Facebook Needs to Act Now on Application Security

Readers of this blog know that many Facebook applications suffer from code vulnerabilities that hackers can exploit.  I’ve brought up numerous examples of such problems, and have described several techniques for exploiting them that put users and their data at risk.  Most recently I noted that a hacked application could issue API requests that post to a user’s feed or send notifications, enabling viral attacks.

Those familiar with the Facebook Platform know what other sorts of requests are available with extended permissions.  These include changing a user’s status, posting larger news stories automatically, creating notes, accessing a user’s news feed, and so on.  All of these present powerful means of attack if available to a hacker – but as noted, all require extended permissions that most applications never request.

But today I was intrigued by a report on Inside Facebook about a new application from SocialToo.  The application allows you to post status updates which are automatically posted on your Twitter as well.  In essence, this application requires extended permissions to be useful at all.  That means if an attacker targeted SocialToo, they would nearly be guaranteed that a user had granted the application certain extended permissions.

That also means I immediately installed the application to check for any issues.  To my surprise, the application fell at my first attempt – I found it vulnerable to an extremely basic attack.  I could easily launch a Facebook virus that takes advantage of a user’s trust in SocialToo to post status updates, harvest news feed items, and otherwise wreak havoc.

I have contacted SocialToo about this particular hole and trust they will patch it soon.  But this story highlights a much larger issue.  As users increasingly trust applications and as more applications take advantage of extended permissions, more possibilities for application hijacking open up.  Facebook cannot simply continue treating application security as a “not our problem” issue.  The constant stream of code vulnerabilities in even top Facebook applications erode the image of privacy and control Facebook is trying to convey.  I know that Facebook tends to use very secure coding practices (I’ve tried to hack their code many times), but none of that matters if application developers fail to implement even the most basic security techniques.

I do not know of a surefire solution to all of this, though I have offered several solutions to specific platform problems in the past.  But I am sure of one thing: Facebook cannot afford to let powerful application hacks keep happening.

Update on SocialToo: Kudos to SocialToo for such a quick response – I received a reply to my e-mail in about a half-hour that said the hole was patched.  I did a quick check, and my attack no longer works.  The attack came through the SocialToo page for setting a vanity URL.  Entering test\"><fb:iframe src='http://google.com/'> in the page’s input box would bring up a confirmation page that included the injected iframe.  Also, the malformed code resulted in the confirmation page’s input box also being a link, meaning if a user clicked on it to edit the URL, they could be forwarded to an attack page.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

How to Write a Facebook Virus

  1. Find a cross-site scripting vulnerability in a widely used Facebook application.  At least three of the top 10 applications currently have one.
  2. Craft a short link that redirects to a specially infected XSS link.  You can use a clickjacking attack to help ensure that users who don’t have the application installed still get infected.
  3. Write JavaScript code for your XSS injection that harnesses a user’s session secret and uses it to make Facebook API requests.  More information about how this works is freely available online.
  4. You’ll probably want to include code that harvests profile information (such as date of birth, interests, and educational history) from infected users and their friends, since that simply requires an FQL query.  You could also download photos if you so desire.  In order to appear inconspicuous, use the same FQL queries that advertising networks use for targeting.
  5. If you want to include a few pop-ups or malicious redirects in your code as well, feel free.  If you can do it in JavaScript, you can do it here.
  6. Finish up your code with a few API requests that post a one-line story to a user’s wall or send notifications to their friends, since both of these are also generally possible with injected code.  Include your short link in these posts.  Finally, redirect the user to an innocent page so they don’t suspect anything.
  7. Note that after a little while, someone may catch on and patch the hole in the application you’re exploiting.  But since multiple applications typically have holes (see step 1), you can easily switch your code to a new one.  Since you’re using mainstream applications, they’re not likely to be banned as quickly as suspicious-looking rogue applications, so that should buy you some time.

Fully functional demonstration code available to security researchers and media outlets upon request.

Note that this is not simply a problem with Facebook applications.  This is a problem with the Facebook Platform.  These instructions will remain valid until Facebook takes action on publicly noted issues with their current setup.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

The inconvenient truths about social media risks to your enterprise

This article (click HERE)  has some great insights that are very consistent with what I am hearing from managers and professionals in the Legal and HR fields. Social media is here to stay, and you can’t block it completely out of your organization for very long. Sooner or later, you’ll have to look at it from every possible angle, and come up with a rational strategy for managing the risks.

