Posted by theharmonyguy in Facebook | 191 comments
Facebook Platform Vulnerability Enabled Silent Data Harvesting
A few weeks ago, I sent Facebook a demonstration of what appeared to be a previously unknown attack combining two behaviors of the Facebook Platform. The technique allowed one to create a seemingly innocent web page that would invisibly and silently steal a visitor’s private Facebook content. Facebook has now disabled the attack by modifying one of the exploited behaviors.
It’s unlikely that any real-world attacks used this particular vulnerability, and I certainly have no record of such a case. But it’s also unclear how long the problem has existed. I discovered one part of the technique, a “return_session” parameter for application authorization, while examining the behavior of the Yahoo! contact importer, which only launched a month ago. However, discussions on Facebook’s developer forum mention the parameter in the context of Facebook Connect implementations as far back as February 2009. The other main component, now modified by Facebook, may have existed since the beginning of the Platform in 2007.
In my proof-of-concept demonstration, I loaded a harmless-looking web page on a server external to Facebook. The page included code for an inline frame sized to be invisible to the user. This frame then loaded the login page for a Facebook application. If the user has already authorized an application, its login page will automatically forward to the application, and that’s exactly what I wanted to happen. I chose FarmVille for my demo, since it has a wide install base. Keep in mind that while FarmVille currently lists about 83 million monthly active users, the attack would have worked for anyone who has authorized the application, regardless of how long ago. The attack could also target multiple applications at once using multiple iframes, meaning nearly any of Facebook’s 400 million active users could have fallen prey.
But the first main component of the attack involved a slight modification to the login page URI. By adding a “next” parameter, one can specify an alternate landing page for authorized users. Not all applications take advantage of this parameter, but many do. The parameter would not work for an arbitrary site, but Facebook previously did allow any URI that began with apps.facebook.com. Thus one could craft a login page URI that checked whether the user had authorized one application and then forward the user to a second application.
The next part of the attack came from adding “return_session=1” to the login page URI. This parameter causes Facebook to append particular session variables for the authorized application onto the URI of the landing page – in our case, the second application given by the “next” parameter. That application merely has to check its address for the session data, which provides enough information to execute API requests using the credentials of the already authorized application. Since an authorized application essentially operates on behalf of a user, it has access to nearly all private profile information (essentially, everything but your e-mail address and phone number) and content (photos, links, notes, etc.) that can be loaded via the API, and hence the second application had such access as well. This entire process could be fully automated without any user interaction and did not require any authorization for the second application. Also, the attack could generally be executed quickly enough to avoid Facebook’s measures for detecting when their pages are loaded in frames.
To patch the attack, Facebook has restricted the “next” parameter; it now only forwards to addresses for the application specified on the login page, preventing any appended session data from reaching the wrong destination. Since an authorized application already has API access, using return_session with that application will not add any new privileges.
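As an added illustration (not code from the post or from Facebook), the following models the redirect check before and after the fix: the old rule accepts any apps.facebook.com URI, so the session data appended by return_session=1 can land on a second application, while the fixed rule only forwards to pages of the application named on the login page. The login endpoint, the canvas names and the session values are hypothetical or constructed.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

PLATFORM_HOST = "apps.facebook.com"
LOGIN_ENDPOINT = "http://www.facebook.com/login.php"  # hypothetical endpoint
SESSION = {"session_key": "CONSTRUCTED-KEY", "uid": "100000000000000"}  # constructed


def build_login_uri(next_url, return_session=True):
    """Login URI for an application, carrying the two parameters the post combines."""
    query = {"next": next_url}
    if return_session:
        query["return_session"] = "1"
    return LOGIN_ENDPOINT + "?" + urlencode(query)


def next_allowed_old(next_url, app_canvas):
    """Pre-fix rule as the post describes it: any apps.facebook.com URI passes,
    whichever application the path belongs to (app_canvas is ignored)."""
    parts = urlsplit(next_url)
    return parts.scheme in ("http", "https") and parts.netloc == PLATFORM_HOST


def next_allowed_fixed(next_url, app_canvas):
    """Post-fix rule: the target must belong to the application named on the
    login page.  Match on a slash-terminated prefix so that /farmville does
    not also admit /farmville2."""
    parts = urlsplit(next_url)
    if parts.scheme not in ("http", "https") or parts.netloc != PLATFORM_HOST:
        return False
    canvas = "/" + app_canvas.strip("/")
    return parts.path == canvas or parts.path.startswith(canvas + "/")


def landing_url(login_uri, app_canvas, policy=next_allowed_fixed):
    """Where an already-authorized user is forwarded, with the session data that
    return_session=1 appends.  A rejected target falls back to the app's own canvas."""
    query = parse_qs(urlsplit(login_uri).query)
    target = query.get("next", [""])[0]
    if not policy(target, app_canvas):
        target = f"http://{PLATFORM_HOST}/{app_canvas.strip('/')}/"
    if query.get("return_session", [""])[0] == "1":
        parts = urlsplit(target)
        extra = urlencode(SESSION)
        joined = f"{parts.query}&{extra}" if parts.query else extra
        target = urlunsplit(parts._replace(query=joined))
    return target


def session_reaches_other_app(login_uri, app_canvas, policy):
    """Check used for the comparison: does session data land outside the authorized app?"""
    final = urlsplit(landing_url(login_uri, app_canvas, policy))
    bare = urlunsplit(final._replace(query=""))
    return "session_key" in parse_qs(final.query) and not next_allowed_fixed(bare, app_canvas)
```

Under the fixed rule the appended session data can only reach the application that was already authorized, which is why return_session adds no new privileges there.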
I commend Facebook for responding quickly to this issue and for being open to white-hat security reports. But in my opinion, this vulnerability is simply the latest reminder that the Facebook Platform can open users to many problems quite separate from the security of Facebook itself. I personally think that aspects of the Platform’s implementation fail to match user expectations of privacy, as I’ve discussed previously. And while this particular problem may be solved, vulnerabilities in specific applications and the nature of application access continue to put private data at risk of unwanted disclosure.
detail; the user would also have to allow the application (farmville in this case) to access user details (http://wiki.developers.facebook.com/index.php/Extended_permissions). So no, not all data would be available only what was available to the hijacked app!
On the other end, this is why OAuth and other ‘verification’ systems use request signing to remove request tampering, something Facebook is not doing.
Y
@Yvo: Extended permissions would be required to access a user’s news feed or inbox, but when I said “content” I was thinking of photos, videos, links, notes, event RSVPs, etc. Those and profile information are all accessible without any extended permissions. I’ve edited the wording slightly (“nearly all” and “profile information”) to clarify.
There is no such thing as safe application. Every app can be hacked.
Really cool!
One typo – on’c'e can specify an alternate landing page for authorized users
@lava: Good catch, thanks – fixed now.
thanks theharmonyguy.
found out about this blog through bbc click :)
Me Too. Kate Russell rocks, Mayoress of the Internet!
Found this link in BBC’s Click programme when watching it online. This website is brilliant to get updated info in the cyberworld. I will visit this page again as I’ve bookmarked this website.
Facebook exploits the gaps in people’s knowledge of the internet and internet marketing. This article goes a long way to rectify that. However, in my humble opinion, once a company has a significantly high stock value, laws no longer apply. Google do as they please, Facebook is just the same.
We are just statistics, demographics and targeted advertising receivers to these companies.
Thank you for writing this piece, I’m really glad it was tweeted my way.
Very good information. I would like to add that facebook will become even more vulnerable to security issues in the future.
Hi,
I am really glad to see this article. Currently I am working on this for mobile for silent log-in; could you please share that code for this implementation to my mail ID so that I’ll get some logic to get it done ….
Awaiting your response soon ………
Thanks in advance
Bikash mohanty
bikas.mohanty@gmail.com
Very good information. My friend said to me that you can tell who is looking at your page. Is that true? I know they have a app called “See who is looking at your profile page.” But isn’t that a bunch of b.s. or accurate?
Ginger: There is no legitimate way to know who views your profile. I know of one app a while back that exploited a vulnerability to provide such functionality, but it was kept pretty secret because Facebook patches such holes as soon as they’re found (as they did once the app came to light). Of all the other apps and pages I’ve seen promising to let you see who views your profile, 100% have been completely bogus. It’s a common scam technique.
Very informative. It really bums me out that Facebook and their CEO pull such drastic “wool-pulling” on end users and people who don’t understand or use Facebook very often. I had been so thankful when Facebook first came out. I have gotten back in touch with more people than any class reunion. I completely understand how these things could happen. There are the developers at the top of the food chain and there are grunts like the rest of us just trying to master the skills needed to run the program. It’s rather wacky to test yourself on the several early versions of Facebook to try and pinpoint an issue. I’d like to hear more stories about end users recovering from the dilemma.
Best Wishes and Best Regards,
-Chuck
Thanks, very nice article and idea.
Facebook has made it a heck of a lot easier to collect information on individuals. This wealth of data will launch us into an age of personal recommendations and individualization. The attractiveness of this may divert attention away from the dangers.
I really don’t know about it.
I was honored to obtain a call from my friend as he identified the important suggestions shared on the site. Reading through your blog posting is a real fantastic experience. Thank you for thinking of readers at all like me, and I wish you the best of achievements as being a professional in this topic.
What would keep something like this from popping up again?
I have had more trouble with FB than any other site. Great to see you helping them, but can they ever be safe when they’re such a big target?
I, for my friends in the class, wish to express our own thanks for the truly stunning secrets revealed through your article. The clear explanation helped bring comfort and hope to all of us and would probably really help us in a research we are at the moment doing. I think if continue to come across web pages like yours, my stay in college could well be an easy one. Thanks
There are always going to be dangers like this with networks that are using user generated content. It’s a fact of life. Don’t put it out there if you don’t want it to ever be found.
Thank you for the great informations,the site is very nice and very useful to the user,the work is 10 out of 10!
This was good news to me and also to the user of this most popular Social Networking site “Facebook”. Thank you for the update that you share us for now in here this site.
Thanks for this article
I genuinely enjoy reading on this web site, it has got fantastic posts.
I like this web site it’s a ! Glad I discovered this on google.
I closed my facebook account a long time ago. This is just maddness.
There are tons of attacks on Facebook. I’m starting to hate it.
its really nice thanks for share.
Great Article thank you so much
Well, I think I will do it. But facebook will be attacked later.
Yes, all the above all post are informative and provide great information so thanks to share it
I am happy to find this post very useful for me, as it contains lot of information. I always prefer to read the
quality content and this thing I found in you post. Thanks for sharing
Nice work on putting together a very interesting post.
Great article, thanks for sharing
I like your website. Thank you for great information. I will come back to your website again.
best regards
Thanks for this wonderful post.Admiring the time and effort you put into your blog and detailed information you offer.
Thanks for the well-thought article. I’m in fact at work right now! So I ought to go off with out examining all I’d like. But, I place your blog site on my RSS feed to ensure that I can go through a lot more….
I really like the way you show to us, very wonderful and powerful about your article, and good to read it, please keeping it doing.
Very interesting many thanks, I presume your readers would likely want more reviews along these lines continue the great effort.