Facebook Needs to Act Now on Application Security

Readers of this blog know that many Facebook applications suffer from code vulnerabilities that hackers can exploit.  I’ve brought up numerous examples of such problems, and have described several techniques for exploiting them that put users and their data at risk.  Most recently I noted that a hacked application could issue API requests that post to a user’s feed or send notifications, enabling viral attacks.

Those familiar with the Facebook Platform know what other sorts of requests are available with extended permissions.  These include changing a user’s status, posting larger news stories automatically, creating notes, accessing a user’s news feed, and so on.  All of these present powerful means of attack if available to a hacker – but as noted, all require extended permissions that most applications never request.

But today I was intrigued by a report on Inside Facebook about a new application from SocialToo.  The application allows you to post status updates which are automatically posted on your Twitter as well.  In essence, this application requires extended permissions to be useful at all.  That means if an attacker targeted SocialToo, they would nearly be guaranteed that a user had granted the application certain extended permissions.

That also means I immediately installed the application to check for any issues.  To my surprise, the application fell at my first attempt – I found it vulnerable to an extremely basic attack.  I could easily launch a Facebook virus that takes advantage of a user’s trust in SocialToo to post status updates, harvest news feed items, and otherwise wreak havoc.

I have contacted SocialToo about this particular hole and trust they will patch it soon.  But this story highlights a much larger issue.  As users increasingly trust applications and as more applications take advantage of extended permissions, more possibilities for application hijacking open up.  Facebook cannot simply continue treating application security as a “not our problem” issue.  The constant stream of code vulnerabilities in even top Facebook applications erode the image of privacy and control Facebook is trying to convey.  I know that Facebook tends to use very secure coding practices (I’ve tried to hack their code many times), but none of that matters if application developers fail to implement even the most basic security techniques.

I do not know of a surefire solution to all of this, though I have offered several solutions to specific platform problems in the past.  But I am sure of one thing: Facebook cannot afford to let powerful application hacks keep happening.

Update on SocialToo: Kudos to SocialToo for such a quick response – I received a reply to my e-mail in about a half-hour that said the hole was patched.  I did a quick check, and my attack no longer works.  The attack came through the SocialToo page for setting a vanity URL.  Entering test\"><fb:iframe src='http://google.com/'> in the page’s input box would bring up a confirmation page that included the injected iframe.  Also, the malformed code resulted in the confirmation page’s input box also being a link, meaning if a user clicked on it to edit the URL, they could be forwarded to an attack page.