Apr. 10, 2010

Posted in Facebook | 183 comments

Facebook Platform Vulnerability Enabled Silent Data Harvesting

A few weeks ago, I sent Facebook a demonstration of what appeared to be a previously unknown attack combining two behaviors of the Facebook Platform. The technique allowed one to create a seemingly innocent web page that would invisibly and silently steal a visitor’s private Facebook content. Facebook has now disabled the attack by modifying one of the exploited behaviors.

It’s unlikely that any real-world attacks used this particular vulnerability, and I certainly have no record of such a case. But it’s also unclear how long the problem has existed. I discovered one part of the technique, a “return_session” parameter for application authorization, while examining the behavior of the Yahoo! contact importer, which only launched a month ago. However, discussions on Facebook’s developer forum mention the parameter in the context of Facebook Connect implementations as far back as February 2009. The other main component, now modified by Facebook, may have existed since the beginning of the Platform in 2007.

In my proof-of-concept demonstration, I loaded a harmless-looking web page on a server external to Facebook. The page included an inline frame sized to be invisible to the user. This frame then loaded the login page for a Facebook application. If the user has already authorized that application, its login page automatically forwards to the application without prompting, and that is exactly what I wanted to happen. I chose FarmVille for my demo, since it has a wide install base. Keep in mind that while FarmVille currently lists about 83 million monthly active users, the attack would have worked against anyone who had ever authorized the application, regardless of how long ago. The attack could also target multiple applications at once using multiple iframes, meaning nearly any of Facebook’s 400 million active users could have fallen prey.

The first main component of the attack involved a slight modification to the login page URI. By adding a “next” parameter, one can specify an alternate landing page for authorized users. Not all applications take advantage of this parameter, but many do. The parameter would not work for an arbitrary site, but Facebook previously allowed any URI that began with apps.facebook.com. In other words, the check was a prefix match on the canvas host, not a check that the landing page belonged to the application whose authorization was being tested. Thus one could craft a login page URI that checked whether the user had authorized one application and then forwarded the user to a second, unrelated application on the same host.

The next part of the attack came from adding “return_session=1” to the login page URI. This parameter causes Facebook to append the session variables for the authorized application onto the URI of the landing page, in our case the second application given by the “next” parameter. That application merely has to read the session data out of its own address, which provides enough information to execute API requests using the credentials of the already authorized application. Since an authorized application essentially operates on behalf of a user, it has access to nearly all private profile information (essentially everything but your e-mail address and phone number) and content (photos, links, notes, etc.) that can be loaded via the API, and hence the second application had that access as well. The entire process could be fully automated without any user interaction and did not require any authorization for the second application. Also, the attack could generally be executed quickly enough to finish before Facebook’s frame-busting measures, which detect when its pages are loaded in frames, could take effect.

To patch the attack, Facebook has restricted the “next” parameter; it now only forwards to addresses belonging to the application specified on the login page, so any appended session data can reach only the application it was issued for. Since an authorized application already has API access, using return_session with that application adds no new privileges.
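To make the chain and the fix concrete, here is an added Python model of the steps described above. It is not code from the original post and not Facebook’s code. It assumes a login endpoint path, an api_key parameter and the shape of the appended session data (a JSON session query parameter with session_key, uid and secret fields); only the next and return_session parameters and the apps.facebook.com prefix rule come from the post. It also goes slightly beyond the post by showing two ways a naive “same application” check could be fooled (a ../ path segment and a userinfo-style host) and how the hardened check handles them.

```python
import json
import posixpath
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

APPS_HOST = "apps.facebook.com"
LOGIN_URL = "http://www.facebook.com/login.php"   # assumed login endpoint path
VICTIM_CANVAS = "farmville"                       # app the victim already authorized
VICTIM_API_KEY = "0123456789abcdef"               # constructed, not a real key
ATTACKER_CANVAS = "evilapp"                       # hypothetical second application
# Constructed session data; the real field set is an assumption, not from the post.
SAMPLE_SESSION = {"session_key": "2.constructed", "uid": 1234567, "secret": "constructed"}


def craft_login_uri(login_url, victim_api_key, attacker_canvas):
    """Attacker side: the URI the hidden iframe loads. `next` points at the
    attacker's own canvas app and `return_session=1` asks for the session."""
    next_url = f"http://{APPS_HOST}/{attacker_canvas}/"
    query = urlencode({"api_key": victim_api_key,
                       "next": next_url,
                       "return_session": "1"})
    return f"{login_url}?{query}"


def next_allowed_prefix_only(next_url, app_canvas):
    """Pre-fix policy as the post describes it: any apps.facebook.com URI passes."""
    return next_url.startswith(f"http://{APPS_HOST}/")


def next_allowed_same_app(next_url, app_canvas):
    """Post-fix policy: only addresses of the login page's own application pass.
    The host is taken from the parsed hostname (so user@host tricks fail) and the
    path is normalised (so farmville/../evilapp resolves to evilapp and fails)."""
    parts = urlsplit(next_url)
    if parts.scheme not in ("http", "https") or parts.hostname != APPS_HOST:
        return False
    segments = [s for s in posixpath.normpath(parts.path).split("/") if s]
    return bool(segments) and segments[0] == app_canvas


def simulate_login_redirect(login_uri, app_canvas, session, allow_next):
    """Model of Facebook's forward for an already-authorized app: honour `next`
    if the policy allows it, otherwise fall back to the app's own canvas, and
    append the session data when return_session=1 was requested."""
    q = parse_qs(urlsplit(login_uri).query)
    requested = q.get("next", [""])[0]
    own_canvas = f"http://{APPS_HOST}/{app_canvas}/"
    target = requested if requested and allow_next(requested, app_canvas) else own_canvas
    if q.get("return_session", ["0"])[0] != "1":
        return target
    parts = urlsplit(target)
    extra = urlencode({"session": json.dumps(session)})
    query = f"{parts.query}&{extra}" if parts.query else extra
    return urlunsplit(parts._replace(query=query))


def harvest_session(landing_url):
    """Second application's side: read the session Facebook appended to its address."""
    raw = parse_qs(urlsplit(landing_url).query).get("session", [None])[0]
    return json.loads(raw) if raw else None


def run_attack(allow_next):
    """Drive the chain end to end under one `next` policy. Returns the landing
    URL and whatever session the attacker's app could read (None when the
    redirect never reached that app)."""
    login_uri = craft_login_uri(LOGIN_URL, VICTIM_API_KEY, ATTACKER_CANVAS)
    landing = simulate_login_redirect(login_uri, VICTIM_CANVAS, SAMPLE_SESSION, allow_next)
    if urlsplit(landing).path.split("/")[1] != ATTACKER_CANVAS:
        return landing, None   # request went to FarmVille; the attacker sees nothing
    return landing, harvest_session(landing)


if __name__ == "__main__":
    for name, policy in (("pre-fix", next_allowed_prefix_only),
                         ("post-fix", next_allowed_same_app)):
        landing, stolen = run_attack(policy)
        print(f"{name}: landed on {landing}\n  attacker obtained: {stolen}")
```

Under the pre-fix policy the session lands on the attacker’s canvas and harvest_session returns it; under the post-fix policy the same request is forwarded to FarmVille’s own canvas, so the appended data never leaves the application it belongs to. The point of normalising the path and using the parsed hostname in next_allowed_same_app is that a same-application rule implemented as a string prefix would reintroduce the original weakness through path traversal or host confusion.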

I commend Facebook for responding quickly to this issue and for being open to white-hat security reports. But in my opinion, this vulnerability is simply the latest reminder that the Facebook Platform can open users to many problems quite separate from the security of Facebook itself. I personally think that aspects of the Platform’s implementation fail to match user expectations of privacy, as I’ve discussed previously. And while this particular problem may be solved, vulnerabilities in specific applications and the nature of application access continue to put private data at risk of unwanted disclosure.

  1. Thanks for sharing this info! I was reading something similar to this on another site, but this looks better, in fact.

  2. It’s rather easy for spammers to gain access to my feed and spam my social network. Or how about …

  3. Wow! I really loved reading your blog. It was very well written and simple to understand, unlike other blogs I have read.

  4. Well, this blog is great; I love reading your articles.

  5. This really answered my problem, thank you!… I think happiness should be shared with everyone. I adore your site very much.

  6. Well, I will share with my friends about this. Thanks.

  9. I like the style of your writing.

  13. This is a great one. Nice article, thanks for sharing it with us… I learned a lot from your words. Thanks for the post. Sir, thanks for sharing.

  14. Great post, thank you very much for your post.

  20. Wow … I missed this news. Facebook is a social network that many people use. We can use it for many things, ranging from chat and messaging to office purposes. By the way, thank you for giving many tips on Facebook in this post.

  24. Nice information, valuable and excellent design. You share good stuff with good ideas and concepts, lots of great information and inspiration, both of which we all need. Thanks for all the enthusiasm in offering such helpful information here.

  27. We just couldn’t leave your website before telling you that I really enjoyed the quality information you offer to your visitors… Will be back soon to check up on new posts.

  29. Thanks so much for sharing your wealth of information.

  32. Awesome pictures and interesting, attractive information. This blog is really rocking.

  36. We have been reading the articles on your website and are very impressed with the quality of your information. Perhaps this is one of the best posts that I have ever seen. Interesting post, keep it up!

  37. The post is worth reading; I like it very much, and the info you shared in this post is very useful. Thanks for sharing a wonderful post.

  44. Great topic; I’ll keep looking through it.

  46. It’s good to see this information in your post. I was looking for the same thing, but there wasn’t any proper resource; now I have the link I was looking for for my research.