Thursday, August 6, 2009

Facebook personal info leak vulnerability
- or -
How your identity can be compromised just by reading forum posts.

Update: The issue has now been resolved. I've written a full disclosure, but you should read this post first in order to follow it.

I've stumbled across a small security vulnerability in Facebook that, after some thought, turned out to be a way to launch a powerful and surprising attack.
The attack allows personal information including full name, profile picture, and friends list to leak to an eagerly awaiting hacker. What makes this attack unique is that the unaware user's data may be stolen while she is surfing a legitimate, trusted site, not a site controlled by the attacker.

As a video is worth a thousand words, I've made one to show the proposed hack.
The video contains no artificial ingredients behind the scenes. It is completely “live” and was edited only for brevity.

What did I just see?
By merely viewing a forum page containing the rogue image, a user's personal information (full name, profile picture, and friends list) can be obtained by a hacker. It is not the image itself that does the trick. Instead, when the browser fetches the image, a chain reaction starts that delivers these details to the hacker. The chain reaction ends with a valid image, which means that the unknowing user would not have a clue that anything out of the ordinary just happened.
In addition, note that a user's details are also at risk when one of his friends falls victim to this attack.

What can this be used for?
First off, it means your surfing anonymity is breached.
Any site you visit might contain the attacking image, and your identity is subsequently uncovered. Obviously, a malicious site owner may place the image on his site with the intention of launching the attack, but, as shown, this is not the only case. On many sites, such as forums and blogs, any passing user may be able to post the attacking image (via a comment, for example) and steal visitors' data as demonstrated in the video.
Imagine that someone could link your name and picture to all the web sites you visit, forums you read, and blogs you follow...
Furthermore, combine this with another vulnerability that discovers your email address (any XSS will do) and you get a spammer's paradise: a self-creating mailing list of people interested in any specific topic, built by attacking the relevant forums or web sites.

How does it work?
This hack only works if the user is logged in to Facebook during the attack. However, it is very common for users to have their Facebook page permanently open while doing other things. This, together with the vast number of Facebook users, makes this attack a serious threat.
In professional jargon, it falls under the category of CSRF (cross-site request forgery) attacks, which are very interesting and somewhat unintuitive. In a CSRF attack, Evil Joe tricks your own browser into performing actions on your behalf, without your knowledge or consent, unlike classic attacks in which the hacker “breaks into” some computer to do his deed. While the potential damage of CSRF attacks is very severe, they are not generally well known to either users or web developers. Creating web sites that are not susceptible to them is tricky and requires special attention.
I've notified the Facebook security team about this issue, and it should hopefully be resolved soon.
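To make the mechanism described under "What did I just see?" and the CSRF point above concrete, here is an added example (not code from the original post or from Facebook): a toy profile endpoint that answers with the logged-in user's details whenever the session cookie is present, beside a hardened version that refuses requests the browser marks as coming from another site or as an image load. The Sec-Fetch-* header names are the real Fetch Metadata headers; the request shape, the session store and the site name `social.example` are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed session store: cookie value -> profile data the endpoint serves.
SESSIONS = {"sess-123": {"name": "Alice Example", "friends": ["Bob", "Carol"]}}
OUR_SITE = "https://social.example"  # assumed origin of the vulnerable site


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def current_user(req):
    return SESSIONS.get(req.cookies.get("session"))


def profile_vulnerable(req):
    """Trusts the cookie alone. An <img src=...> on any third-party page makes
    the victim's browser send this request with her cookie attached, so the
    response (and anything chained off it) is tied to her identity."""
    user = current_user(req)
    if user is None:
        return 401, {}
    return 200, user


def is_cross_site(req):
    """Browsers send Sec-Fetch-Site on every request: 'same-origin',
    'same-site', 'none' (typed URL / bookmark) or 'cross-site'. For old
    browsers that omit it, fall back to Origin/Referer and treat anything
    that is not our own site as cross-site."""
    site = req.headers.get("Sec-Fetch-Site")
    if site is not None:
        return site == "cross-site"
    ref = req.headers.get("Origin") or req.headers.get("Referer", "")
    return not ref.startswith(OUR_SITE)


def profile_hardened(req):
    """Same data, but a profile/API endpoint is never legitimately loaded as
    an image, and never legitimately triggered from another site."""
    if req.headers.get("Sec-Fetch-Dest") == "image" or is_cross_site(req):
        return 403, {}
    return profile_vulnerable(req)
```

Marking the session cookie `SameSite=Lax` (or `Strict`) adds a second, independent layer: the browser then omits the cookie from cross-site image loads entirely, so the endpoint never sees a session to leak.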

From a technical point of view, I think this exploit is elegant and surprisingly powerful. So, I'll be sharing the details in a full disclosure, as soon as the threat is removed. If you're interested, check back soon, or follow.
In the meantime, I think that the mere existence of this attack should be an eye-opener to the surprising dangers lurking on the Web. It definitely was for me.


  1. Not being especially technical, I'm left wondering... if I open, rather than a new tab, another instance of the same browser... or a different browser while logged in... does that address the threat?

    BTW, thanks a lot for this!

  2. Rich L, it very much depends on your choice of browser (IE7 works, IE8/FF/GC not), and how you open the new instance (ctrl+n not, running the exe yes but only for IE7, "New Session" in IE8 and "private browsing" for all the browsers also yes)...

    But since you said you're not very technical, I'll just let you know that you're USUALLY logged in ALL THE TIME anyway, even if your browser is not open - do you have to enter your password every time you go to Facebook...?

  3. Facebook hacking is spreading all over. The hackers can hack your personal information, so be careful: when you are not using your Facebook, make sure you log out of your profile.

  4. Avid, thanks for sharing knowledge on this topic. appreciated

  5. Nice blog and I like that very much and want to share some thing about the site where you can found the much interesting thing about the facebook fans and twitters followers, If you are interested then visit the link.

  6. Oh- I know alllll about this as I fell victim to it. Good post, but a little late for me.

  7. Nice sharing. This sharing will be useful for others' safety while social.

  8. It seems these types of vulnerabilities are popping up more and more.

  9. Please keep them coming in future. Greets! This is in fact a fine read for me. Must come clean that you are one of the best bloggers.

  10. Nice find with the exploit... glad it has been patched. Seems like there are so many security/privacy risk when you browse the web still logged in to facebook.

  11. Well, it is a little confusing at this time. But maybe with this we can say it was a big chance for us to realize Facebook is not a place to tell everything about our personal life.

  12. People shouldn't put as much personal information on facebook.

  13. It's really an informative post. Thanks for sharing your post.

  14. When I read your article, I found your blog quite informative. Thanks.

  15. It definitely was for me. Yes, you are right.

  16. This site is amazing awesome to me, I am being impressed by this great site.

  17. Very informative and impressive post you have written, this is quite interesting
    and I have gone through it completely; updated information is shared, keep
    sharing such valuable information.

  18. Every time I see a really good article I do one of three things: 1. Share it with my relevant it in all of the favorite bookmarking websites. 3. Be sure to return to the site where I came across the post. After reading this article I’m really thinking of doing all 3!

  19. I think you did an awesome job explaining it. Sure beats having to research it on my own. Thanks

  20. Noticed your website on today and really loved it.. i saved it and will be back to check it out some more later .. As a Noob, I am frequently seeking online for articles or blog posts that can help me. Thank you! With regards, Terina.

    1. The post is written in a very good manner and it entails much useful information for me. I am happy to find your distinguished way of writing the post. SEO Leeds

  21. Fantastic blog! I actually love how it is easy on my eyes and also the data are well written. I am wondering how I could be notified whenever a new post has been made. I have subscribed to your rss feed which should do the trick! Have a nice day!

  22. Hey there, I think your blog might be having browser compatibility issues. When I look at your blog in Firefox, it looks fine but when opening in Internet Explorer, it has some overlapping. I just wanted to give you a quick heads up! Other than that, superb blog!


  24. All articles are written by very intelligent people. And I want to share this with you. You must be mentioned here that has something for everyone.SEO Liverpool

  25. Like the panos. Thanks for sharing the details

  26. Thank you for another important article. Where else can you get this information in a comprehensive way of writing? It took me a week, and I am looking for information. Buy Facebook Fans
