Security and Privacy in Social Networks Bibliography

We just added a fantastic link to 70+ academic papers about security and privacy issues in social networks. It is maintained by Joseph Bonneau from the University of Cambridge.  You will see a page titled “Research” at the top of the page where you can get links to this and other academic papers and research papers.

Thanks to Joe for the submission!

MoTB #31: Twitter Integrated Search Reflected XSS

What is Twitter Search
“There is an undeniable need to search, filter, and otherwise interact with the volumes of news and information being transmitted to Twitter every second. Twitter Search helps you filter all the real-time information coursing through our service.” (Twitter Search about page)

Twitter effect
Because Twitter Search is now integrated within Twitter, you can now actually preform any Twitter action in the book.

Popularity rate
Integrated search = All web users = 60% of all Twitter users – 5 twits

Vulnerability: Reflected Cross-Site in the Integrated Search feature.
Status: Patched.
Details: The Integrated search, as well as it’s JSON search.html page, did not encode HTML entities, which could have allowed the injection of scripts.
The vulnerability was also submitted by Laurent Gaffie and Pierre Gardenat. The idea to look at the JSON search.html page came from Ryan Naraine.
This vulnerability could have been used by an attacker to take control of its victims Twitter accounts, as well as to create a massive Twitter worm.
Proof-of-Concepts:
http://twitter.com/home#search?q=%3Cimg%20src%3D%22.%22%20onerror%3Dalert%28%22xss%22%29%3E
http://integratedsearch.twitter.com/search.html?callback=%3Cscript%3Ealert(%22xss%22)%3C/script%3E&layout=none&locale=en&page=1&q=aslkjdlaskdjlaksjdlaksjdasd
Screenshot:

Vendor response rate
Twitter’s responsiveness, especially of Alex Payne, was great throughout Month of Twitter Bugs. The vulnerabilities were fixed in less than 24 hours. If I could give them 6 twits, I would. Excellent – 5 twits.

MoTB #30: TweetDeck Insecure Communication Vulnerability

What is TweetDeck
“TweetDeck is your personal browser for staying in touch with what’s happening now, connecting you with your contacts across Twitter, Facebook and more. TweetDeck shows you everything you want to see at once, so you can stay organised and up to date.” (TweetDeck about page)

Twitter effect
TweetDeck can be used to send tweets, direct messages and follow/unfollow other Twitter users from multiple Twitter accounts.
TweetDeck is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
The most popular Twitter clients. 2nd place in the most used twitter clients, with 25.6% usage in the past week – 5 twits

Vulnerability: Insecure communication vulnerability when displaying videos.
Status: Unpatched.
Details: TweetDeck does not use a secure communication when it displays videos inline (e.g. using Qik). An attacker who controls the victim’s network (e.g. via public WiFi, compromised DNS servers, etc.) can tamper with the request to the video website and replace it with a rogue content (e.g. display a fake malicious update request).
This vulnerability can be used by an attacker to install malware on its victims machines.
Screenshot:

Vendor response rate
The vendor has confirmed this as a vulnerability. They are working with their partners (Qik and 12seconds) in order to replace the current HTTP connection with HTTPS. While the vendor have yet to fix the vulnerability, they were very responsive and have promised to release a patch as soon as their partners will implement SSL on their websites. Almost Good – 3.5 twits.

Facebook Taking Action on at Least One Issue

Late last night, Facebook issued a statement on their development blog with the cheery title, “Good Ads Make for a Good Ecosystem.”  I’ll begin by saying this post is very good news, and I applaud Facebook for addressing ad networks that violate application policies.

Finally.

My enthusiasm is a bit tempered by how long it’s taken for Facebook to respond on this issue, and I’m still mystified by some of the remarks in their post.  But first, let’s recap the good news.  By noon Pacific on August 3rd, Facebook will require all application advertising to meet a revised version of their own guidelines.  As part of this change, ad networks will no longer be able to use profile pictures or the names and birth dates of users without Facebook’s approval.  As Justin Smith notes, “To our knowledge, this is the first time Facebook has said all ads that display user data must be ’specifically approved’ by Facebook.”  Facebook also reminded developers that they can’t send user data to third-party advertising networks, and that ads are part of an application – meaning they fall under the same rules as the application itself.  I particularly appreciated this bit:

If you run code provided by an ad network in the operation of your application, be sure you understand what this code does.

