-
May 7th, 2007, 10:11 PM
#1
 Originally Posted by nihil
A large part of the problem seems to be where the service does not recognise the user logging out, so the session remains open until some magic housekeeping process takes place
In my opinion it is a fundamental session management issue, and is not restricted to FaceBook by any means.
Facebook now properly destroys sessions, so that has been taken care of. I went to work and noticed that flickr also suffers from session stealing. Their hashing algorithm computes the same session key each time. The result is that if you gain access to a single packet containing a logged in user's session key, you can always log in as that user. My paper was about how Web 2.0 companies do not place emphasis on security and privacy, and choose to focus on incorporating new features. A malicious user can completely wipe out an innocent user's flickr account, or destroy a user's facebook profile or picture database. I really think companies need to do something about this. Sessions need to be made much more secure by storing unique information on the client side as well as the server side.
Support your right to arm bears.

^^This was the first video game which i played on an old win3.1 box
-
May 7th, 2007, 10:35 PM
#2
The result is that if you gain access to a single packet containing a logged in user's session key, you can always log in as that user.
That is a user security problem I would have thought. Why should the provider of a FREE SERVICE be expected to worry?
Please remember that the majority of users of the internet are connecting in a way that is secure anyway. Unsecured wireless is not mandatory and networks are still largely corporate. Corporate networks are supposed to be secure and should not be used for these services anyway?
The first question has to be, how did someone access the packets in the first place?
-
May 7th, 2007, 11:10 PM
#3
 Originally Posted by nihil
That is a user security problem I would have thought. Why should the provider of a FREE SERVICE be expected to worry?
Please remember that the majority of users of the internet are connecting in a way that is secure anyway. Unsecured wireless is not mandatory and networks are still largely corporate. Corporate networks are supposed to be secure and should not be used for these services anyway?
The first question has to be, how did someone access the packets in the first place?
Nihil, free or not, web 2.0 is based upon user generated content. If a user does not trust a service, they will not submit private content. If a user knows that anyone can easily obtain his/her credentials, then what is the point of a login?
Accessing packets for malicious purposes is illegal as we all know. However, just because something is illegal doesn't mean that it is not done on a frequent basis. I agree that we should stop people from accessing packets as they travel along to their end destination, however I also believe that it is up to the service to protect themselves as best as possible. Imagine a jewelry shop with giant glass windows without an alarm system or bars anywhere. Smashing a window open to steal the goods inside is illegal, but it is very easy to do, and will probably happen sooner or later. We can only then hope that the bad guy is caught. I believe however that the jewelry store also has a responsibility to rely on additional protective measures to ensure that the bad guy cannot break in (alarms, bars, etc...). Facebook (and many other Web 2.0 sites) provide the bare minimum amount of security. Instead, they rely on the network and the browser to be secure. The UNIX philosophy is do one thing, and do it right. By relying on others to protect their service, you can bet that there will be several exploits.
Web 2.0 sites will not change their security policy until users start making a fuss about the data they upload. Yes, Facebook and Flickr are free, but adding additional layers of security is not difficult and helps to build user trust.
-
May 8th, 2007, 01:01 AM
#4
Nihil, free or not, web 2.0 is based upon user generated content. If a user does not trust a service, they will not submit private content.
I would imagine that the vast majority are not aware that there might be an issue.
If a user knows that anyone can easily obtain his/her credentials, then what is the point of a login?
But anyone cannot do that. For example this is a wired ADSL connection that will only work down my telephone line ........... how can you easily intercept my traffic and obtain my credentials?
If the majority of people used wireless and/or a communal network such as in a school or college then there might be an issue, but this does not describe the majority of users. In that situation it is really a case of the environment being fundamentally insecure in the first instance.
If a user does not trust a service, they will not submit private content.
I would not have thought it was a good idea to submit private content anyway?
You do have a point about assumptions being made. Many sites assume that you have a secure connection, because in the case of most private individuals that is probably true?
They also assume that it is your responsibility to make sure that your system is secure.
I would certainly accept criticism of sites for poor session management as that is just bad housekeeping. Most of the rest is really down to the user not understanding the insecurity of what they are doing.
EDIT: I suppose you need to consider what these sites are about. They are supposed to be communities? I guess that when they were conceived nobody really thought about security because they didn't see them as potential targets for malicious people?
The fact that they are personal in nature possibly led them to that conclusion.
I don't know the details of how FP and Flickr work, but I would be curious to know if the cookie is still required after the session has been established? If it isn't, then deleting it would seem to be a solution.
Otherwise only use these services in a discrete session and clear your cookies afterwards?
http://antionline.com/showthread.php?t=274878
That is the other thread about this sort of thing but relating to e-mail services
Last edited by nihil; May 8th, 2007 at 09:05 AM.
-
May 8th, 2007, 09:08 AM
#5
 Originally Posted by nihil
I would imagine that the vast majority are not aware that there might be an issue.
That's where education and awareness programs come into play
 Originally Posted by nihil
But anyone cannot do that. For example this is a wired ADSL connection that will only work down my telephone line ........... how can you easily intercept my traffic and obtain my credentials?
I don't know how you define easy, but there are generally many ways to take advantage of a security exploit. MITM attacks are the simplest, so I used them for reference. There have been many browser "hacks" that allow scripts to violate the same site origin policy. Signed scripts allow for this as well. It would be easy to send a random user on a subnet far far away a link that would perform some type of XSS attack. Maybe not a 10 minute hack, but still very possible.
 Originally Posted by nihil
If the majority of people used wireless and/or a communal network such as in a school or college then there might be an issue, but this does not describe the majority of users. In that situation it is really a case of the environment being fundamentally insecure in the first instance.
Here in the US, most of the people on Facebook are college kids. In fact, eMarketer released a survey stating that Facebook is the most visited site for females ages 17 - 25. (http://www.emarketer.com/Article.aspx?1004636) My campus’s wireless network is open and insecure. If I were to stick up a wireless repeater behind a hub, and sniff the link waiting for people to join, I could easily sniff their traffic. Obviously, this is illegal and would most likely get me kicked out, but it IS possible to do, and I wouldn’t be surprised if some have gotten away with it. The fact of the matter is that just because something is illegal, people/corporations shouldn't assume that it won't be done. Their best bet is to implement additional security features.
 Originally Posted by nihil
You do have a point about assumptions being made. Many sites assume that you have a secure connection, because in the case of most private individuals that is probably true?
I don't mean to sound paranoid, but I never assume an online connection is secure. I think that web services should implement additional layers of security in order to render my experience more secure. Obviously, there is a limit as to what a company should do, but just because I use their free service doesn't entitle my account to be randomly hacked. In fact, if my account ever was hacked while using a free service, I would probably never upgrade to the full version!
 Originally Posted by nihil
They also assume that it is your responsibility to make sure that your system is secure.
You are right and they are unfortunately wrong. No one should assume anything about my system. Building a web service that is only capable of running in a certain browser, with JavaScript enabled, for a Windows machine is a very bad approach. Again, obviously most web services won't be able to support every single browser and set up out there, but still, I would expect a larger service like Flickr or Facebook to take the time to ensure that their services work properly (and securely) on most systems. They can't do much about a keylogger as d34dl0k1 pointed out, but they definitely should be doing all they can do!
 Originally Posted by nihil
I would certainly accept criticism of sites for poor session management as that is just bad housekeeping. Most of the rest is really down to the user not understanding the insecurity of what they are doing.
Unfortunately we live in a world where very few users actually are aware of the dangers they face on the Web. I believe that the few individuals out there with knowledge must stand up to protect the rights of others. Users upload tons of pictures on Flickr and Facebook. If my friends had the entire “first year of college” picture album erased by some punk hacker, I am sure they would be pissed. Just because users aren’t aware of a vulnerability doesn’t mean that the vulnerability shouldn’t be fixed.
 Originally Posted by nihil
EDIT: I suppose you need to consider what these sites are about. They are supposed to be communities? I guess that when they were conceived nobody really thought about security because they didn't see them as potential targets for malicious people?
The fact that they are personal in nature possibly led them to that conclusion.
I don't know the details of how FP and Flickr work, but I would be curious to know if the cookie is still required after the session has been established? If it isn't, then deleting it would seem to be a solution.
Otherwise only use these services in a discrete session and clear your cookies afterwards?
yup, cookies are still required after login for both sites. I really do think that the best solution is to store the user's IP address inside of the spawned session. If someone tries to access the site with the same cookie credentials but the wrong IP address, they will be denied access. If they attempt to spoof the IP address, then the server will respond to the spoofed IP address and NOT the malicious hacker. The innocent user's machine will deny the packet automatically because there was never a request made. Information should be stored both on the client and server side. If all of the necessary information is stored in one area, it is very prone to failure and attack.
After researching this stuff and developing a lot of crap myself, I have come to the conclusion that Web 2.0 still has a huge amount of room for improvement. My paper talks about web services incorporating technologies that renders their site more vulnerable to being exploited. Sure there is more eye candy and fancy features, but if someone can destroy my entire account, then what is the point? As sites rely on more technology, they must also be willing to dedicate the time and assets to create a secure user experience. Web services should not bet on the fact that their users are too dumb to understand security vulnerabilities, and they should not just assume that the browser and network are secure.
Sorry nihil for writing you a textbook ☺ Thank you very much for your comments! I really do think that we need more people thinking about this sort of stuff and realizing how much change is needed.
-
May 8th, 2007, 12:24 PM
#6
Well I think that I know the answer to this one:
Sure there is more eye candy and fancy features, but if someone can destroy my entire account, then what is the point?
Literally hundreds of millions of dollars when they sell these outfits on........just look at YouTube for example.
In October 2006, Google Inc. announced that it had reached a deal to acquire the company for US$1.65 billion in Google's stock.
As for e-mail, just look at the difference between paid for services and free ones.......... that IS deliberate you know?
-
May 8th, 2007, 05:44 PM
#7
 Originally Posted by White_Eskimo
I really do think that the best solution is to store the user's IP address inside of the spawned session. If someone tries to access the site with the same cookie credentials but the wrong IP address, they will be denied access. If they attempt to spoof the IP address, then the server will respond to the spoofed IP address and NOT the malicious hacker. The innocent user's machine will deny the packet automatically because there was never a request made. Information should be stored both on the client and server side. If all of the necessary information is stored in one area, it is very prone to failure and attack.
Hey Nihil, I was hoping we could change the direction of the conversation so that I can get your input about my suggested fix.
What do you think of storing unique information on both the server and client side. In order to protect NATed users, I recommend storing both the user's IP address and his/her MAC address. Because each IP address must be mapped to a single MAC address according to RFC 826 (ARP), a malicious hacker on the NATed subnet cannot spoof a user's account. If she/he were to make a request and spoof the correct user's MAC address, the NAT router would attempt to route the packet back to the computer with the original user's MAC address where it would be dropped. I think that this is the best solution. The only downside is that the server needs to store more information in RAM. Do you see any failures or problems with this approach that I may have overlooked? Thanks!
Last edited by White_Eskimo; May 8th, 2007 at 07:33 PM.
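The thread raises three concrete session-management points: a session key that is a deterministic function of account data (post #1, "computes the same session key each time"), sessions that survive logout, and the proposal in posts #5 and #7 to bind a session to the client's address. The following is an added example written for this page, not code from the posts nor from Facebook or Flickr; the class and function names, the constructed example addresses (203.0.113.x / 198.51.100.x) and the timestamps are all assumptions. It contrasts the deterministic "key" pattern with a server-side store that issues a fresh CSPRNG identifier on every login, drops the session on logout, enforces an idle timeout, binds each session to the source IP the server observed at login, and sets the cookie with `Secure` and `HttpOnly` so it is neither sent in the clear nor readable by page script. One caveat on the MAC-address part of the proposal: a web server across the Internet only ever sees the source IP of the packets it receives (link-layer addresses are rewritten at every hop), so IP is the only network identity a server can bind to, and users behind a shared NAT or on changing addresses are the trade-off to weigh when doing so.

```python
"""Session store demo: unpredictable IDs, logout, idle timeout, IP binding.

Added example, not the code of any site discussed in the thread.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


def weak_session_key(username: str, password_hash: str) -> str:
    """The pattern criticised in post #1, kept only as the 'before' case:
    the key is a deterministic function of stable account data, so every
    login yields the same value and one captured copy stays valid for good."""
    return hashlib.sha1(f"{username}:{password_hash}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    client_ip: str      # source IP observed by the server at login time
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table keyed by an unguessable identifier."""

    def __init__(self, idle_timeout: int = 1800, bind_ip: bool = True):
        self._sessions: Dict[str, Session] = {}
        self.idle_timeout = idle_timeout
        self.bind_ip = bind_ip

    def login(self, user: str, client_ip: str, now: Optional[float] = None) -> str:
        """Issue a brand-new 256-bit ID from the OS CSPRNG on every login."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client_ip, now, now)
        return sid

    def cookie_header(self, sid: str) -> str:
        """Secure: never sent over plain HTTP; HttpOnly: not readable by script."""
        return f"Set-Cookie: sid={sid}; Secure; HttpOnly; Path=/"

    def resolve(self, sid: str, client_ip: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a presented cookie, or None if it is not valid."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None                      # unknown or already logged out
        if now - s.last_seen > self.idle_timeout:
            del self._sessions[sid]          # idle too long: housekeeping done here, not "by magic"
            return None
        if self.bind_ip and s.client_ip != client_ip:
            # Same cookie value from a different address: deny without touching
            # the session, so a replayed cookie cannot log the real user out.
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid: str) -> bool:
        """Destroy the server-side record; the cookie value is now worthless."""
        return self._sessions.pop(sid, None) is not None


def demo() -> Dict[str, bool]:
    """Walk through the thread's scenarios with constructed addresses and times."""
    store = SessionStore(idle_timeout=60)
    t0 = 1_000_000.0
    sid = store.login("alice", "203.0.113.10", now=t0)
    results = {
        "same_ip_ok": store.resolve(sid, "203.0.113.10", now=t0 + 5) == "alice",
        "other_ip_denied": store.resolve(sid, "198.51.100.7", now=t0 + 6) is None,
        "real_user_still_ok": store.resolve(sid, "203.0.113.10", now=t0 + 7) == "alice",
    }
    results["after_logout_denied"] = (
        store.logout(sid) and store.resolve(sid, "203.0.113.10", now=t0 + 8) is None
    )
    sid2 = store.login("alice", "203.0.113.10", now=t0 + 10)
    results["new_login_new_key"] = sid2 != sid
    results["idle_expired"] = store.resolve(sid2, "203.0.113.10", now=t0 + 100) is None
    results["weak_key_repeats"] = weak_session_key("alice", "h") == weak_session_key("alice", "h")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Whether to bind on IP at all is a policy decision rather than a code one: with `bind_ip=False` the store still gives unguessable, revocable, expiring sessions, which on its own removes the "one captured key works forever" problem, and the address check is an extra layer whose cost is false denials for users whose address changes mid-session.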