Researcher details Facebook CSRF flaw

Powered by SC Magazine

A security researcher has described a flaw that hackers could exploit to siphon Facebook users' personal information, without their knowledge, through the use of a rogue application.

Ronen Zilberman said that to be affected, a user must merely open an unrelated website, ideally an online forum, where the attacker has seeded a malicious image tag link. If successful, the perpetrator could evade privacy settings and retrieve victims' full names, profile pictures and friends lists.

He described the cross-site request forgery (CSRF) vulnerability -- which Facebook has since fixed -- on his Quaji blog.

Much of the blame for the bug rests on a site feature known as "Automatic Authentication", Zilberman said. This component allows Facebook applications to receive personal information about a user when he or she visits the application's "canvas page."

But Zilberman found a way for the hacker to receive that same information without the user knowingly interacting with any application. He was able to embed on a third-party website an IMG tag pointing at a page of the rogue application. If a user visited the site, Facebook would believe the user was actually interacting with the application, and thus the attacker could receive the data.

"We need a way to trick Facebook into (thinking) the app page it is (clandestinely) accessing is a result of the user's interaction," he said. "It turns out that a simple redirect from one page to another in the same application fools Facebook because the second request originates from a Facebook URL (the first request). Therefore, the second request activates 'Automatic Authentication' and personal info is sent."
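The following is an added model of the redirect trick described above; it is not Facebook's code, not Zilberman's proof of concept, and not Facebook's actual fix. The canvas host name, the app name, the user record and the signing key are all constructed, and "where the request came from" is abstracted as the URL that caused each request (the embedding page for the first hop, the redirecting page for later hops), which is how the article characterises the check. The hardened variant, which releases data only for a request carrying a platform-signed interaction token rather than merely for a request reached via a Facebook URL, is one plausible countermeasure chosen for illustration.

```python
"""Model of the redirect-based CSRF against 'Automatic Authentication'.

Everything here is constructed for illustration: host names, app name,
user record and the token-based hardening are assumptions, not Facebook's
implementation or its real fix.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

CANVAS_HOST = "apps.facebook.com"   # assumed host serving application canvas pages
APP = "rogueapp"                    # hypothetical rogue application
SECRET = b"platform-signing-key"    # assumed server-side key, never sent to apps

# Constructed record limited to what the article says was exposed.
ALICE = {"uid": 12345, "name": "Alice Example",
         "pic": "/profile/12345.jpg", "friends": [111, 222]}

received = []   # whatever the rogue application got during the last run


def from_facebook(origin):
    """The origin check the article describes: did this request come from a
    Facebook URL?  'origin' is the URL that caused the request (abstraction)."""
    host = urlparse(origin).hostname if origin else None
    return host is not None and (host == "facebook.com" or host.endswith(".facebook.com"))


def vulnerable_canvas(url, origin, user):
    """Canvas proxy whose 'Automatic Authentication' is fooled by a redirect
    between two pages of the same app.  Returns (status, redirect_location)."""
    path = urlparse(url).path
    if path == f"/{APP}/start":
        # Attacker-controlled first page: it simply bounces to a second page.
        return 302, f"https://{CANVAS_HOST}/{APP}/collect"
    if path == f"/{APP}/collect":
        # The second request 'originates' from a Facebook URL (the first
        # page), so the proxy treats it as user interaction and sends data.
        if user and from_facebook(origin):
            received.append(dict(user))
        return 200, None
    return 404, None


def sign_token(uid, app):
    """Token the platform would attach to a genuine click on an app link."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(SECRET, f"{uid}:{app}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_ok(token, uid, app):
    """Verify a token for this user and app; a real deployment would also
    expire it and accept it only once."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SECRET, f"{uid}:{app}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def hardened_canvas(url, origin, user):
    """Same app pages, but data is released only when the request carries a
    token the platform issued for a real click; arriving via a Facebook URL
    (which a same-app redirect can fake) is no longer enough.  Assumed fix."""
    parsed = urlparse(url)
    token = parse_qs(parsed.query).get("t", [""])[0]
    if parsed.path == f"/{APP}/start":
        # The attacker cannot mint a token, so the redirect cannot carry one.
        return 302, f"https://{CANVAS_HOST}/{APP}/collect"
    if parsed.path == f"/{APP}/collect":
        if user and token_ok(token, user["uid"], APP):
            received.append(dict(user))
        return 200, None
    return 404, None


def browser(server, url, page_url, user, max_hops=5):
    """Load a URL the way a browser fetches an <img>, following redirects.
    The first request is attributed to the embedding page, each redirected
    request to the URL that redirected it (simplified origin tracking)."""
    origin = page_url
    for _ in range(max_hops):
        status, location = server(url, origin, user)
        if status != 302:
            return status
        origin, url = url, location
    raise RuntimeError("too many redirects")


def img_tag_attack(server):
    """<img src="https://apps.facebook.com/rogueapp/start"> seeded on a forum
    and viewed by a logged-in Alice.  Returns what the app received."""
    received.clear()
    browser(server, f"https://{CANVAS_HOST}/{APP}/start",
            "https://forum.example/thread/42", ALICE)
    return list(received)


def legitimate_click(server):
    """Alice clicks the app from a Facebook page; the platform attaches a token."""
    received.clear()
    tok = sign_token(ALICE["uid"], APP)
    browser(server, f"https://{CANVAS_HOST}/{APP}/collect?t={tok}",
            "https://www.facebook.com/apps", ALICE)
    return list(received)


if __name__ == "__main__":
    print("vulnerable, img tag:", img_tag_attack(vulnerable_canvas))   # leaks Alice
    print("hardened, img tag:  ", img_tag_attack(hardened_canvas))     # []
    print("hardened, real click:", legitimate_click(hardened_canvas))  # Alice
```

Running the vulnerable proxy against the forum image tag shows the record leaving for the application with no interaction by Alice; the hardened proxy sends nothing for the same chain but still works for a genuine click, which is the property any fix for this class of bug has to preserve.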

Facebook has fixed the problem, but Zilberman said the issue could be present across other social networking sites.

"Our team pushed a fix for this bug on Monday, shortly after it was reported to us, and before the details were made public," Facebook spokesman Simon Axten told "The information exposed was very limited and included only the user's name, Facebook user ID, profile picture, and list of friends. User privacy settings were also respected. That is, if you had hidden certain information from platform applications, that information was still inaccessible. We have no evidence that the bug was ever used for malicious purposes."

Copyright © SC Magazine, US edition