Now for the less heartening aspects of this announcement.  Yesterday, July 28th, Facebook said:

Please remember that developers have never been allowed to send user data received from Facebook to ad networks…

Stop the tape.  On May 28th I posted the following tidbit about a Facebook Verified Application:

I was surprised to see right in the HTML for the application that when it called for an advertising banner, the iframe URL included my full name, sex, date of birth, age, relationship status, and college information (schools, years, degrees, and majors). I didn’t really think an application, particularly a verified one, should be passing such profile information to a third party.

On June 10th, I named names, noting that AdMazing was the ad network getting the data.  Fast forward over a month to July 25th, when I made this comment:

I did mention one example over a month ago on this very blog, yet the methods of that particular ad network have not changed at all in the mean time, nor has Facebook taken any action against them.

Now with that background, let’s finish the sentence from Facebook’s July 28th post:

…and we take firm action against this.

Right.

I might also note that on June 7th I filed a report about a different type of unsettling ads on Facebook which used user profile data, and on June 18th AllFacebook’s Nick O’Neill left this comment:

Just as a heads up I’ve been in discussions with Facebook for the past week about this exact issue and soon enough I should have a post up about the result. This is definitely a workaround that while they may be abiding by the terms, it results in shock to many of the users that see it.

Apparently Facebook was, in fact, working to address the issue and… oh wait a second.  That blog post was from June 7th of last year.  (By the way, Nick made good on his promise with a discussion of Social Banners and related issues.)

So why the sudden flurry of activity from Facebook regarding these application ads?  Perhaps the Financial Times can shed some light on the subject:

Facebook has found itself the victim of its own success. A user revolt is underway, as a huge number of users are updating their status to warn of a rumoured invasion of privacy by the site….

Also worth noting is how suddenly this message went viral. Ms Smith first reported her experience last Sunday, and the news was picked up, and dismissed by Mashable among others. But like a buried ember that sparks a raging brush fire, the meme caught a gust of wind, and by Friday was spreading across the social graph.

As I’ve pointed out before, Facebook has shown remarkable agility when their users raise an outcry en masse.  Say what you will about Facebook protecting their users, you can’t deny that Facebook works hard to defend its image.  After that viral wave of status updates, Facebook has moved swiftly to restore user confidence in the site’s advertising, whether from Facebook or on applications.

That’s why I’m not holding my breath for any action on the other privacy problems with the Facebook Platform I’ve noted, all of which remain and which, together, leave private information at risk.  Until users realize the current reality and make an issue out of it, Facebook apparently has little incentive to change the status quo.  I would love to believe that Facebook is more proactive and that I’m simply unaware of certain measures or underestimating the situation, but so far the company’s actions have inspired little confidence.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

MoTB #29: Reflected XSS in chart.ly

What is chart.ly
“Share stock charts on Twitter” (chart.ly home page)

Twitter effect
chart.ly can be used to send tweets and follow other twitter users.
chart.ly is using OAuth authentication method in order to utilize the Twitter API.

Popularity rate
A not so popular alternative to StockTwits – 1 twit

Vulnerability: Reflected Cross-Site in the Search page.
Status: Unpatched.
Details: The chart.ly search page does not encode HTML entities in the “q” variable, which can allow the injection of scripts.
This vulnerability can used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://chart.ly/search?q=%3Cscript%3Ealert(%22xss%22)%3C/script%3E

Vendor response rate
The vendor did not respond to any of the emails I sent during the past week – 0 twits.

MoTB #28: Reflected XSS vulnerability in tweetburner

What is tweetburner
“Tracking the links that you share on Twitter” (tweetburner home page)

Twitter effect
tweetburner can be used to send tweets with the shortened URLs through a form on their website.
tweetburner is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
Yet another Twitter shortening service. Not as popular as others in this market – 2 twits

Vulnerability: Reflected Cross-Site in the shortened URL creation page.
Status: Unpatched.
Details: The tweetburner shortened URL creation page does not encode HTML entities in the “url” variable, which can allow the injection of scripts.
This vulnerability can be used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://tweetburner.com/links/create?url=%3Cscript%3Ealert(%22xss%22)%3C/script%3E
Screenshot:

Vendor response rate
The vendor did not respond to any of the emails I sent during the past week – 0 twits.

Privacy Policies on the Top 25 Facebook Applications

Today, I performed a little experiment.  I went through the current top 25 Facebook applications, based on monthly active users and excluding applications by Facebook, and checked to see if they linked to a privacy policy.  I noted not only whether a privacy policy existed, but where one could find it.

Each of the applications currently have at least 5.5 million monthly active users, and 12 of them are Facebook Verified Applications.  Keep in mind that every application is entrusted with the same access to user data on authorization, regardless of the application’s purpose.

