Jul. 16, 2008

Social Me Still Too Social

Social Me is another Facebook application that was recently banned, then more recently reinstated.  I’m not sure exactly why they were banned to start with, but they ought to know their application still has a gaping security hole.  I hadn’t experimented with Social Me much before, but when I saw they were back online I thought I would check for any remaining issues.

I noticed some suspicious aspects in the application’s code fairly quickly, and after an hour or two of tinkering, I successfully found a way to send messages on behalf of any user.  I am able to send a message to anyone and make it appear to be from anyone else.  This also includes sending flirts, slaps, “interested in you” notes, etc. – pretty much any of the means of communication Social Me offers.  (The trick also makes it quite easy to drive up one’s “score.”)

The “hack” involved is unbelievably simple, because the AJAX interface for Social Me is totally unsecured.  And it’s not even a POST request – I just enter a certain URL in my browser with a few query strings modified accordingly.  The server does nothing to validate who is making the request.  It reminds me of my original Emote hack.

Proof offered on demand – send me your Facebook ID, the Facebook ID of someone you can check with, and a test message.  And developers, take heed – basic coding practices can prevent this kind of problem.

Update (July 17): Well that was quick.  After a commenter requested a demonstration message, I found the hack had stopped working.  Checking the code for Social Me I discovered that the developers have now added an MD5 hash to their AJAX requests as a means of authentication.  Kudos to them for patching the hole so quickly.
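The flaw described above, next to one way to close it, as an added example that is not Social Me's code or code from the original post. The handler names, parameter names and secret are constructed for illustration, and it uses an HMAC-SHA256 token rather than the MD5 hash mentioned in the update, since the post does not say how that hash is computed.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # constructed value; never leaves the server

def _sig(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_token(user_id, ttl=900, now=None):
    """Handed to the browser after login; binds later requests to this user."""
    expires = int((time.time() if now is None else now) + ttl)
    payload = f"{user_id}.{expires}"
    return f"{payload}.{_sig(payload)}"

def verified_user(token, now=None):
    """Return the user id the token proves, or None if forged, malformed or expired."""
    try:
        user_id, expires, sig = token.split(".")
        expiry = int(expires)
    except ValueError:
        return None
    expected = _sig(f"{user_id}.{expires}")
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    if (time.time() if now is None else now) > expiry:
        return None
    return user_id

def send_message_unsafe(method, params):
    # The pattern from the post: any request is accepted and "from" is believed.
    return {"ok": True, "from": params["from"], "to": params["to"], "msg": params["msg"]}

def send_message_checked(method, params, now=None):
    if method != "POST":  # state-changing actions should not ride on a plain URL
        return {"ok": False, "error": "POST required"}
    sender = verified_user(params.get("token", ""), now)
    if sender is None:
        return {"ok": False, "error": "not authenticated"}
    # The sender comes from the verified token; a client-supplied "from" is ignored.
    return {"ok": True, "from": sender, "to": params["to"], "msg": params["msg"]}
```

The token only proves who is asking; a real handler would still need to check that the sender is allowed to message the recipient.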

  1. I didn’t find an e-mail address on your site to contact you, so I guess I’ll just leave a comment here. Recently Facebook removed the ability to see what friends are currently online (without appearing online yourself, using Facebook Chat). With the new profile beta, I found that the functionality is still there, just hidden. If you click on “Friends” at the top of your profile redesign page (new.facebook.com), you can replace a string in the url with “online”. You end up with this url: “http://www.new.facebook.com/friends/?view=online”.

    Not really a vulnerability or anything, just thought it would interest you.

  2. Have you contacted SocialMe or Facebook about this? Seems like something they would care about.

    Also I tried doing this but couldn’t figure it out (wanted to make sure my apps aren’t susceptible to this).

    Could you demonstrate on these two accounts:
    1017467310, 835962318 (you can do whatever message you want)

  3. Nice job of finding that, and good on them for fixing it.

    Formal invitation: if you find the time and inclination to poke at an app that’s still in the construction phase, I’d love to have some outside eyes take a look at CommYou, the conversation system I’m building.

    That’s not even at alpha yet, but I’d rather find and fix the security holes *before* I have thousands of people using the thing. I know it’s not perfect yet — it’s subject to a man-in-the-middle attack during login, which is going to be a pain in the ass to fix — but I believe it’s pretty good otherwise. I’d be interested to see if you notice other holes in the security…
