Facebook Polling Users About Privacy

I just completed an interesting two-question survey via an official link on Facebook.  The poll first asked to what extent, on a five-point scale from “completely disagree” to “completely agree,” I agreed with this statement: “Facebook cares about its users’ privacy and security.”  Next, Facebook asked if I would describe myself as:

  • Very open – I wouldn’t mind if everyone could see all of the information I share on Facebook
  • In between – I don’t mind if everyone can see some of my information, but certain information I only want to share with my close friends or family
  • Private – I only share things with people I know

The survey came from the Facebook Research Team.  I’m guessing the first question is not only to gauge people’s image of Facebook but a statistic to trumpet if most users answer positively.  (In light of Facebook’s naivete towards Platform privacy and security, I did not.)  The second question is interesting in light of Facebook’s shifts from more controlled/private to more open/public.  And as Bruce Schneier recently discussed in an essay on privacy salience, Facebook probably hopes most users fall into the “very open” category.

I certainly look forward to seeing the results of this survey if they’re released.


Listen to Scott Wright discussing Twitter security risks and tips on the Twooting podcast

Thanks to Ryan Levesque from Twooting.com for having me on the “Twooting” podcast.

“Twooting” is the term Ryan and his partner, Bo Bennett, have coined to describe the act of “talking about Twitter.”

In this 30 minute podcast episode, Ryan asks me about some of the major risks inherent in using Twitter, and we discuss some of the approaches and tips that can help mitigate them.

Click HERE to listen to the episode of Twooting.

If you are interested in learning about how to get the most out of Twitter, I recommend listening to Ryan and Bo in the Twooting podcast. You can also find them on Twitter at http://www.twitter.com/thepodcast.

I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn’t mean you can’t have an economical way to address human security risks. Please call or email me at the coordinates below…

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.


MoTB #23: TwitterCounter/TwitterRemote Reflected XSS vulnerabilities

What is TwitterCounter
“Just as TwitterCounter could be described as Feedburner for Twitter you could say that TwitterRemote is like MyBlogLog for Twitter.” (TwitterCounter about page)

Twitter effect
TwitterCounter can be used to send new tweets and reply to other Twitter users.
TwitterCounter uses the OAuth authentication method to access the Twitter API.

Popularity rate
Over 830,000 unique visitors per month (according to Compete) – 4 twits

1) Vulnerability: Reflected Cross-Site Scripting in the Country page.
Status: Unpatched.
Details: The TwitterCounter country page does not encode HTML entities in the “timezone” variable, which allows the injection of scripts.
This vulnerability was also submitted and publicly disclosed by d3v1l.
An attacker can use this vulnerability to send tweets on behalf of their victims.
Proof-of-Concept: http://twittercounter.com/pages/country?time_zone=XXX%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E

2) Vulnerability: Reflected Cross-Site Scripting in the iframe.php page.
Status: Unpatched.
Details: The TwitterRemote iframe.php page does not encode HTML entities in the query variables, which allows the injection of scripts.
An attacker can use this vulnerability to send tweets on behalf of their victims.
Proof-of-Concept: http://twittercounter.com/remote/iframe.php?username_owner=xxx&users_id=3351429&nr_show=6&hr_color=cccccc&a_color=709cb2&bg_color=;color:expression(alert(‘xss’))
Screenshot:

Vendor response rate
The vendor did not respond to any of the emails I sent during the past week – 0 twits.

MoTB #22: CSRF in StockTwits

What is StockTwits
“StockTwits is an open, community-powered idea and information service for investments. Users can eavesdrop on traders and investors, or contribute to the conversation and build their reputation as savvy market wizards. The service takes financial related data – using Twitter as the content production platform – and structures it by stock, user, reputation, etc.” (StockTwits about page)

Twitter effect
StockTwits can be used to send tweets and follow other Twitter users.
StockTwits uses the OAuth authentication method to access the Twitter API.

Popularity rate
82nd place according to “The Museum of Modern Betas” – 2 twits

Vulnerability: Cross-Site Request Forgery in the update JSON page.
Status: Patched.
Details: The StockTwits update JSON page did not use an authenticity code (anti-CSRF token) to validate that the HTTP POST originated from the StockTwits web application.
Screenshots:

Vendor response rate
The vulnerability was fully fixed 22 hours after it had been reported. Excellent – 5 twits.

Another Top Facebook Application Falls to Hacking

I can’t emphasize this enough: as the Facebook Platform is currently set up, nearly any XSS vulnerability in an application allows my hack from last month (I may need a name for this thing soon) to succeed.

Tonight, after two hours of poking around various applications, I once again successfully used my hack to access profile information via an XSS hole in an FBML application.  This particular application has over 10 million monthly active users.  It also luckily prevents a clickjacking install, but with such wide reach, a relaunch of the hack would affect many users anyway.

If any technology news site wants a great story on the security of the Facebook Platform, please get in touch – I simply want to get the word out on this issue to raise user awareness.


MoTB #21: Multiple vulnerabilities in Ping.fm

What is Ping.fm
“Ping.fm is a simple and FREE service that makes updating your social networks a snap!” (Ping.fm home page)

Twitter effect
Ping.fm can be used to send tweets by submitting them via its website, email, or SMS.
Ping.fm uses username/password authentication to access the Twitter API.

Popularity rate
8th place among the most used Twitter clients – 4.5 twits

Vulnerabilities
1) Cross-Site Request Forgery in the SMS Phone No. Settings page.
Status: Patched.
Details: The Ping.fm SMS phone number settings page did not use an authenticity code (anti-CSRF token) to validate that the HTTP POST request originated from the Ping.fm web application.
An attacker could have used this to send tweets on behalf of their victims by simply sending an SMS to Ping.fm.

2) Reflected Cross-Site Scripting in the “Ping This!” page.
Status: Patched.
Details: The Ping.fm “Ping This!” page did not encode HTML entities in the “link” variable, which could have allowed the injection of scripts.
An attacker could have used this vulnerability to send tweets on behalf of their victims.
Proof-of-Concept: http://ping.fm/ref/?link=xxx%22+style=”color:expression(document.body.onload=function(){alert(‘XSS’)})
Screenshot:
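The two reflected XSS findings above (the TwitterCounter country page, where HTML entities in the time_zone value were not encoded, and the TwitterRemote iframe.php and Ping.fm “Ping This!” pages, where a value landed inside a style attribute and a CSS expression() was used) need different fixes. This is an added example in Python, not code from any of those sites; the render functions are constructed stand-ins for the vulnerable pages and show why entity encoding is the right fix for an HTML attribute sink but not for a CSS sink.

```python
import html
import re

# Constructed stand-ins for the two sinks in the advisories above: a query
# parameter echoed into an HTML attribute (the country page's time_zone) and a
# colour parameter echoed into a style attribute (iframe.php's bg_color).

def render_country_unsafe(time_zone: str) -> str:
    # Vulnerable pattern: the raw parameter is dropped into an attribute value.
    return f'<input name="time_zone" value="{time_zone}">'

def render_country_safe(time_zone: str) -> str:
    # Fix: encode HTML entities, quotes included, before interpolating.
    return f'<input name="time_zone" value="{html.escape(time_zone, quote=True)}">'

def render_style_escaped_only(bg_color: str) -> str:
    # Insufficient fix for a CSS sink: the HTML parser decodes the entities
    # before the CSS engine sees the value, so ";color:expression(...)" survives.
    return f'<div style="background:#{html.escape(bg_color, quote=True)}">'

HEX_COLOR = re.compile(r"[0-9a-fA-F]{6}")

def render_style_safe(bg_color: str) -> str:
    # Correct fix: allowlist the value (six hex digits) and fall back to a
    # default rather than trying to escape arbitrary CSS.
    if not HEX_COLOR.fullmatch(bg_color):
        bg_color = "ffffff"
    return f'<div style="background:#{bg_color}">'

def has_raw_script_tag(markup: str) -> bool:
    # What the HTML parser would see: an unencoded <script> start tag.
    return "<script" in markup.lower()

def css_seen_by_browser(markup: str) -> str:
    # Mimic the browser: pull out the style attribute and entity-decode it,
    # which is exactly what happens before the CSS parser runs.
    m = re.search(r'style="([^"]*)"', markup)
    return html.unescape(m.group(1)) if m else ""
```

The allowlist check is the general rule for any value that ends up in a CSS, URL or JavaScript context: encode for the HTML context it passes through, but validate the value against the grammar of the context it finally lands in.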

Vendor response rate
The vulnerabilities were fixed several hours after they had been reported. Excellent – 5 twits.
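The CSRF findings in StockTwits (MoTB #22) and in the Ping.fm SMS settings page above share one root cause: a session-authenticated POST handler acted on the request without any proof that it came from the application's own page, and the browser sends the session cookie with a cross-site POST automatically. This added Python example (not code from either site) models that handler with a constructed in-memory session store and shows the authenticity-token check that both vendors added.

```python
import hmac
import secrets
from typing import Dict

# Constructed in-memory session store: cookie value -> {"user", "csrf"}.
SESSIONS: Dict[str, Dict[str, str]] = {}

def start_session(user: str) -> str:
    # Log a user in and mint a per-session anti-CSRF token alongside the cookie.
    cookie = secrets.token_urlsafe(16)
    SESSIONS[cookie] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return cookie

def form_token(cookie: str) -> str:
    # The value the legitimate page embeds in its form. A third-party site
    # cannot read it, because the same-origin policy blocks reading the page.
    return SESSIONS[cookie]["csrf"]

def update_unprotected(cookie: str, form: Dict[str, str]) -> str:
    # Vulnerable handler: the cookie alone authorises the action, so any site
    # that makes the victim's browser POST here posts as the victim.
    return f"tweet by {SESSIONS[cookie]['user']}: {form['body']}"

def update_protected(cookie: str, form: Dict[str, str]) -> str:
    # Fixed handler: require the session's token in the form body and compare
    # in constant time so a mismatch leaks nothing about the expected value.
    expected = SESSIONS[cookie]["csrf"]
    supplied = form.get("authenticity_token", "")
    if not hmac.compare_digest(expected, supplied):
        return "rejected: missing or invalid authenticity token"
    return f"tweet by {SESSIONS[cookie]['user']}: {form['body']}"
```

A cross-site request carries the cookie but not the token, so only the protected handler refuses it; the same check applies whether the app talks to Twitter via OAuth or via stored credentials, because the attack is against the app's own session, not Twitter's.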

Social Zombies Invade Las Vegas!

Yes, you are reading the title of this post correctly!  Massive Zombie attacks at DefCon this year…bring your shotgun (we are kidding of course, please do not bring firearms to DefCon…you will make the goons very unhappy)!  Seriously though, Kevin Johnson and I will be presenting “Social Zombies: Your Friends Want to Eat Your Brains” at DefCon 17 in Las Vegas on Sunday, August 2nd at 4pm.

My part of the talk is focused on security and privacy concerns with social networks, fake accounts, using social networks for penetration testing and the proliferation of bots on social networks.  I will also be talking about a new version of Robin Wood’s fantastic “Twitterbot” (we actually have a new name for the tool which will be announced at DefCon).  I’ll be providing a live demo showing the new and improved features of his tool!  Big shoutout to Robin for all the work he did on this tool!

The other speaker is Kevin Johnson, who you may know as the project lead for BASE and SamuraiWTF (Web Testing Framework).  Kevin is also a SANS instructor for Security 542 (Web App Penetration Testing and Ethical Hacking).  When he isn’t managing projects and teaching, he’s most likely abusing “playing with” social networks.  Kevin will be talking about SocialButterfly, which is an application that can leverage and exploit various social network APIs.  He will also talk about manipulating social networks (and their users) with third-party applications.  Remember: please accept any and all “friend requests” from Kevin Johnson! :-)

From our talk abstract:

In Social Zombies: Your Friends want to eat Your Brains, Tom Eston and Kevin Johnson explore the various concerns related to malware delivery through social network sites. Ignoring the FUD and confusion being sown today, this presentation will examine the risks and then present tools that can be used to exploit these issues.

This presentation begins by discussing how social networks work and the various privacy and security concerns that are caused by the trust mass that is social networks. We use this privacy confusion to exploit members and their companies during our penetration tests.

The presentation then discusses typical botnets and bot programs. Both the delivery of this malware through social networks and the use of these social networks as command and control channels will be examined.

Tom and Kevin next explore the use of browser-based bots and their delivery through custom social network applications and content. This research expands upon previous work by researchers such as Wade Alcorn and GNUCitizen and takes it into new C&C directions.

Finally, the information available through the social network APIs is explored using the bot delivery applications. This allows for complete coverage of the targets and their information.

How did this talk come together?  Kevin and I had some past conversations regarding social network bots (mostly from my Notacon 6 talk) and decided that much of our research was similar, so it made sense to “combine forces” and work on some of this research together.  Also, by working on bots and socnet bot delivery mechanisms, we hope to raise awareness about some of the security and privacy threats that are out there, not just for the users of social networks.  Oh, and we both like Zombies.  See you at DefCon!



Facebook Hack via FBML Application

I’d previously stated that I was confident I could relaunch my Facebook hack using an FBML application, but that I hadn’t worked out all the details.  Today, I successfully used an XSS hole in an FBML application to access profile information, just as I had done with canvas applications before.  I did so using an XSS vulnerability that was publicly disclosed almost four months ago.

The particular application used this time always forwards new installs to the same URI, preventing me from using a clickjacking install to fully relaunch the attack page (though an added refresh may do the trick).  But it definitely proves the point that nearly any application with an XSS hole is vulnerable to this type of attack, including FBML applications.

For those who did not get to experience the hack when it was live, I’m including a screenshot of the results page for a fake Facebook profile.

Results page from Facebook attack under a fake profile.