You really need to stop and think about the implications and risks of Social Media, as they pertain to:

  • In-house Research, Collaboration and Development
  • Marketing, Sales and Business Development
  • HR screening
  • Product support forums
  • Employees’ home use of social media

There are many subtle risks that require cross-functional attention before letting people loose.

Are you just trying to close your eyes and hope it all goes away?

Or are you working with your team to lay out some ground rules for success with Social Media?

I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn’t mean you can’t have an economical way to address human security risks. Please call or email me at the coordinates below…

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.

 

 

Site Meter

Defeating MSPLinks on MySpace

myspace_msplinksThe following post is a contribution from a researcher called “anti-social”:

A few years back MySpace implemented MSPLinks as a way to defeat spammers from posting their spam URL’s. The idea being that spammers couldn’t make money if they constantly had to buy new domains. The idea worked to a pretty good extent once MySpace finally figured out how to filter all the XSS vulnerabilites they had when sanitizing profiles.

About a year ago, MySpace added to MSPLinks a phishing warning screen to inform users that the site they were going to could possibly be malicious. This screen can be easily defeated by a simple post method with a hidden field. That’s because MSPLinks.com trusts post requests from MySpace.com.

A working example can be found at: http://www.myspace.com/socnetsec

If you click the 1st button under the “About Me” section, the phishing screen isn’t shown (IE and Safari takes you straight through to the link, Firefox pops up a warning asking if you want to post your data to MSPLinks)

If you click the 2nd button, you’ll notice that you’ll be taken to MySpace’s phishing window.

Here is the simple html code in the profile:

<form action="http://www.msplinks.com/MDFodHRwOi8vd3d3LnNvY2lhbG1lZGlhc2VjdXJpdHkuY29t" method="POST">
<input type="submit" name="coolbutton" value="SETTING DISCHECK" />
<input type="hidden" name="discheck" value="on" />
</form>
<form action="http://www.msplinks.com/MDFodHRwOi8vd3d3LnNvY2lhbG1lZGlhc2VjdXJpdHkuY29t" method="GET">
<input type="submit" name="coolbutton" value="NO DISCHECK" />
</form>

What’s the point?  Even with SPAM and URL filtering on social networks like MySpace…they can be easily bypassed.  Since 2007 there have been many different ways to bypass MSPLinks (just do a Google search), this is just another method.  Also, because social networks encourage user generated content, clicking on any links that are posted by the user can lead to bad things.  Especially if they are already masked like they are via MSPLinks.  MSPLinks have now become even more dangerous because you trust MySpace is filtering these links.

Hopefully, MySpace can come up with something better then MSPLinks as they are pretty much useless to fight SPAM and links to malware sites.

Old News: Twitter can be used for Botnet Command & Control

Shocking but true…today a researcher discovered that Twitter has been used for command and control of a botnet which may have been used by Brazilian hackers to steal online banking login information.  Kudos to the researcher, Jose Nazario, who found this.  It was an interesting read to say the least.  The bot would basically look for base64 encoded commands on a Twitter account to download malware via RSS feeds with obfuscated (shortened) URL’s.  Interesting…sounds a lot like Robin Wood’s tool KreiosC2 which was released at DEFCON 17.  I even did this demo showing what else? Base64 encoded commands.  Ironically, I showed off the first version of this code at Notacon 6 back in April of this year.  Keep in mind, KreiosC2 can be used for legitimate tasks like controlling things at home remotely via Twitter.  I highly recommend you read Robin’s detailed write-up on how KreiosC2 functions.

What I find fascinating (like most things in security) is that now that there has been a real confirmed case of using Twitter for botnet C2 (Command & Control) the media seems to be jumping on it and even trying to determine “why it took so long for hackers to take Twitter to the dark side”.  Well, you can’t say we didn’t warn you.

The point that Robin, myself and others were trying to make way back in April was that this is a real threat and the bad guys have probably started to use Twitter for C2 even before Robin put out the code!  We were hoping that by releasing the code Twitter (and others) would see this as perhaps an early warning of things to come and perhaps prepare some defense for it (yes, we know it’s hard to put a defense together for something like this).  Now that we have a confirmed case used for malicious purposes we hope Twitter takes this seriously and can combat future C2 channels used for very bad things.  It always takes something bad to happen to create change…where have you heard that before? :-)

Share and Enjoy


FacebookTwitterDeliciousDiggStumbleUponAdd to favoritesEmailRSS


Your Facebook Profile is Already Public

As Facebook’s privacy settings continue to evolve, many have discussed the increased openness as users gain more options to share content publicly.  All the while, though, ongoing problems with the Facebook Platform detract from the perceived level of control over privacy.

