Researcher details Facebook CSRF flaw

Powered by SC Magazine
 

A security researcher has described a flaw that hackers could exploit to siphon Facebook users' personal information, without their knowledge, through the use of a rogue application.

Ronen Zilberman said that to be infected, a user must merely open a non-related website, ideally an online forum, where the attacker has seeded a malicious image tag link. If successful, the perpetrator could evade privacy settings and retrieve victims' full names, profile pictures and friend's lists.

He described the cross-site request forgery (CSRF) vulnerability -- which Facebook has since fixed -- on his Quaji blog.

Much of the blame for the bug rests on a site feature known as "Automatic Authentication", Zilberman said. This component allows Facebook applications to receive personal information about a user when he or she visits the application's "canvas page."

But Zilberman found a way for the hacker to receive that same information without the user knowingly interacting with any application. He was able to embed an IMG tag on a third-party website. If a user visited the site, Facebook would believe the user was actually interacting with the application, and thus the attacker could receive the data.

"We need a way to trick Facebook into (thinking) the app page it is (clandestinely) accessing is a result of the user's interaction," he said. "It turns out that a simple redirect from one page to another in the same application fools Facebook because the second request originates from a Facebook URL (the first request). Therefore, the second request activates 'Automatic Authentication' and personal info is sent."

Facebook has fixed the problem, but Zilberman said the issue could be present across other social networking sites.

"Our team pushed a fix for this bug on Monday, shortly after it was reported to us, and before the details were made public," Facebook spokesman Simon Axten told SCMagazineUS.com. "The information exposed was very limited and included only the user's name, Facebook user ID, profile picture, and list of friends. User privacy settings were also respected. That is, if you had hidden certain information from platform applications, that information was still inaccessible. We have no evidence that the bug was ever used for malicious purposes."

See original article on scmagazineus.com

Copyright © SC Magazine, US edition


 
 
 
Top Stories
Matching databases to Linux distros
Reviewed: OS-repository DBMSs, MariaDB vs MySQL.
 
Coalition's NBN cost-benefit study finds in favour of MTM
FTTP costs too much, would take too long.
 
Who'd have picked a BlackBerry for the Internet of Things?
[Blog] BlackBerry has a more secure future in the physical world.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  71%
 
Advanced persistent threats
  3%
 
Unpatched or unsupported software vulnerabilities
  11%
 
Denial of service attacks
  6%
 
Insider threats
  10%
TOTAL VOTES: 756

Vote