
Thread: Facebook Exploits

  1. #1
    Senior Member
    Join Date
    May 2002
    Posts
    344

    Facebook Exploits

    Hey guys,

    Long time since I have posted on this site... I remember when I was a lot younger, I came here all the time and learned a lot. Anyways, I wrote a long paper about two vulnerable exploits I found on Facebook for a class of mine. The first exploit allows any user to log in as a user who had previously logged in, and the second exploit is that a user never logs out of Facebook. Facebook fixed one of the exploits (exploit #2), but hasn't yet fixed the first. Anyways, I was hoping someone here would be able to take the time to read over my paper and give me suggestions. Thanks a lot!

    http://www.duke.edu/~jyw2/wwwsecurity.html

    btw, the Facebook stuff starts at the end of page 4, but I would like input on the rest of the paper as well!
    Support your right to arm bears.


    ^^This was the first video game which i played on an old win3.1 box

  2. #2
    Member d34dl0k1's Avatar
    Join Date
    Mar 2007
    Posts
    58
    The "vulnerability" is not specific to Facebook at all because what you are describing are network level attacks that will affect any site that doesn't operate over HTTPS entirely. You can do this with gmail, you can do this with hotmail, you can do this with antionline, you can do this just about anywhere because http is stateless and the only thing keeping a session together is a cookie. (steal cookie, steal session)

    Thus, this is a network exploit, not a problem with www. If you can't trust your network, you have much bigger problems than your fb profile anyways.

    I hope your professor didn't know that

  3. #3
    Senior Member
    Join Date
    May 2002
    Posts
    344
    First off, thank you very much for taking the time to read the paper. I really do appreciate your input. My friends and I talked a lot about what you mentioned above, and we all came to different conclusions as to what responsibility Facebook has. Personally, I don't think that all RPC-based web services are doomed for failure just because they do transmit cookie information via the HTTP header without using some level of encryption throughout their site. I believe that if web services just give up immediately and say, "oh, it's not our fault, that's the way everyone does it!", then they are not focusing on securing their app. In my paper, I mentioned a technique to add additional layers of security to prevent such an attack. The first idea is to store some type of unique identifier when the session is first spawned, so the server has a better clue as to who the user is. By doing this, the server will be more "intelligent", and base access on more variables than just a session key.

    Any idea as to why sessions were not being destroyed? I noticed this when I was using a friend’s cookie credentials to take on his identity (of course he was in the room with me and we were both okay with what I was doing). I told him to log out, and noticed that even after he was logged out, I still had full access to the site! Is this just poor practice or is it justifiable? I tried the attack again before my final presentation, and noticed that Facebook had fixed the problem so I assume they want sessions destroyed when a user logs out…

    I personally don't think that an antionline account has as much to lose as a regular Facebook account does. Most Facebook users spend a TON of time on the site, and have private messages that they really want to keep private. I have not investigated the way gmail and other sites handle cookies and sessions (or if they take a RESTful approach to login), so I do not have the authority to make any claims. Has anyone been able to gain access to a gmail or yahoo account by performing some type of simple session stealing attack?

    Thanks again for reading! I know it's long...

  4. #4
    Member d34dl0k1's Avatar
    Join Date
    Mar 2007
    Posts
    58
    Quote Originally Posted by White_Eskimo
    I believe that if web services just give up immediately and say, "oh, it's not our fault, that's the way everyone does it!", then they are not focusing on securing their app. In my paper, I mentioned a technique to add additional layers of security to prevent such an attack.
    I can claim that X website is vulnerable to the "there's a virus on my computer" attack, when in fact all websites I visit become vulnerable. If someone can run away with my laptop, did they exploit the websites I saved my authentication in Firefox with? Again, If they put a keylogger on my machine, did they find a Facebook exploit? Of course not... so why would exploiting a vulnerability in the network have anything to do with the web application? (****, you could MITM their bank accounts and email if they were available, who cares about FB drama)

    You would have an argument if you had found attacks related to XSS, but both of your 'exploits' are in regard to malicious sniffing, which is a much more fundamental problem than anything regarding the web application. Your claims are correct in that they are real world attacks against a user of a website, but they are not web application exploits.

    So, yes, there are ways to improve upon this sort of situation. With access to the network, however, it will always be a game of catch up over HTTP.

    Knowing that the first problem was with the network, it made your "facebook exploits" title somewhat misleading. I was hoping you had found something juicy.

  5. #5
    Senior Member
    Join Date
    May 2002
    Posts
    344
    Sorry to let you down in that case, d34dl0k1.

    You are a tough customer not to find this stuff juicy! Most of the time, it is the simple stuff that gets overlooked. I appreciate this isn’t an intricate hack, but it doesn’t have to be as long as it works. Take into account that tons of RPC-based web services ARE secure even though they rely on sessions for authentication and do not transmit data via HTTPS. This is not an exploit that allows individuals to gain root access to a Facebook server. Instead, this is an issue with Facebook’s architecture and the data they choose to transmit. By taking advantage of their system, users can easily gain full access to each other’s accounts. I completely see your point that this is a network exploit, but it is only exploitable because Facebook allows it to be. Because they put all of the information in a single area, it is easy to take advantage of. If they were to spread the load out, meaning store some information on their servers, and other information in a client’s cookie, they could create a much more secure service. You can have the attitude that because it is a network exploit, Facebook is not responsible. I however believe that developers should attempt to secure their service as much as possible. Facebook can implement several techniques to prevent users from attacking each other.

    This exploit is not solely related to sniffing attacks at all. In fact, in my paper I describe how a user can obtain the same kind of data using an XMLHttpRequest in a signed script. Also, the Mozilla browser suffered from a bug that allows scripts to violate the same site origin policy not long ago. I just pointed out that all a malicious hacker has to do is steal cookies to gain access to a user's account. There are tons of ways to do this. Facebook expects a secure network connection, and a secure browser. If web developers rely on browser developers and IT engineers, and if browser developers and IT engineers rely on web developers, then the service will never be secure. I believe that Facebook needs to step up to the plate and do everything in their means to create a safer application.

    Facebook would use your argument in its defense. The fact that it is a network issue is not good enough however, since they do have the ability to protect against it. Vulnerable exploits are vulnerable exploits. It doesn’t matter how the attacker gets in, what matters is that the attacker got in. I appreciate your funny examples of physical attacks, but most companies take this sort of stuff very seriously. There is a reason why lots of colocations are locked down and have cameras all over.
    Last edited by White_Eskimo; May 7th, 2007 at 09:58 PM.

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    We have had a similar discussion here recently. It was regarding e-mail services (Hotmail etc).

    Whilst the authentication may take place over a secure connection, the rest does not, so can be intercepted.

    A large part of the problem seems to be where the service does not recognise the user logging out, so the session remains open until some magic housekeeping process takes place.

    In my opinion it is a fundamental session management issue, and is not restricted to FaceBook by any means.

    I would note that it seems to be prevalent amongst "free" services?


  7. #7
    Senior Member
    Join Date
    May 2002
    Posts
    344
    Quote Originally Posted by nihil
    A large part of the problem seems to be where the service does not recognise the user logging out, so the session remains open until some magic housekeeping process takes place

    In my opinion it is a fundamental session management issue, and is not restricted to FaceBook by any means.
    Facebook now properly destroys sessions, so that has been taken care of. I went to work and noticed that flickr also suffers from session stealing. Their hashing algorithm computes the same session key each time. The result is that if you gain access to a single packet containing a logged in user's session key, you can always log in as that user. My paper was about how Web 2.0 companies do not place emphasis on security and privacy, and choose to focus on incorporating new features. A malicious user can completely wipe out an innocent user's flickr account, or destroy a user's facebook profile or picture database. I really think companies need to do something about this. Sessions need to be made much more secure by storing unique information on the client side as well as the server side.
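The two session-management weaknesses discussed in posts #3 and #7 (a session that survives logout, and a session key computed deterministically so it is identical on every login), side by side with the hardened version post #3 proposes (a random key, destroyed on logout, bound to an extra client-side identifier). This is an added illustration, not code from the paper or from either site; the client identifier is assumed to be a second random per-browser token, since binding to an IP address would break users behind NAT or proxies.

```python
import hashlib
import hmac
import secrets


class WeakSessions:
    """Constructed model of the flaws described in the thread: the key is a
    deterministic hash of the account name, so every login yields the same
    token, and logout never removes the record from the server-side store."""

    def __init__(self):
        self.active = {}

    def login(self, username):
        key = hashlib.sha256(username.encode()).hexdigest()
        self.active[key] = username
        return key

    def logout(self, key):
        pass  # nothing is invalidated; the key keeps working afterwards

    def lookup(self, key, client_id=None):
        return self.active.get(key)


class HardenedSessions:
    """Random, unguessable key; logout destroys the server-side record; the
    session is bound to a per-browser identifier (assumed to be a separate
    random cookie) so a captured session key alone does not authenticate."""

    def __init__(self):
        self.active = {}

    def login(self, username, client_id):
        key = secrets.token_urlsafe(32)  # fresh CSPRNG value on every login
        self.active[key] = (username, client_id)
        return key

    def logout(self, key):
        self.active.pop(key, None)  # server-side invalidation on logout

    def lookup(self, key, client_id):
        rec = self.active.get(key)
        if rec is None:
            return None
        username, bound_client = rec
        # Constant-time comparison of the bound identifier against the request.
        if not hmac.compare_digest(bound_client, client_id):
            return None
        return username
```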

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Quote Originally Posted by White_Eskimo
    The result is that if you gain access to a single packet containing a logged in user's session key, you can always log in as that user.
    That is a user security problem I would have thought. Why should the provider of a FREE SERVICE be expected to worry?

    Please remember that the majority of users of the internet are connecting in a way that is secure anyway. Unsecured wireless is not mandatory and networks are still largely corporate. Corporate networks are supposed to be secure and should not be used for these services anyway?

    The first question has to be, how did someone access the packets in the first place?

  9. #9
    Senior Member
    Join Date
    May 2002
    Posts
    344
    Quote Originally Posted by nihil
    That is a user security problem I would have thought. Why should the provider of a FREE SERVICE be expected to worry?

    Please remember that the majority of users of the internet are connecting in a way that is secure anyway. Unsecured wireless is not mandatory and networks are still largely corporate. Corporate networks are supposed to be secure and should not be used for these services anyway?

    The first question has to be, how did someone access the packets in the first place?
    Nihil, free or not, web 2.0 is based upon user generated content. If a user does not trust a service, they will not submit private content. If a user knows that anyone can easily obtain his/her credentials, then what is the point of a login?

    Accessing packets for malicious purposes is illegal as we all know. However, just because something is illegal doesn't mean that it is not done on a frequent basis. I agree that we should stop people from accessing packets as they travel along to their end destination, however I also believe that it is up to the service to protect themselves as best as possible. Imagine a jewelry shop with giant glass windows without an alarm system or bars anywhere. Smashing a window open to steal the goods inside is illegal, but it is very easy to do, and will probably happen sooner or later. We can only then hope that the bad guy is caught. I believe however that the jewelry store also has a responsibility to rely on additional protective measures to ensure that the bad guy cannot break in (alarms, bars, etc...). Facebook (and many other Web 2.0 sites) provide the bare minimum amount of security. Instead, they rely on the network and the browser to be secure. The UNIX philosophy is do one thing, and do it right. By relying on others to protect their service, you can bet that there will be several exploits.

    Web 2.0 sites will not change their security policy until users start making a fuss about the data they upload. Yes, Facebook and Flickr are free, but adding additional layers of security is not difficult and helps to build user trust.

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Quote Originally Posted by White_Eskimo
    Nihil, free or not, web 2.0 is based upon user generated content. If a user does not trust a service, they will not submit private content.
    I would imagine that the vast majority are not aware that there might be an issue.

    Quote Originally Posted by White_Eskimo
    If a user knows that anyone can easily obtain his/her credentials, then what is the point of a login?
    But anyone cannot do that. For example this is a wired ADSL connection that will only work down my telephone line ........... how can you easily intercept my traffic and obtain my credentials?

    If the majority of people used wireless and/or a communal network such as in a school or college then there might be an issue, but this does not describe the majority of users. In that situation it is really a case of the environment being fundamentally insecure in the first instance.

    Quote Originally Posted by White_Eskimo
    If a user does not trust a service, they will not submit private content.
    I would not have thought it was a good idea to submit private content anyway?

    You do have a point about assumptions being made. Many sites assume that you have a secure connection, because in the case of most private individuals that is probably true?

    They also assume that it is your responsibility to make sure that your system is secure.

    I would certainly accept criticism of sites for poor session management as that is just bad housekeeping. Most of the rest is really down to the user not understanding the insecurity of what they are doing.

    EDIT: I suppose you need to consider what these sites are about. They are supposed to be communities? I guess that when they were conceived nobody really thought about security because they didn't see them as potential targets for malicious people?

    The fact that they are personal in nature possibly led them to that conclusion.

    I don't know the details of how FP and Flickr work, but I would be curious to know if the cookie is still required after the session has been established? If it isn't, then deleting it would seem to be a solution.

    Otherwise only use these services in a discrete session and clear your cookies afterwards?

    http://antionline.com/showthread.php?t=274878

    That is the other thread about this sort of thing, but relating to e-mail services.
    Last edited by nihil; May 8th, 2007 at 09:05 AM.
