Apr. 10, 2010

Posted by in Facebook | 184 comments

Facebook Platform Vulnerability Enabled Silent Data Harvesting

A few weeks ago, I sent Facebook a demonstration of what appeared to be a previously unknown attack combining two behaviors of the Facebook Platform. The technique allowed one to create a seemingly innocent web page that would invisibly and silently steal a visitor’s private Facebook content. Facebook has now disabled the attack by modifying one of the exploited behaviors.

It’s unlikely that any real-world attacks used this particular vulnerability, and I certainly have no record of such a case. But it’s also unclear how long the problem has existed. I discovered one part of the technique, a “return_session” parameter for application authorization, while examining the behavior of the Yahoo! contact importer, which only launched a month ago. However, discussions on Facebook’s developer forum mention the parameter in the context of Facebook Connect implementations as far back as February 2009. The other main component, now modified by Facebook, may have existed since the beginning of the Platform in 2007.

In my proof-of-concept demonstration, I loaded a harmless-looking web page on a server external to Facebook. The page included code for an inline frame sized to be invisible to the user. This frame then loaded the login page for a Facebook application. If the user has already authorized an application, its login page will automatically forward to the application, and that’s exactly what I wanted to happen. I chose FarmVille for my demo, since it has a wide install base. Keep in mind that while FarmVille currently lists about 83 million monthly active users, the attack would have worked for anyone who has authorized the application, regardless of how long ago. The attack could also target multiple applications at once using multiple iframes, meaning nearly any of Facebook’s 400 million active users could have fallen prey.

The first main component of the attack was a slight modification to the login page URI. Adding a “next” parameter specifies an alternate landing page for users who have already authorized the application. Not all applications make use of this parameter, but many do. The parameter did not accept an arbitrary site, but Facebook previously allowed any URI that began with apps.facebook.com. One could therefore craft a login page URI that checked whether the user had authorized one application and then forwarded the user to a second, unrelated application hosted under the same domain.

The next part of the attack came from adding “return_session=1” to the login page URI. This parameter causes Facebook to append particular session variables for the authorized application onto the URI of the landing page – in our case, the second application given by the “next” parameter. That application merely has to read the session data from its own address, which provides enough information to execute API requests with the credentials of the already authorized application. Since an authorized application essentially operates on behalf of a user, it has access to nearly all private profile information (essentially, everything but your e-mail address and phone number) and content (photos, links, notes, etc.) that can be loaded via the API, and hence the second application had such access as well. This entire process could be fully automated without any user interaction and did not require any authorization for the second application. Also, the attack could generally be executed quickly enough to evade Facebook’s measures for detecting when its pages are loaded in frames.

To patch the attack, Facebook has restricted the “next” parameter; it now only forwards to addresses for the application specified on the login page, preventing any appended session data from reaching the wrong destination. Since an authorized application already has API access, using return_session with that application will not add any new privileges.
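As an added illustration of the flow described above (example code written for this edit, not Facebook’s code and not the author’s proof of concept), here is a small Node.js model of the login page’s redirect handling with the pre-fix host-prefix check and the post-fix per-application check side by side. The login page path, the canvas paths “farmville” and “evilapp”, and the session variable name `session_key` are assumptions; the page does not name Facebook’s actual session parameters, and the server-side step is only simulated.

```javascript
// Added example (not Facebook's code): a model of the "next" + "return_session=1"
// redirect flow, with the pre-fix and post-fix "next" checks side by side.
// Login page path, canvas paths and the session variable name are assumptions.
const CANVAS_HOST = "apps.facebook.com";

// Attacker side: take the login page of an app the victim has already authorized
// and point its landing page at a second app the attacker controls.
function craftLoginUri(loginPage, attackerLanding) {
  const u = new URL(loginPage);
  u.searchParams.set("next", attackerLanding);
  u.searchParams.set("return_session", "1");
  return u.toString();
}

// Pre-fix check, as the post describes it: any URI on apps.facebook.com was
// accepted, so a landing page belonging to a different application passed.
function nextAllowedPreFix(next) {
  return next.startsWith(`http://${CANVAS_HOST}/`) ||
         next.startsWith(`https://${CANVAS_HOST}/`);
}

// Post-fix check: the landing page must be an address of the application named
// on the login page, identified here by its canvas path (e.g. "farmville").
function nextAllowedPostFix(next, appCanvasPath) {
  let url;
  try { url = new URL(next); } catch { return false; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (url.hostname !== CANVAS_HOST || url.username || url.password) return false;
  // WHATWG URL parsing resolves "." and ".." segments, so a traversal such as
  // /farmville/../evilapp/ is compared by its normalized path "/evilapp/".
  const base = `/${appCanvasPath}`;
  return url.pathname === base || url.pathname.startsWith(`${base}/`);
}

// Facebook side, simulated: for an already-authorized app, validate "next" with the
// supplied check; if return_session=1 is present, append the app's session variables
// to the landing URI. Returns null when the redirect is refused.
function resolveLanding(loginUri, appCanvasPath, sessionVars, check) {
  const u = new URL(loginUri);
  const next = u.searchParams.get("next");
  if (next === null || !check(next, appCanvasPath)) return null;
  const landing = new URL(next);
  if (u.searchParams.get("return_session") === "1") {
    for (const [k, v] of Object.entries(sessionVars)) landing.searchParams.set(k, v);
  }
  return landing.toString();
}

// Second app: read whatever arrived in its own address.
function landingQuery(uri) {
  return Object.fromEntries(new URL(uri).searchParams.entries());
}

// End-to-end run with constructed values.
function demo() {
  const loginPage = "https://apps.facebook.com/farmville/login";   // assumed path
  const crafted = craftLoginUri(loginPage, "https://apps.facebook.com/evilapp/");
  const session = { session_key: "abc123" };                        // assumed name
  return {
    preFix: resolveLanding(crafted, "farmville", session, nextAllowedPreFix),
    postFix: resolveLanding(crafted, "farmville", session, nextAllowedPostFix),
  };
}
```

The pre-fix check was not an open redirect in the usual sense; external hosts and lookalike domains were already refused. The gap was that apps.facebook.com hosts many mutually untrusted tenants, so “same host” did not mean “same application”, and the appended session data could land on another tenant’s page. Binding the target to the application identified on the login page closes that, and comparing normalized paths keeps a `..` segment from sliding into a neighbouring canvas path.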

I commend Facebook for responding quickly to this issue and for being open to white-hat security reports. But in my opinion, this vulnerability is simply the latest reminder that the Facebook Platform can open users to many problems quite separate from the security of Facebook itself. I personally think that aspects of the Platform’s implementation fail to match user expectations of privacy, as I’ve discussed previously. And while this particular problem may be solved, vulnerabilities in specific applications and the nature of application access continue to put private data at risk of unwanted disclosure.

  1. be easy for spammers to gain access and feed and spam my social network. Or how about this gem I harvest

  4. Superb blog post, I have book marked this internet site so ideally I’ll see much more on this subject in the foreseeable future!

  6. Thanks for the great sharing with us, I will tell more of my friends about it.

  8. I prefer this very much. It is very helpful.

  11. I really pity the men, but I guess there are just times when this kind of thing happens.

  12. Hey, I had been searching on this topic for a long while but I was not able to find great resources like that. Now I feel very confident with your tips about that; I think you have chosen a great way to write some info on this topic.

  13. Great article. Thank you for sharing

  19. my feed and spam my social network. Or how about …

  21. Thanks for the tips…!
    But I agree with mohit, it is so hard to get any comments on my post.

  23. This is really great information…. Amazing post. Thanks for the share…

  24. I would like to appreciate the great work done by you. Please continue posting like this.

  25. I found lots of interesting information here. The post was professionally written and I feel like the author has extensive knowledge in the subject. Keep it that way.

  27. I just want to say I love your article. This information is useful to me and you made it interesting to read. Great job!

  28. Such informative things are provided here. I am really happy to read this post; I was just wondering about it and you provided me the correct information. I have bookmarked it for further reading, so thanks for sharing the information.