With each application, I checked for any links on the Info page, then checked to see if any of these pages linked to a privacy policy.  I then looked for application terms of service on the installation page, and checked to see if the TOS linked to a privacy policy.  (Throughout this experiment, I made a distinction between “terms of service” and a specifically designated “privacy policy.”  I also considered plaintext URIs to be links, even if they were not hyperlinked.)  Finally, I looked for help or supports links within the application that then linked to a privacy policy.

Following this method, I was unable to find any link to a privacy policy in nearly a third of the applications.  Of these, one was a Facebook Verified Application (more on that in a bit).  Also, one application only posted to a user’s wall and never requested authorization to access user data.

Two applications linked to a privacy policy only after installation, one on the first page after installation, and one via a second linked support page.  Seven applications linked to pages on their Info page that then included links to a privacy policy.  In five of these cases, the page containing a privacy link was the About link, a rather subtle one that points to the developer’s web site, which at times applies to more than one application.  Three of the seven included links to application TOS on the install page which did not include privacy policies.

Eight applications not only had a privacy link via one of the Info page links (five being the About link), but included a link to a privacy policy in the application TOS from the install page.

Only one application linked to its privacy policy directly from the Info page of the application: CourseFeed.  Major props to its developers for making that decision.  A close second in terms of disclosure was Zoosk, whose privacy policy is included in the application terms of service, which are linked to from the installation page.  Also, Zoosk’s Info page links to a support page, which then links to a privacy policy.

All of these findings are summarized in the chart below.

Chart of findings on the top 25 Facebook application privacy policies.

Chart of findings on the top 25 Facebook application privacy policies.

A few other specific applications stood out in various ways.  While Birthday Cards linked to the RockYou homepage, which includes a privacy policy link, the homepage was taken over by an advertisement in Firefox, and I saw no way to close the ad and get back to the actual page.  Also, Slide’s FunSpace presented a rather strange dynamic.  The application seemed to behave as if it were a Facebook Connect page, only prompting for authorization in a pop-up dialog when I tried to create a post.  In fact, since I had used the application previously, it included such details as my name and friend list before I even authorized it.  I’m not sure exactly what was happening behind the scenes in that instance.

Finally, one application deserves mention for its rather pitiful performance: RockYou Live, formerly Super Wall.  This is a Facebook Verified Application, yet I could not find any link to a privacy policy within the application or via its links to other pages.  In fact, the About link on the Info page points to a section of the application, which requires user installation.  Finally, it provided no link to application terms of service on the install page.

Once again, keep in mind that a user grants the same level of trust to each of these application on installation.  Yet 36% either have no published privacy policy or only offer links to a privacy policy after a user has authorized the application.  I’ve seen people get upset over the lack of a privacy policy on web sites that have access to far less personal information than a Facebook application.  If this sample of the most popular applications is any indication, however, people have another reason to be upset about the current state of privacy on the Facebook Platform.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

Another Twitter Scam: Twitviewer

twitviewerOne of the trending topics today on Twitter was “Twitviewer” becuase of a site called Twitviewer[d0t]net which asks visitors to enter in your Twitter user id and password to find out who is “stalking” you.  When you do, you get a sample of people on Twitter that are not even following you as stated in this Mashable post.  The app also sends out a tweet using your credentials stating: “Want to know whos stalking you on twitter!?: hxxp://TwitViewer[d0t]net”.  If you did fall victim to this you better change your password ASAP!  Check out the screenshot of the site before it was taken down…yeah, phishy indeed.

Who knows what the developers of this application were planning (malicious or others).  Regardless, you should never give a third party site (especially ones that look phishy like this one) your Twitter credentials.  In fact, I recommend you only use third party Twitter sites that use OAuth for authenticating you to Twitter.  That way you don’t have to give your credentials to the web site and worry about them being compromised.  Also, look to see what the purpose of the site is before you give the jewels away…if it’s a way to see who’s following you, enter credentials to get millions of followers, etc…then it’s probably a scam or just completely useless.

Think about this.  If the developer of a site like this wanted to they could easily use your captured Twitter credentials and start trying them on other social networks and/or web mail services.  They can then use these credentials for anything else they wanted.  Unfortunatly, most users of these sites use the same password for everything.  Again, this is a reminder to use a password manager if you are one of those that use the same user id/password for everything.  See this article for more information on password managers and social media web sites.

Share and Enjoy


FacebookTwitterDeliciousDiggStumbleUponAdd to favoritesEmailRSS


1 24 25 26 27 28 35