Thursday, August 6, 2009

Facebook personal info leak vulnerability
- or -
How your identity can be compromised just by reading forum posts.

Update: The issue has now been resolved. I've written a full disclosure, but you should read this post first in order to follow it.

I've stumbled across a small security vulnerability in Facebook that, after some thought, turned out to be a way to launch a powerful and surprising attack.
The attack allows personal information, including full name, profile picture, and friends list, to leak to an eagerly awaiting hacker. What makes this attack unique is that the unaware user's data may be stolen while she is surfing a legitimate, trusted site, not a site controlled by the attacker.

As a video is worth a thousand words, I've made one to show the proposed hack.
The video contains no artificial ingredients behind the scenes. It is completely “live” and was edited only for brevity.

What did I just see?
By merely viewing a forum page containing the rogue image, a user's personal information (full name, profile picture, and friends list) can be obtained by a hacker. It is not the image itself that does the trick. Instead, when the browser fetches the image, a chain reaction starts that delivers these details to the hacker. The chain reaction ends with a valid image, which means that the unknowing user would not have a clue that anything out of the ordinary just happened.
In addition, note that a user's details are also at risk when one of his friends falls victim to this attack.

What can this be used for?
First off, it means your surfing anonymity is breached.
Any site you visit might contain the attacking image, and your identity is subsequently uncovered. Obviously, a malicious site owner may place the image in his site with the intention of launching the attack, but, as shown, this is not the only case. On many sites, such as forums and blogs, any passing user may be able to post the attacking image, via a comment for example, and steal the user's data as demonstrated in the video.
Imagine that someone could link your name and picture to all the web sites you visit, forums you read, and blogs you follow...
Furthermore, combine this with another vulnerability that discovers your email address (any XSS will do) and you get a spammer's paradise: a self-creating mailing list of people interested in a specific topic, built by attacking the relevant forums or web sites.

How does it work?
This hack only works if the user is logged on to Facebook during the attack. However, it is very common for users to have their Facebook page permanently open while doing other things. This, together with the vast number of Facebook users, makes this attack a serious threat.
In professional jargon, it falls under the category of CSRF attacks, which are very interesting and somewhat unintuitive. In a CSRF attack, Evil Joe manages to trick your computer into performing actions on your behalf, without your knowledge or consent, unlike classic attacks in which the hacker “breaks into” some computer to do his deed. While the potential damage of CSRF attacks is very severe, they are not generally well known to either users or web developers. Creating web sites that are not susceptible to them is tricky and requires special attention.
I've notified the Facebook security team about this issue, and it should hopefully be resolved soon.
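The two sections above describe the same root cause: the browser attaches the user's session cookie to an image fetch triggered by a third-party page, so a data endpoint that trusts the cookie alone answers the attacker's request. The following is an added example, not code from the original post or from Facebook, modelling that endpoint in its vulnerable form next to a hardened form; the session store, the endpoint names and the use of the modern Sec-Fetch-Site request header are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Constructed toy session store: cookie value -> the profile data it unlocks.
SESSIONS = {"sess-abc": {"name": "Alice Example", "friends": ["Bob", "Carol"]}}
CSRF_TOKENS = {}  # session id -> per-session anti-CSRF secret


@dataclass
class Request:
    path: str
    query: str = ""
    cookies: dict = field(default_factory=dict)
    # Sec-Fetch-Site is set by modern browsers ("same-origin", "same-site",
    # "cross-site", "none"); it did not exist in 2009 and is assumed here.
    sec_fetch_site: str = "same-origin"


def vulnerable_profile(req):
    """Trusts the ambient cookie alone. A cross-site <img src=...> makes the
    browser attach that cookie, so the attacker's image request gets the data."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, None
    return 200, sess


def issue_csrf_token(sid):
    """Mint a secret the legitimate page embeds in its own requests; a third-party
    page cannot read it, so it cannot forge a request that carries it."""
    tok = secrets.token_hex(16)
    CSRF_TOKENS[sid] = tok
    return tok


def hardened_profile(req):
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, None
    # Defence 1: refuse credentialed requests the browser marks as cross-site.
    if req.sec_fetch_site == "cross-site":
        return 403, None
    # Defence 2: require the per-session token, compared in constant time.
    tok = parse_qs(req.query).get("csrf", [None])[0]
    expected = CSRF_TOKENS.get(req.cookies["sid"], "")
    if tok is None or not secrets.compare_digest(tok, expected):
        return 403, None
    return 200, sess


def session_cookie_header(sid):
    """Defence 3: SameSite=Lax stops the browser attaching the cookie to
    cross-site image loads in the first place."""
    return f"sid={sid}; HttpOnly; Secure; SameSite=Lax"
```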

Summary
From a technical point of view, I think this exploit is elegant and surprisingly powerful. So, I'll be sharing the details in a full disclosure, as soon as the threat is removed. If you're interested, check back soon, or follow.
In the meantime, I think that the mere existence of this attack should be an eye-opener to the surprising dangers lurking on the Web. It definitely was for me.

22 comments:

  1. Kmilo, Aug 20, 2009 08:49 AM
    Nice video ;)
  2. Anonymous, Aug 21, 2009 08:02 AM
    Excellent!!
  3. Rich L, Aug 21, 2009 03:05 PM
    Not being especially technical, I'm left wondering... if I open, rather than a new tab, another instance of the same browser... or a different browser while logged in... does that address the threat?

    BTW, thanks a lot for this!
  4. Anonymous, Aug 23, 2009 09:38 AM
    so fake :)
  5. AviD, Aug 26, 2009 02:18 PM
    Rich L, it very much depends on your choice of browser (IE7 works, IE8/FF/GC not), and how you open the new instance (ctrl+n not, running the exe yes but only for IE7, "New Session" in IE8 and "private browsing" for all the browsers also yes)...

    But since you said you're not very technical, I'll just let you know that you're USUALLY logged in ALL THE TIME anyway, even if your browser is not open - do you have to enter your password every time you go to Facebook...?
  6. hdmi splitter, Sep 24, 2009 01:49 AM
    Facebook hacking is spreading all over. The hackers can hack your personal information, so be careful: when you are not using Facebook, make sure you log out of your profile.
  7. rarandy21, Jul 20, 2010 09:33 PM
    is fake video and gay
  8. stian listbuilding, Aug 18, 2010 04:37 PM
    AviD, thanks for sharing knowledge on this topic. Appreciated.
  9. rahul, Nov 8, 2010 06:34 AM
    nice blog post
  10. Buy twitter followers, Mar 14, 2011 12:14 PM
    Nice blog, and I like it very much, and I want to share something about the site where you can find many interesting things about Facebook fans and Twitter followers. If you are interested, then visit the link.
  11. Anonymous Email, Mar 19, 2011 07:18 PM
    Oh, I know alllll about this as I fell victim to it. Good post, but a little late for me.
  12. Anatomy And Physiology Course, May 19, 2011 08:28 PM
    Nice sharing. This sharing will be useful for others' safety while social.
  13. Dental Cost, Jul 16, 2011 12:23 PM
    It seems these types of vulnerabilities are popping up more and more.
  14. osternwil, Jul 18, 2011 05:00 AM
    I like this blog so much. Respective blog it is for all the world-famous fashion models. Really, here is an amazing sharing you have done. Thanks for sharing this post so much. Congratulations. Thanks...
    bookmaker bets
    sports betting
    Stop Sweating and Start Living
    bookmakers
  15. ralph lauren, Jul 25, 2011 05:27 PM
    Thanks for the post.
  16. Birthday Messages, Aug 10, 2011 10:55 PM
    If you are paying attention, it is my duty to inform you that a virtual administrative helper is a very devoted service and can be practical anywhere you want, and gets improved results.
  17. iPad 3, Aug 11, 2011 05:05 AM
    nice topic
  18. Diwali Greeting Sms, Sep 8, 2011 04:39 AM
    Please keep them coming. Greets! This is in fact a fine read for me. Must come clean that you are being one of the best bloggers.
  19. buy traffic, Sep 15, 2011 01:28 AM
    Not being especially technical, I'm left wondering... if I open, rather than a new tab, another instance of the same browser... or a different browser while logged in... does that address the threat?

    BTW, thanks a lot for this!
    buy traffic
    buy web traffic
  20. pinkeye, Sep 27, 2011 05:15 PM
    BTW, thanks a lot for this!
  21. hack facebook, Oct 20, 2011 06:41 PM
    Nice find with the exploit... glad it has been patched. Seems like there are so many security/privacy risks when you browse the web while still logged in to Facebook.
  22. kimnellen2587, Oct 28, 2011 10:10 AM
    Please keep them coming. Greets! This is in fact a fine read for me. Must come clean that you are being one of the best bloggers.
    Mobil Apps