Aug. 13, 2009


Your Facebook Profile is Already Public

As Facebook’s privacy settings continue to evolve, many have discussed the increased openness as users gain more options to share content publicly. All the while, though, ongoing problems with the Facebook Platform detract from the perceived level of control over privacy.

In essence, you should already think of your profile information as public. First, any application you authorize has carte blanche access to your data. You have no way to limit this access apart from avoiding authorization to start with. Second, if a friend authorizes an application, that application likely has the same amount of access to your profile via your friends’ sessions. You can limit the available data if you have not also authorized the application.

Finally, the current architecture of the Platform leaves users vulnerable to attacks that allow others to harvest profile information.  I have demonstrated such attacks before, and the more I investigate them, the more ridiculous the situation becomes.

This morning I found yet another XSS hole in a top 10 Facebook application (by monthly active users). However, this was another FBML application, and as with several other cases, I could not immediately replicate my old XSS+CSRF attack for stealing profile data. With a bit of experimenting, though, I realized another trick. Rather than trying to insert script directly, I took a slightly different approach for executing this script. This new technique ensured script execution, at the price of easy access to the session secret. Using referrers, though, I gained access to the session secret as well. This does require a user to have referrers enabled for JavaScript, but I’m fairly certain that’s the default on most browsers.

Not only did this new trick enable the attack on that particular application, it allowed me to launch the attack using another top 10 application that I already knew had an XSS hole.  Both of these applications also allow for clickjacking installs, meaning I could once again relaunch the full attack if I so desired.

Keep in mind that you need not visit an attack page for this to affect you. If you’ve not limited unauthorized applications or the attack uses an application you’ve already installed, your data is vulnerable if a friend visits an attack page.

In short, an attacker could launch pages right now (this is zero-day stuff, people) that silently harvest profile information and photos from nearly any Facebook user.  Between these hacks and the threat of rogue applications, you should regard anything you post on Facebook as public information.

  1. “Second, if a friend authorizes an application, that application likely has the same amount of access to your profile via your friends’ sessions.”

    This is your speculation. On what factual basis does your claim rest? Are you speculating that authorized apps can do this using the official API the way it was intended to be used, or are you speculating that authorized apps can do this by abusing the API and running XSS or other exploits?

  2. @chris: An application has the same amount of access if either (a) you have also installed the application, or (b) you have not specifically limited the amount of access by uninstalled applications in your Facebook privacy settings. Based on the scientific guess that most users have never changed the default privacy settings in this regard, I said that the same amount of access was likely. But since one could limit access for apps they’ve not also installed, I could not say it was true 100% of the time.

  3. Code or it never happened :)
