Thursday, August 6, 2009

Facebook personal info leak vulnerability
- or -
How your identity can be compromised just by reading forum posts.



Update: The issue has now been resolved. I've written a full disclosure, but you should read this post first in order to follow it.

I've stumbled across a small security vulnerability in Facebook that, after some thought, turned out to be a way to launch a powerful and surprising attack.
The attack allows personal information including full name, profile picture, and friends list to leak to an eagerly awaiting hacker. What makes this attack unusual is that the unaware user's data may be stolen while she is surfing a legitimate, trusted site, not a site controlled by the attacker.

As a video is worth a thousand words, I've made one to show the proposed hack.
The video contains no artificial ingredients behind the scenes. It is completely “live” and was edited only for brevity.




What did I just see?
By merely viewing a forum page containing the rogue image, a user's personal information (full name, profile picture, and friends list) can be obtained by a hacker. It is not the image itself that does the trick. Instead, when the browser fetches the image, a chain reaction starts that delivers these details to the hacker. The chain reaction ends with a valid image, which means that the unknowing user would not have a clue that anything out of the ordinary just happened.
In addition, note that a user's details are also at risk when one of his friends falls victim to this attack.

What can this be used for?
First off, it means your surfing anonymity is breached.
Any site you visit might contain the attacking image, and your identity is subsequently uncovered. Obviously, a malicious site owner may place the image on his site with the intention of launching the attack, but, as shown, this is not the only case. On many sites such as forums and blogs, any passing user may be able to post the attacking image, via a comment for example, and steal the user's data as demonstrated in the video.
Imagine that someone could link your name and picture to all the web sites you visit, forums you read, and blogs you follow...
Furthermore, combine this with another vulnerability that reveals your email address (any XSS will do) and you get a spammer's paradise: a self-creating mailing list of people who are interested in a specific topic, built by attacking the relevant forums or web sites.

How does it work?
This hack only works if the user is logged on to Facebook during the attack. However, it is very common for users to have their Facebook page permanently open while doing other things. This, together with the vast amount of Facebook users, makes this attack a serious threat.
In professional jargon, it falls under the category of CSRF (Cross-Site Request Forgery) attacks, which are very interesting and somewhat unintuitive. In a CSRF attack, Evil Joe manages to trick your computer into performing actions on your behalf, without your knowledge or consent, unlike classic attacks in which the hacker “breaks into” some computer to do his deed. While the potential damage of CSRF attacks is very severe, they are not generally well known among either users or web developers. Creating web sites that are not susceptible to them is tricky and requires special attention.
I've notified the Facebook security team about this issue, and it should hopefully be resolved soon.
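As an added defender-side illustration, not code from the original post or from Facebook, the following Python models the two browser controls that today stop a cross-site image load from carrying the victim's session: the SameSite cookie attribute and the Sec-Fetch-* request headers, both introduced years after this post. The header values, the sample request and the isolation policy are assumptions made for the example.

```python
# Added example, not code from the original post: a model of two browser-side
# controls newer than 2009 that keep a cross-site <img> load from riding on the
# victim's session: SameSite cookies and the Sec-Fetch-* (Fetch Metadata)
# request headers. Header values and policy are assumptions for illustration.
SAME_SITE_VALUES = ("same-origin", "same-site", "none")  # "none": typed URL/bookmark

def cookie_attached(samesite, sec_fetch_site, mode, method="GET"):
    """Would the browser attach a cookie carrying this SameSite attribute?
    Simplified model of the SameSite rules for a modern browser."""
    if sec_fetch_site is None:   # no Fetch Metadata: modelled as a legacy browser
        return True
    same_site = sec_fetch_site in SAME_SITE_VALUES
    if samesite == "Strict":
        return same_site
    if samesite == "Lax":        # Lax also allows top-level safe-method navigations
        return same_site or (mode == "navigate" and method in ("GET", "HEAD"))
    return True                  # SameSite=None (pre-SameSite behaviour): always sent

def request_allowed(headers, method="GET"):
    """Server-side resource isolation: honour the session only for same-site
    requests and cross-site top-level GET navigations; a cross-site subresource
    load (image, script, frame) is refused."""
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is None:             # old browser: this check alone cannot decide
        return True
    if site in SAME_SITE_VALUES:
        return True
    return (h.get("sec-fetch-mode") == "navigate"
            and h.get("sec-fetch-dest") == "document"
            and method in ("GET", "HEAD"))

def evaluate(headers, samesite, method="GET"):
    """Outcome for one hop: is the cookie sent, and is the request then served
    with the session? The leak described above needs both to be True."""
    h = {k.lower(): v for k, v in headers.items()}
    sent = cookie_attached(samesite, h.get("sec-fetch-site"),
                           h.get("sec-fetch-mode"), method)
    return {"cookie_sent": sent,
            "served_with_session": sent and request_allowed(headers, method)}

# Constructed sample: what a browser sends for an <img> embedded in a forum post
# on another site (the first hop of the chain described above).
FORUM_IMG_REQUEST = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors",
                     "Sec-Fetch-Dest": "image"}

if __name__ == "__main__":
    for policy in ("None", "Lax", "Strict"):
        print(policy, evaluate(FORUM_IMG_REQUEST, policy))
```

Because the browser computes Sec-Fetch-Site over the whole redirect chain, every later hop of a chain that started on the forum page also counts as cross-site.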

Summary
From a technical point of view, I think this exploit is elegant and surprisingly powerful. So, I'll be sharing the details in a full disclosure, as soon as the threat is removed. If you're interested, check back soon, or follow.
In the meantime, I think that the mere existence of this attack should be an eye-opener to the surprising dangers lurking on the Web. It definitely was for me.

62 comments:

  1. Not being especially technical, I'm left wondering... if I open, rather than a new tab, another instance of the same browser... or a different browser while logged in... does that address the threat?

    BTW, thanks a lot for this!

  2. Rich L, it very much depends on your choice of browser (IE7 works, IE8/FF/GC not), and how you open the new instance (ctrl+n not, running the exe yes but only for IE7, "New Session" in IE8 and "private browsing" for all the browsers also yes)...

    But since you said you're not very technical, I'll just let you know that you're USUALLY logged in ALL THE TIME anyway, even if your browser is not open - do you have to enter your password every time you go to Facebook...?

  3. Facebook hacking is spreading all over. The hackers can hack your personal information, so be careful: when you are not using your Facebook, make sure you log out of your profile.

    1. But innovation comes from people meeting up in the hallways or calling each other at 10:30 at night with a new idea, or because they realized something that shoots holes in how we've been thinking about a problem.
      Door Linings

    2. Sometimes life hits you in the head with a brick. Don't lose faith.
      Security Shutters

  4. Avid, thanks for sharing knowledge on this topic. Appreciated.

    1. No man succeeds without a good woman behind him. Wife or mother, if it is both, he is twice blessed indeed.
      Modafinil Online

    2. Coming together is a beginning; keeping together is progress; working together is success.
      Personal Trainers Liverpool

    3. Defeat is not the worst of failures. Not to have tried is the true failure.
      Glass Curtains Spain

  5. Nice blog, I like it very much, and I want to share something about a site where you can find many interesting things about Facebook fans and Twitter followers. If you are interested, then visit the link.

  6. Oh, I know alllll about this as I fell victim to it. Good post, but a little late for me.

  7. Nice sharing. This sharing will be useful for others' safety while being social.

  8. It seems these types of vulnerabilities are popping up more and more.

  9. Please keep them coming in future. Greets! This is in fact a fine read for me. Must come clean that you are one of the best bloggers.

  10. Nice find with the exploit... glad it has been patched. Seems like there are so many security/privacy risks when you browse the web still logged in to Facebook.

  11. Well, it is a little confusing at this time. But maybe with this we can say it was a big chance for us to realize Facebook is not a place to tell everything about our personal life.

  12. People shouldn't put as much personal information on Facebook.

  13. It's really an informative post. Thanks for sharing your post.

  14. When I read your article, I found your blog quite informative. Thanks.

  15. It definitely was for me. Yes, you are right.

  16. This site is amazingly awesome to me; I am impressed by this great site.

  17. Very informative and impressive post you have written, this is quite interesting and I have gone through it completely; updated information is shared, keep sharing such valuable information.

  18. Every time I see a really good article I do one of three things: 1. Share it with my relevant friends. 2. Save it in all of the favorite bookmarking websites. 3. Be sure to return to the site where I came across the post. After reading this article I'm really thinking of doing all 3!

  19. I think you did an awesome job explaining it. Sure beats having to research it on my own. Thanks

  20. Noticed your website on del.icio.us today and really loved it. I saved it and will be back to check it out some more later. As a noob, I am frequently seeking online for articles or blog posts that can help me. Thank you! With regards, Terina.

    1. The post is written in a very good manner and it contains much useful information for me. I am happy to find your distinguished way of writing the post. SEO Leeds

  21. Fantastic blog! I actually love how it is easy on my eyes and also the data are well written. I am wondering how I could be notified whenever a new post has been made. I have subscribed to your RSS feed which should do the trick! Have a nice day!

  22. Hey there, I think your blog might be having browser compatibility issues. When I look at your blog in Firefox, it looks fine but when opening in Internet Explorer, it has some overlapping. I just wanted to give you a quick heads up! Other than that, superb blog!

  23. Wholesale Cheap Sexy Lingerie, Halloween Costumes, Clubwear And Corsets Manufacturers From China Suppliers.
    Flapper Costumes
    Wholesale Sexy Clubwear
    Vintage Dresses

  24. All articles are written by very intelligent people. And I want to share this with you. It must be mentioned here that it has something for everyone. SEO Liverpool

  25. Like the panos. Thanks for sharing the details

  26. Thank you for another important article. Where else can you get this information in a comprehensive way of writing? It took me a week, and I am looking for information. Buy Facebook Fans

  27. The Vintage Wholesale Company. Walson Rockabilly are a vintage wholesale company who focus on vintage fashion wholesale. WalsonRockabilly Vintage Clothing wholesalers are the UK's leading. Shop wholesale vintage dress, cheap silk dress, vintage jewelry products from reliable vintage dress wholesalers on walsonrockabilly and get worldwide. We know wholesale vintage clothing. We're the only vintage clothing wholesaler that knows what it's like to be in your shoes, because we run stores ourselves. Always Vintage is a Wholesale Vintage Clothing Distributor. We offer more than ninety different categories of vintage clothing for you to choose from.
    this links
    click this link
    walson rockabilly

  28.
    1. I found this post an educational one to glance at. Thank you for broadening my knowledge on this aspect to groom up my skills here. White Label SEO

  29. Very informative and impressive post you have written, this is quite interesting coursework writing help

  30. I am interested in this topic and would like to find out more information through your upcoming posts. get assignment help

  31. Really great source of information for account safety
    university essay writers

  32. This topic has always fascinated me. Thank you for writing an article that has great content and is well written. Well, I am inspired by your writing style. Social Media Marketing Manchester

  34. Thank you for sharing great knowledge on this topic.
    paper writing

  35. Your newer posts are simply wonderful compared to your posts in the past. This post is full of inspiration. http://www.mycollegeessay.com/college-paper-for-sale/

  36. Very informative and impressive post you have written. academic paper

  37. This is nice and informative, containing all information and also has a great impact on the new technology. Prozac Online

  39. Very nice post. Facebook hacking is really spreading all over. Hackers can steal your personal info. Well described post.
    earn online

  40. The hottest sexy Halloween costumes for 2014 from WholesaleLingerieX.com. We ship from our warehouse. Wholesale Sexy Costumes, Low Price Sexy Halloween Costumes From China Top Suppliers.
    sexy costumes Manufacturer
    Wholesale sexiest halloween costumes
    Wholesale sexiest womens costumes
    Wholesale sexiest costume
    Wholesale sexiest costumes for women