Researcher details Facebook CSRF flaw

Powered by SC Magazine

A security researcher has described a flaw that hackers could exploit to siphon Facebook users' personal information, without their knowledge, through the use of a rogue application.

Ronen Zilberman said that for the attack to work, a user need only open an unrelated website, ideally an online forum, where the attacker has seeded a malicious image tag link. If successful, the perpetrator could evade privacy settings and retrieve victims' full names, profile pictures and friends lists.

He described the cross-site request forgery (CSRF) vulnerability -- which Facebook has since fixed -- on his Quaji blog.

Much of the blame for the bug rests on a site feature known as "Automatic Authentication", Zilberman said. This component allows Facebook applications to receive personal information about a user when he or she visits the application's "canvas page."

But Zilberman found a way for the hacker to receive that same information without the user knowingly interacting with any application. He was able to embed an IMG tag on a third-party website. If a user visited the site, Facebook would believe the user was actually interacting with the application, and thus the attacker could receive the data.

"We need a way to trick Facebook into (thinking) the app page it is (clandestinely) accessing is a result of the user's interaction," he said. "It turns out that a simple redirect from one page to another in the same application fools Facebook because the second request originates from a Facebook URL (the first request). Therefore, the second request activates 'Automatic Authentication' and personal info is sent."
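The two authentication rules at issue here, modelled as an added illustration rather than Facebook's own code: the origin-based rule the article describes is replayed against the image-tag-then-redirect chain, beside a hardened rule that releases data only with a consent token bound to the user and app. The host name, the app name, and the representation of "where the request came from" are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

FACEBOOK_HOST = "apps.facebook.com"  # assumed canvas-page host for this example
SECRET = b"server-side-secret-constructed-for-this-example"


@dataclass
class CanvasRequest:
    """One request to an app's canvas page, as the platform sees it."""
    session_user: Optional[str]         # user identified by the session cookie
    previous_url: Optional[str]         # URL the platform believes it came from
    consent_token: Optional[str] = None


def release_by_origin(req: CanvasRequest) -> bool:
    """Vulnerable rule from the article: hand over profile data when the request
    appears to follow from a Facebook URL. A third-party <img> cannot satisfy
    this directly, but the follow-up request after an in-app redirect does."""
    if not req.session_user or not req.previous_url:
        return False
    host = req.previous_url.split("://", 1)[-1].split("/", 1)[0]
    return host == FACEBOOK_HOST


def issue_consent_token(user: str, app_id: str) -> str:
    """Hardened rule: a token minted only when the user renders the app page
    themselves, bound to user and app by an HMAC so that a request forged
    from another site cannot obtain or guess it."""
    nonce = secrets.token_hex(8)
    msg = f"{user}:{app_id}:{nonce}".encode()
    return f"{nonce}.{hmac.new(SECRET, msg, hashlib.sha256).hexdigest()}"


def release_by_token(req: CanvasRequest, app_id: str) -> bool:
    if not req.session_user or not req.consent_token or "." not in req.consent_token:
        return False
    nonce, mac = req.consent_token.split(".", 1)
    msg = f"{req.session_user}:{app_id}:{nonce}".encode()
    return hmac.compare_digest(mac, hmac.new(SECRET, msg, hashlib.sha256).hexdigest())


def redirect_chain(decide) -> tuple:
    """Replay the two-step chain the article describes. Step 1 is loaded by an
    <img> tag on a forum page (constructed URL); step 2 is the redirect target,
    which now appears to follow from a Facebook URL."""
    step1 = CanvasRequest("alice", "https://forum.example/thread/42")
    step2 = CanvasRequest("alice", f"https://{FACEBOOK_HOST}/rogueapp/start")
    return decide(step1), decide(step2)
```

Under the origin rule the second step releases data; under the token rule neither step does, because nothing in the chain ever rendered a page that could hand the browser a token.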

Facebook has fixed the problem, but Zilberman said the issue could be present across other social networking sites.

"Our team pushed a fix for this bug on Monday, shortly after it was reported to us, and before the details were made public," Facebook spokesman Simon Axten told "The information exposed was very limited and included only the user's name, Facebook user ID, profile picture, and list of friends. User privacy settings were also respected. That is, if you had hidden certain information from platform applications, that information was still inaccessible. We have no evidence that the bug was ever used for malicious purposes."

Copyright © SC Magazine, US edition
