Apr. 10, 2010

Posted by theharmonyguy in Facebook | 13 comments

Facebook Platform Vulnerability Enabled Silent Data Harvesting

A few weeks ago, I sent Facebook a demonstration of what appeared to be a previously unknown attack combining two behaviors of the Facebook Platform. The technique allowed one to create a seemingly innocent web page that would invisibly and silently steal a visitor’s private Facebook content. Facebook has now disabled the attack by modifying one of the exploited behaviors.

It’s unlikely that any real-world attacks used this particular vulnerability, and I certainly have no record of such a case. But it’s also unclear how long the problem has existed. I discovered one part of the technique, a “return_session” parameter for application authorization, while examining the behavior of the Yahoo! contact importer, which only launched a month ago. However, discussions on Facebook’s developer forum mention the parameter in the context of Facebook Connect implementations as far back as February 2009. The other main component, now modified by Facebook, may have existed since the beginning of the Platform in 2007.

In my proof-of-concept demonstration, I loaded a harmless-looking web page on a server external to Facebook. The page included code for an inline frame sized to be invisible to the user. This frame then loaded the login page for a Facebook application. If the user has already authorized an application, its login page will automatically forward to the application, and that’s exactly what I wanted to happen. I chose FarmVille for my demo, since it has a wide install base. Keep in mind that while FarmVille currently lists about 83 million monthly active users, the attack would have worked for anyone who has authorized the application, regardless of how long ago. The attack could also target multiple applications at once using multiple iframes, meaning nearly any of Facebook’s 400 million active users could have fallen prey.

The first main component of the attack was a slight modification to the login page URI. By adding a “next” parameter, one can specify an alternate landing page for authorized users. Not all applications take advantage of this parameter, but many do. The parameter would not work for an arbitrary site, but Facebook previously did allow any URI that began with apps.facebook.com. Thus one could craft a login page URI that checked whether the user had authorized one application and then forwarded the user to a second application.

The next part of the attack came from adding “return_session=1” to the login page URI. This parameter causes Facebook to append particular session variables for the authorized application onto the URI of the landing page – in our case, the second application given by the “next” parameter. That application merely has to check its address for the session data, which provides enough information to execute API requests using the credentials of the already authorized application. Since an authorized application essentially operates on behalf of a user, it has access to nearly all private profile information (essentially, everything but your e-mail address and phone number) and content (photos, links, notes, etc.) that can be loaded via the API, and hence the second application had such access as well. This entire process could be fully automated without any user interaction and did not require any authorization for the second application. Also, the attack could generally be executed quickly enough to avoid Facebook’s measures for detecting when its pages are loaded in frames.

To patch the attack, Facebook has restricted the “next” parameter; it now only forwards to addresses for the application specified on the login page, preventing any appended session data from reaching the wrong destination. Since an authorized application already has API access, using return_session with that application will not add any new privileges.
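The two validation policies described above, the old check (any URI on apps.facebook.com) and the fix (only landing pages belonging to the application named on the login page), modelled in Python as an added example. This is not Facebook’s code; the canvas host name, the URL shapes and the application names are assumptions drawn from the post, and the second application’s name is a constructed placeholder.

```python
# Added example, not Facebook's code: models the two "next" validation policies
# the post describes and shows why a bare host-prefix check is not enough.
import posixpath
from urllib.parse import urlsplit, unquote

CANVAS_HOST = "apps.facebook.com"  # assumed canvas host, taken from the post


def _normalize(next_url):
    """Parse a landing URL into (host, canonical path), or None if unusable."""
    parts = urlsplit(next_url)
    if parts.scheme not in ("http", "https"):
        return None  # javascript:, data:, or scheme-less values are rejected
    host = (parts.hostname or "").lower()  # hostname drops user@ and :port
    # Decode percent-encoding and collapse '.'/'..' segments so that
    # /farmville/../other cannot escape the application's own path.
    path = posixpath.normpath("/" + unquote(parts.path).lstrip("/"))
    return host, path


def next_allowed_prefix(next_url):
    """Pre-fix policy from the post: any URI on apps.facebook.com is accepted,
    so a login page for one app could land (with session data) on another."""
    norm = _normalize(next_url)
    return norm is not None and norm[0] == CANVAS_HOST


def next_allowed_for_app(next_url, app_name):
    """Post-fix policy: only landing pages under the app named on the login
    page (app_name as registered, e.g. "farmville") are accepted."""
    norm = _normalize(next_url)
    if norm is None or norm[0] != CANVAS_HOST:
        return False
    host, path = norm
    app_root = "/" + app_name.strip("/")
    return path == app_root or path.startswith(app_root + "/")


if __name__ == "__main__":
    # "harvester" is a constructed name for the second, attacker-chosen app.
    leak = "http://apps.facebook.com/harvester/"
    print("old policy accepts cross-app landing:", next_allowed_prefix(leak))
    print("new policy accepts it:", next_allowed_for_app(leak, "farmville"))
```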

I commend Facebook for responding quickly to this issue and for being open to white-hat security reports. But in my opinion, this vulnerability is simply the latest reminder that the Facebook Platform can open users to many problems quite separate from the security of Facebook itself. I personally think that aspects of the Platform’s implementation fail to match user expectations of privacy, as I’ve discussed previously. And while this particular problem may be solved, vulnerabilities in specific applications and the nature of application access continue to put private data at risk of unwanted disclosure.

  1. detail; the user would also have to allow the application (farmville in this case) to access user details (http://wiki.developers.facebook.com/index.php/Extended_permissions). So no, not all data would be available, only what was available to the hijacked app!

    On the other end, this is why OAuth and other ‘verification’ systems use request signing to remove request tampering, something Facebook is not doing.

    Y

  2. @Yvo: Extended permissions would be required to access a user’s news feed or inbox, but when I said “content” I was thinking of photos, videos, links, notes, event RSVPs, etc. Those and profile information are all accessible without any extended permissions. I’ve edited the wording slightly (“nearly all” and “profile information”) to clarify.

  3. There is no such thing as safe application. Every app can be hacked.

  4. Really cool!
    One typo – on’c'e can specify an alternate landing page for authorized users

  5. @lava: Good catch, thanks – fixed now.

  6. thanks theharmonyguy.
    found out about this blog through bbc click :)

  7. Me Too. Kate Russell rocks, Mayoress of the Internet!

  8. Saroj Gurung says:

    Found this link in BBC’s Click programme when watching it online. This website is brilliant to get updated info on the cyberworld. I will visit this page again as I’ve bookmarked this website.

  9. Facebook exploits the gaps in people’s knowledge of the internet and internet marketing. This article goes a long way to rectify that. However, in my humble opinion, once a company has a significantly high stock value, laws no longer apply. Google do as they please, Facebook is just the same.

    We are just statistics, demographics and targeted advertising receivers to these companies.

    Thank you for writing this piece, I’m really glad it was tweeted my way.

  10. Very good information. I would like to add that facebook will become even more vulnerable to security issues in the future.

  11. Hi,

    I am really glad to see this article. Currently I am working on this for mobile for silent log-in. Could you please share that code for this implementation to my mail id so that I’ll get some logic to get it done ….

    Awaiting your response soon ………

    Thanks in advance
    Bikash mohanty
    bikas.mohanty@gmail.com

  12. Very good information. My friend said to me that you can tell who is looking at your page. Is that true? I know they have an app called “See who is looking at your profile page.” But isn’t that a bunch of b.s., or is it accurate?

  13. Ginger: There is no legitimate way to know who views your profile. I know of one app a while back that exploited a vulnerability to provide such functionality, but it was kept pretty secret because Facebook patches such holes as soon as they’re found (as they did once the app came to light). Of all the other apps and pages I’ve seen promising to let you see who views your profile, 100% have been completely bogus. It’s a common scam technique.
