said in an interview.

He's written proof-of-concept code that scrapes publicly available data from users' Facebook pages and then, one by one, deletes all of their friends. For the attack to work, however, the victim would first have to be tricked into clicking on a malicious link while logged into Facebook. "The next thing you know, you have no friends," Abbagnaro said.

Full story: Computerworld