In essence, you should already think of your profile information as public.  First, any application you authorize has carte blanche access to your data.  You have no way to limit this access apart from avoiding authorization to start with.  Second, if a friend authorizes an application, that application likely has the same amount of access to your profile via your friends’ sessions.  You can limit the available data if you have not also authorized the application.

Finally, the current architecture of the Platform leaves users vulnerable to attacks that allow others to harvest profile information.  I have demonstrated such attacks before, and the more I investigate them, the more ridiculous the situation becomes.

This morning I found yet another XSS hole in a top 10 Facebook application (by monthly active users).  However, this was another FBML application, and as with several other cases, I could not immediately replicate my old XSS+CSRF attack for stealing profile data.  With a bit of experimenting, though, I realized another trick.  Rather than trying to insert script directly, I took a slightly different approach for executing this script.  This new technique ensured script execution, at the price of easy access to the session secret.  Using referrers, though, I gained access to the session secret as well.  This does require a user to have referrers enabled for JavaScript, but I’m fairly certain that’s the default on most browsers.

Not only did this new trick enable the attack on that particular application, it allowed me to launch the attack using another top 10 application that I already knew had an XSS hole.  Both of these applications also allow for clickjacking installs, meaning I could once again relaunch the full attack if I so desired.

Keep in mind that you need not visit an attack page for this to affect you.  If you’ve not limited unauthorized applications or the attack uses an application you’ve already installed, your data is vulnerable if a friend visits an attack page.

In short, an attacker could launch pages right now (this is zero-day stuff, people) that silently harvest profile information and photos from nearly any Facebook user.  Between these hacks and the threat of rogue applications, you should regard anything you post on Facebook as public information.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

Facebook Taking Action on at Least One Issue

Late last night, Facebook issued a statement on their development blog with the cheery title, “Good Ads Make for a Good Ecosystem.”  I’ll begin by saying this post is very good news, and I applaud Facebook for addressing ad networks that violate application policies.

Finally.

My enthusiasm is a bit tempered by how long it’s taken for Facebook to respond on this issue, and I’m still mystified by some of the remarks in their post.  But first, let’s recap the good news.  By noon Pacific on August 3rd, Facebook will require all application advertising to meet a revised version of their own guidelines.  As part of this change, ad networks will no longer be able to use profile pictures or the names and birth dates of users without Facebook’s approval.  As Justin Smith notes, “To our knowledge, this is the first time Facebook has said all ads that display user data must be ’specifically approved’ by Facebook.”  Facebook also reminded developers that they can’t send user data to third-party advertising networks, and that ads are part of an application – meaning they fall under the same rules as the application itself.  I particularly appreciated this bit:

If you run code provided by an ad network in the operation of your application, be sure you understand what this code does.

Now for the less heartening aspects of this announcement.  Yesterday, July 28th, Facebook said:

Please remember that developers have never been allowed to send user data received from Facebook to ad networks…

Stop the tape.  On May 28th I posted the following tidbit about a Facebook Verified Application:

I was surprised to see right in the HTML for the application that when it called for an advertising banner, the iframe URL included my full name, sex, date of birth, age, relationship status, and college information (schools, years, degrees, and majors). I didn’t really think an application, particularly a verified one, should be passing such profile information to a third party.

On June 10th, I named names, noting that AdMazing was the ad network getting the data.  Fast forward over a month to July 25th, when I made this comment:

I did mention one example over a month ago on this very blog, yet the methods of that particular ad network have not changed at all in the mean time, nor has Facebook taken any action against them.

Now with that background, let’s finish the sentence from Facebook’s July 28th post:

…and we take firm action against this.

Right.

I might also note that on June 7th I filed a report about a different type of unsettling ads on Facebook which used user profile data, and on June 18th AllFacebook’s Nick O’Neill left this comment:

Just as a heads up I’ve been in discussions with Facebook for the past week about this exact issue and soon enough I should have a post up about the result. This is definitely a workaround that while they may be abiding by the terms, it results in shock to many of the users that see it.

Apparently Facebook was, in fact, working to address the issue and… oh wait a second.  That blog post was from June 7th of last year.  (By the way, Nick made good on his promise with a discussion of Social Banners and related issues.)

So why the sudden flurry of activity from Facebook regarding these application ads?  Perhaps the Financial Times can shed some light on the subject:

Facebook has found itself the victim of its own success. A user revolt is underway, as a huge number of users are updating their status to warn of a rumoured invasion of privacy by the site….

