FAQs on FAXX and the “Month of Facebook Bugs”

Isn’t this a just month of Facebook Application Bugs? Not exactly. While each of the vulnerabilities occur in Facebook applications, a hacker can exploit each one in powerful ways and gain access to many Facebook features. Also, such attacks are made possible by the very structure of the Facebook Platform – the fact that any of these application holes allows the same type of attack demonstrates that the problem goes beyond specific applications.

As long as the Platform remains in its current configuration, application-based attacks (FAXX = Facebook Application XSS/XSRF) will continue to be possible. I can ensure that 30 popular applications are patched, but if a 31st remains open, users are still vulnerable. If Facebook allows third-party applications to operate on their service, they cannot simply relegate security and privacy responsibilities to application developers.

These are all just XSS holes. What sort of attacks are possible with them? Each XSS hole lets an attacker hijack the session credentials of the current user, provided they’re logged into the application.  With those credentials, one can execute any Facebook API request that the application can make during the user’s session.

By default, this includes accessing a user’s full profile information, accessing the profile information of friends, accessing photos of a user or their friends, sending notifications to friends (with links), and posting feed stories on a user’s wall (with links). Notifications and feed stories would appear to come from the hijacked application. Some applications have extended permissions which can be exploited, such as updating a user’s status or publishing to their stream.

Finally, many applications allow for clickjacking installs, which means that users who have not already authorized the application (or who have exempted from the Platform altogether) are still vulnerable to an attack. I plan on releasing full source code demonstrating these attack vectors once the series comes to a close.

But the applications you do publish will be secure once they’re patched, right? Each time I evaluate an application, my goal is simply to find a hole. Once I’ve found one, I report it and move on to another application. Every application listed here could easily have other vulnerabilities that I have not yet found.

Will this really last an entire month? When I began this project, I had six holes ready to post.  Since starting the series two days ago, I’ve added two more to my list. I started by focusing on the most popular applications, meaning hundreds if not thousands have yet to be tested. Based on my experiences so far, I’m fairly confident that I will find 30 vulnerabilities by the time September finishes.