The Limits of Application Privacy Limits

One issue I have not discussed much previously is how much of your data an application can access via a friend’s session.  I and others have had to sort through some confusion on this topic, and I appreciate recent work by Ian Glazer to clear things up.  As you can see from my comments on Glazer’s second post about his Privacy Mirror, I did not fully understand how things worked until Glazer posted his more detailed explanation of his findings:

It shouldn’t take a few hundred lines of PHP, three debuggers, and an engineering degree to figure out how privacy controls work. This lack of clarity robs Facebook users of the opportunity to make meaningful and informed choices about their privacy.

What Glazer found is that when a user restricts how much profile data is available to applications through friend’s sessions, those restrictions only apply if the user does not also authorize the application.  Once you install an application, all of your data is available in any friend’s session (subject to profile restrictions).

In Facebook’s defense, they do technically say this on the application privacy settings page, though I think it could be made more clear.  I certainly didn’t comprehend all the ramifications at first:

When a friend of yours allows an application to access their information, that application may also access any information about you that your friend can already see….

You can use the controls on this page to limit what types of information your friends can see about you through applications. Please note that this is only for applications you do not use yourself…

One could easily argue that this is a case of incompetence on my part for not making sense of what Facebook said, but I know that other security researchers have also missed some of these caveats or didn’t put them all together.

As Glazer points out, Facebook provides an easy way to tell how much information a friend can access via your profile, but provides no simple way for letting you know how much data applications can access.  Apparently, though, the answer is rather simple, since besides a few special cases, an application still basically has full access.


MoTB #27: Reflected XSS in Posterous

What is Posterous
“We love sharing thoughts, photos, audio, and files with our friends and family, but we didn’t like how hard it was… so we made a better way. That’s posterous. ” (Posterous about page)

Twitter effect
Posterous can be used to send tweets by sending posts via email, or posting comments on existing posts.
Posterous is using the OAuth authentication method in order to utilize the Twitter API.

Popularity rate
25th place in the most used Twitter clients list, according to “TwitStat” – 3.5 twits

Vulnerability: Reflected Cross-Site Scripting in the Search page.
Status: Patched.
Details: The Posterous search page did not encode HTML entities in the “search” variable, which could have allowed the injection of scripts.
This vulnerability could have been used by an attacker to send tweets on behalf of its victims.
Proof-of-Concepts: http://avivra.posterous.com/?sort=bestmatch&search=testing%22%3E%3Cscript%3Ealert%28%22xss%22%29%3B%3C%2Fscript%3E
http://posterous.com/explore/?search=xxx%22%3E%3Cscript%3Ealert%28%2Fxss%2F%29%3B%3C%2Fscript%3E
Screenshots:

Vendor response rate
The vulnerability was fixed 12 hours after it had been reported. Excellent – 5 twits.

MoTB #26: Reflected XSS in Tweeple Pages

What is Tweeple Pages
“Tweeple Pages is a user powered directory of Twitter users organized by their interests. Simply allow the Tweeple Pages application access and you can start discovering other users with similar interests as you!” (Tweeple Pages about page)

Twitter effect
Tweeple Pages can be used to follow and unfollow other Twitter users. TweeTube is using the OAuth authentication method in order to utilize the Twitter API.

Popularity rate
Not a very popular alternative to twellow, wefollow, and other Twitter categorization services – 0.5 twits

Vulnerability: Reflected Cross-Site Scripting in the Search page.
Status: Unpatched.
Details: The Tweeple Pages search page does not encode HTML entities in the “q” variable, which can allow the injection of scripts.
This vulnerability can be used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://tweeplepages.com/search.php?q=%3Cscript%3Ealert(%22xss%22)%3C/script%3E
Screenshot:

Vendor response rate
The vendor did not respond to any of the emails I sent during the past week – 0 twits.

MoTB #25: CSRF+XSS vulnerabilities in TwitStat

What is TwitStat
TwitStat provides a mobile web interface for Twitter.

Twitter effect
TwitStat can be used to send tweets, direct messages and follow/unfollow other Twitter users.
TwitStat is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
30th place in the most used twitter clients list, according to “TwitStat” – 3 twits

Vulnerabilities:
1) Cross-Site Request Forgery in main update page
Status: Patched.
Details: The TwitStat index.php web page did not use an authenticity token to validate that the HTTP POST originated from a form served by the TwitStat web application, so a form on any other site could submit the same request with the victim’s session cookie attached.
This vulnerability could have been used by an attacker to send tweets on behalf of its victims.

2) Reflected (POST-based) Cross-Site Scripting in the Search page.
Status: Patched.
Details: The TwitStat search page did not encode HTML entities in the “terms” form field, which could have allowed the injection of scripts.
This vulnerability could have been used by an attacker to automatically send tweets, direct messages or follow/unfollow other twitter users on behalf of the victims.
Proof-of-Concept: http://www.twitstat.com/m/index.php?mode=search&terms=xxx%22%3E%3Cscript%3Ealert%28%22xss%22%29%3C%2Fscript%3E
Screenshot:

Vendor response rate
The vulnerabilities were fixed 5 days after they had been reported. Moderate – 3 twits.
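As an added illustration of vulnerability 1 above (not TwitStat’s code), the snippet below contrasts an update handler that trusts the session cookie alone with one that also requires a per-session authenticity token. The session store, form markup and handler names are constructed assumptions for the example.

```python
import hmac
import secrets

# Constructed stand-ins (hypothetical, not TwitStat's implementation):
LOGGED_IN = {"sess-victim"}   # session cookie values that are authenticated
_TOKENS = {}                  # session cookie -> authenticity token
OUTBOX = []                   # tweets "sent" through a Twitter API stand-in

def issue_token(session_cookie):
    """Mint an unguessable per-session authenticity token, kept server-side."""
    token = secrets.token_urlsafe(32)
    _TOKENS[session_cookie] = token
    return token

def render_update_form(session_cookie):
    """The update form embeds the token; a page on another origin cannot read it."""
    token = issue_token(session_cookie)
    return ('<form method="post" action="/m/index.php">'
            f'<input type="hidden" name="authenticity_token" value="{token}">'
            '<textarea name="status"></textarea></form>')

def handle_update_vulnerable(session_cookie, form):
    """Original pattern: a valid session cookie is all it takes to post.
    The browser attaches that cookie to a form auto-submitted from any site."""
    if session_cookie not in LOGGED_IN:
        return 403
    OUTBOX.append(form["status"])
    return 200

def handle_update_fixed(session_cookie, form):
    """Hardened: the POST must also carry the token tied to this session."""
    if session_cookie not in LOGGED_IN:
        return 403
    expected = _TOKENS.get(session_cookie)
    supplied = form.get("authenticity_token", "")
    # Constant-time compare; missing, stale or guessed tokens are rejected.
    if expected is None or not hmac.compare_digest(expected, supplied):
        return 403
    OUTBOX.append(form["status"])
    return 200
```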

Debunking Facebook’s Statements on Ads

I never want to come across too harshly when talking about Facebook; I honestly believe they want to protect user privacy and security.  But while Facebook continues to hone and publicize the privacy controls in their own features, they seem to ignore major issues with Facebook applications.  Some might argue that applications are not under Facebook’s control, but this ignores changes Facebook could make which would help protect users.  I can only think that Facebook does not want to risk alienating developers any further.

In turn, many developers seem to shift responsibility to end users.  Recently I read back over coverage from ReadWriteWeb and the BBC on rogue Facebook applications, along with a discussion on Facebook’s developer forum.  While the reports admittedly included sensationalist elements, I was surprised to see commenters taking the position that rogue applications weren’t a problem, since users authorize applications to access their profile data.  In essence, if an application steals data, it’s the user’s fault for letting it.

This perspective fails to take into account the average user’s understanding of how applications access and share data, not to mention how little control a user has over applications.  And most users would probably be shocked by how even mainstream applications make use of profile information to target advertisements.  Many of these applications and advertising networks again take a hands-off approach, noting that a user could opt out of such programs.  But what are the chances of a user even realizing this, much less taking the time to figure out how?

Advertising in applications made a few headlines this weekend, after a message on user privacy made the rounds on Facebook.  The message did not actually address application ads, but in a statement on the message, Facebook deflected attention from their own ads to talk about application ads, and painted a rather rosy picture of user privacy on the Platform.  I respectfully disagree with their assessment.

First, let’s clarify: the original viral message on profile pictures in ads pointed to an actual privacy setting which controls whether your profile picture appears in Facebook Ads.  This was never about the application ad networks Facebook brought up in their statement.

Second, consider why Facebook banned SocialHour and SocialReach.  From what I understood at the time, Facebook had a problem with the ads falsely implying that friends had taken certain actions (e.g. taking a quiz).  Facebook did not seem to address the issue of profile pictures being used in the advertisements, and the practice has continued on many advertising networks to this day.

I was honestly rather surprised by Facebook’s statement, since it seemed to imply that all was well with application advertising.  I then became shocked when I read the update Nick O’Neill posted after digging for more information:

I’ve spoken to Facebook and they’ve made some relatively strong statements, the most important of which was that ad networks “need permission from the owner of whatever photo they use.” That means unless an ad network asked for permission to use your image, they can’t use it. Additionally, here are the policies that are applicable according to Facebook:

  • The data section of the platform guidelines indicates that just because a developer gets access to user data doesn’t mean that they can use it
  • Developers are not allowed to pass user data they get from FB to ad networks.
  • Apps cannot break the law, and there are rights of publicity issues that come into play here. Facebook is granted permission in the terms to use a user’s photo in an ad but this permission does not extend to developers or ad networks.
  • Not doing anything misleading (indicating a user has taken a quiz when they haven’t is misleading)

Seriously?  Seriously? It doesn’t take long to realize how flagrantly these guidelines are being ignored:

  1. Many application ad networks use the profile pictures of users and their friends.
  2. Application ad networks routinely access loads of profile data from users and their friends.  This information is often processed client-side and not sent back to the ad network servers, but you’d probably be stunned at just how much data is sifted through.
  3. User data is routinely sent back to application ad networks.  I can cite several examples of this, but I hadn’t brought them up sooner as I’ve been working on sorting through them and gathering records of what happens.  I did mention one example over a month ago on this very blog, yet the methods of that particular ad network have not changed at all in the mean time, nor has Facebook taken any action against them.
  4. The session secret of an application is routinely passed on to application ad networks.  This enables the ad network server to make requests to Facebook via the API and access user data.  Regardless of whether such action happens (and it does, by the way), an application should never share its session secret with outside web sites.  In several cases, the session secret is inadvertently recorded by Google Analytics – and that includes ad network Analytics accounts.

As an example of ad networks accessing user data, remember SocialReach?  This very moment, one application with over 10 million monthly active users is serving SocialReach ads scripts which make Facebook API requests from the SocialReach web site.  These are the same FQL queries SocialReach made prior to Facebook banning it a while back. Update: On further investigation, it appears the SocialReach code operates client-side, though the session secret is still passed on to SocialReach and the code does make API requests.

As I said, I’ve been planning to talk more about this, but was still working on putting everything together and making further investigations.  With the sudden press about application advertising, I figured I should go ahead and at least note how badly reality differs from what Facebook seems to be trying to portray.  If news sites want proof or more specifics on the problems I’ve described, feel free to get in touch.

Part of what leaves me bewildered is that if I can uncover so many problems in my research, how does Facebook not notice them?  Some of these issues are even occurring in Facebook Verified Applications.  I simply don’t understand how Facebook can make the kinds of statements AllFacebook published in light of all the obvious issues still present.


MoTB #24: Reflected XSS in TweeTube

What is TweeTube
“TweeTube was started in January 2009 after identifying a need for an easy way to share YouTube videos among your Twitter followers. We since grew to allow users to share different stuff like pictures, webcam recordings, website urls and much more to come.” (TweeTube about page)

Twitter effect
TweeTube can be used to send tweets by uploading new videos/photos, sending them via email, or posting comments on existing videos/photos.
TweeTube is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
Not a very popular alternative to yfrog, twitpic and other Video or Photo sharing services – 0.5 twits

Vulnerability: Reflected Cross-Site Scripting in the Search page.
Status: Unpatched.
Details: The TweeTube search page does not encode HTML entities in the “q” variable, which can allow the injection of scripts.
This vulnerability can be used by an attacker to send tweets on behalf of its victims.
Proof-of-Concept: http://www.tweetube.com/search?q=%3Cscript%3Ealert(%22xss%22)%3C/script%3E
Screenshot:

Vendor response rate
The vendor did not respond to any of the emails I sent during the past week – 0 twits.
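The four reflected XSS advisories above (Posterous, Tweeple Pages, TwitStat and TweeTube) share one root cause: a search term is written back into the page without HTML encoding. The added example below (not any vendor’s code) decodes the published proof-of-concept query strings the way a server would and contrasts an unencoded rendering with an encoded one; the rendering functions and the crude detector are constructed assumptions.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed samples: the PoC URLs quoted in the advisories, exactly as a browser would send them.
SAMPLE_URLS = [
    ("http://www.tweetube.com/search?q=%3Cscript%3Ealert(%22xss%22)%3C/script%3E", "q"),
    ("http://tweeplepages.com/search.php?q=%3Cscript%3Ealert(%22xss%22)%3C/script%3E", "q"),
    ("http://avivra.posterous.com/?sort=bestmatch&search=testing%22%3E%3Cscript%3E"
     "alert%28%22xss%22%29%3B%3C%2Fscript%3E", "search"),
]

def query_param(url, name):
    """Return the percent-decoded value of one query parameter (what PHP's $_GET holds)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]

def render_vulnerable(term):
    """Reflects the term untouched into an attribute and into element text (the bug)."""
    return f'<input name="q" value="{term}"><h2>Results for {term}</h2>'

def render_fixed(term):
    """Encodes < > & and, with quote=True, both quote characters before reflecting."""
    safe = html.escape(term, quote=True)
    return f'<input name="q" value="{safe}"><h2>Results for {safe}</h2>'

def contains_injected_script(page):
    """Crude check: a literal <script tag in the rendered output means the term
    escaped its text or attribute context. Encoded output never contains one."""
    return "<script" in page.lower()

def audit(urls=SAMPLE_URLS):
    """For each sample, report whether the vulnerable and fixed renderers leak a script tag."""
    results = []
    for url, name in urls:
        term = query_param(url, name)
        results.append((contains_injected_script(render_vulnerable(term)),
                        contains_injected_script(render_fixed(term))))
    return results
```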

Facebook Polling Users About Privacy

I just completed an interesting two-question survey via an official link on Facebook.  The poll first asked to what extent, on a five-point scale from “completely disagree” to “completely agree,” I agreed with this statement: “Facebook cares about its users’ privacy and security.”  Next, Facebook asked if I would describe myself as:

  • Very open – I wouldn’t mind if everyone could see all of the information I share on Facebook
  • In between – I don’t mind if everyone can see some of my information, but certain information I only want to share with my close friends or family
  • Private – I only share things with people I know

The survey came from the Facebook Research Team.  I’m guessing the first question is not only to gauge people’s image of Facebook but a statistic to trumpet if most users answer positively.  (In light of Facebook’s naivete towards Platform privacy and security, I did not.)  The second question is interesting in light of Facebook’s shifts from more controlled/private to more open/public.  And as Bruce Schneier recently discussed in an essay on privacy salience, Facebook probably hopes most users fall into the “very open” category.

I certainly look forward to seeing the results of this survey if they’re released.


Listen to Scott Wright discussing Twitter security risks and tips on the Twooting podcast

Thanks to Ryan Levesque from Twooting.com for having me on the “Twooting” podcast.

“Twooting” is the term Ryan and his partner, Bo Bennett, have coined to describe the act of “talking about Twitter.”

In this 30 minute podcast episode, Ryan asks me about some of the major risks inherent in using Twitter, and we discuss some of the approaches and tips that can help mitigate them.

Click HERE to listen to the episode of Twooting.

If you are interested in learning about how to get the most out of Twitter, I recommend listening to Ryan and Bo in the Twooting podcast. You can also find them on Twitter at http://www.twitter.com/thepodcast.

I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn’t mean you can’t have an economical way to address human security risks. Please call or email me at the coordinates below…

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.