Also worth noting is how suddenly this message went viral. Ms Smith first reported her experience last Sunday, and the news was picked up, and dismissed by Mashable among others. But like a buried ember that sparks a raging brush fire, the meme caught a gust of wind, and by Friday was spreading across the social graph.

As I’ve pointed out before, Facebook has shown remarkable agility when their users raise an outcry en masse.  Say what you will about Facebook protecting their users, you can’t deny that Facebook works hard to defend its image.  After that viral wave of status updates, Facebook has moved swiftly to restore user confidence in the site’s advertising, whether from Facebook or on applications.

That’s why I’m not holding my breath for any action on the other privacy problems with the Facebook Platform I’ve noted, all of which remain and which, together, leave private information at risk.  Until users realize the current reality and make an issue out of it, Facebook apparently has little incentive to change the status quo.  I would love to believe that Facebook is more proactive and that I’m simply unaware of certain measures or underestimating the situation, but so far the company’s actions have inspired little confidence.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

Privacy Policies on the Top 25 Facebook Applications

Today, I performed a little experiment.  I went through the current top 25 Facebook applications, based on monthly active users and excluding applications by Facebook, and checked to see if they linked to a privacy policy.  I noted not only whether a privacy policy existed, but where one could find it.

Each of the applications currently have at least 5.5 million monthly active users, and 12 of them are Facebook Verified Applications.  Keep in mind that every application is entrusted with the same access to user data on authorization, regardless of the application’s purpose.

With each application, I checked for any links on the Info page, then checked to see if any of these pages linked to a privacy policy.  I then looked for application terms of service on the installation page, and checked to see if the TOS linked to a privacy policy.  (Throughout this experiment, I made a distinction between “terms of service” and a specifically designated “privacy policy.”  I also considered plaintext URIs to be links, even if they were not hyperlinked.)  Finally, I looked for help or supports links within the application that then linked to a privacy policy.

Following this method, I was unable to find any link to a privacy policy in nearly a third of the applications.  Of these, one was a Facebook Verified Application (more on that in a bit).  Also, one application only posted to a user’s wall and never requested authorization to access user data.

Two applications linked to a privacy policy only after installation, one on the first page after installation, and one via a second linked support page.  Seven applications linked to pages on their Info page that then included links to a privacy policy.  In five of these cases, the page containing a privacy link was the About link, a rather subtle one that points to the developer’s web site, which at times applies to more than one application.  Three of the seven included links to application TOS on the install page which did not include privacy policies.

Eight applications not only had a privacy link via one of the Info page links (five being the About link), but included a link to a privacy policy in the application TOS from the install page.

Only one application linked to its privacy policy directly from the Info page of the application: CourseFeed.  Major props to its developers for making that decision.  A close second in terms of disclosure was Zoosk, whose privacy policy is included in the application terms of service, which are linked to from the installation page.  Also, Zoosk’s Info page links to a support page, which then links to a privacy policy.

All of these findings are summarized in the chart below.

Chart of findings on the top 25 Facebook application privacy policies.

Chart of findings on the top 25 Facebook application privacy policies.

A few other specific applications stood out in various ways.  While Birthday Cards linked to the RockYou homepage, which includes a privacy policy link, the homepage was taken over by an advertisement in Firefox, and I saw no way to close the ad and get back to the actual page.  Also, Slide’s FunSpace presented a rather strange dynamic.  The application seemed to behave as if it were a Facebook Connect page, only prompting for authorization in a pop-up dialog when I tried to create a post.  In fact, since I had used the application previously, it included such details as my name and friend list before I even authorized it.  I’m not sure exactly what was happening behind the scenes in that instance.

Finally, one application deserves mention for its rather pitiful performance: RockYou Live, formerly Super Wall.  This is a Facebook Verified Application, yet I could not find any link to a privacy policy within the application or via its links to other pages.  In fact, the About link on the Info page points to a section of the application, which requires user installation.  Finally, it provided no link to application terms of service on the install page.

Once again, keep in mind that a user grants the same level of trust to each of these application on installation.  Yet 36% either have no published privacy policy or only offer links to a privacy policy after a user has authorized the application.  I’ve seen people get upset over the lack of a privacy policy on web sites that have access to far less personal information than a Facebook application.  If this sample of the most popular applications is any indication, however, people have another reason to be upset about the current state of privacy on the Facebook Platform.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

1 14 15 16 17 18 22