I’ve demonstrated countless times over the past year that cross-site scripting vulnerabilities in Facebook applications can be exploited to make Facebook API requests on behalf of the application. This type of attack, which I called a FAXX hack, enables one to not only post links to Facebook for viral effects but also harvest a wealth of information on victimized users along the way, such as name, date of birth, interests, family members, photos, and so on. However, contact information lay outside the scope of available data.
Until now. Facebook has launched a new Platform feature that enables developers to request e-mail addresses from their users. An unfortunate side effect of this behavior is that Facebook applications have now become more promising targets for online attacks.
Over time, it’s likely that popular applications will routinely request e-mail addresses from users, meaning eventually certain applications could have millions of addresses saved. (Note that Facebook allows developers to store e-mail addresses indefinitely under this new setup.) One SQL injection hole could potentially compromise all of those e-mail addresses. Also, if the application had an XSS vulnerability, one could easily launch a FAXX attack that requests e-mail addresses from Facebook via FQL.
This certainly all depends on several factors, one being whether many users embrace sharing their e-mail addresses with applications. Some may question whether finding an exploitable vulnerability in a popular application would be likely, but based on last year’s Month of Facebook Bugs, I think the odds are not encouraging.
My recommendation to users would be against letting applications have your e-mail address; Facebook does provide a proxy system if you really want messages. But I do hope this new feature will bring more attention to issues of security on the Facebook Platform.
Share with your friends!