Informatics students discover, alert Facebook to threat allowing access to private data, bogus messaging

Feb 03, 2011
IU Bloomington School of Informatics and Computing PhD students Rui Wang, left, and Zhou Li discovered and reported the privacy vulnerability to Facebook last month.

(PhysOrg.com) -- A Facebook security vulnerability discovered by a pair of doctoral students at Indiana University Bloomington's School of Informatics and Computing that allowed malicious websites to uncover a visitor's real name, access their private data and post bogus content on their behalf has been repaired, Facebook has confirmed.

The vulnerability discovered by Rui Wang and Zhou Li enabled malicious websites to impersonate legitimate websites, and then obtain the same data access permissions on Facebook that those legitimate websites had received.

Wang and Li said the vulnerability occurred when a user informed Facebook of his or her willingness to share information with popular websites like ESPN.com or . Whenever a website makes such a request to Facebook via the user's browser, Facebook passes a secret random string called an authentication token back to the requestor for identification. Whoever holds that authentication token can convince Facebook that they are, say, ESPN.com and then gain unfettered access to the shared data.

Facebook confirmed the discovery and in a statement said the problem was repaired and that the belief was that no sites had been compromised.

"Researchers at Indiana University reported a vulnerability in our Platform code to us, and we worked quickly with them to resolve it. It was fixed shortly after it was reported. We're not aware of any cases in which it was used maliciously," the statement said. "We thank the researchers at Indiana University for bringing this to our attention, and for demonstrating the value of responsible disclosure."

The researchers identified a flaw in the way the token was transmitted using two Flash objects: one inside Facebook's iframe passes the token to the second, which in this case would be embedded at ESPN.com. The transfer mode can be selected through "transport='flash'" with the security guarantee being that both flash objects are supposed to come from the same domain (i.e., Facebook) before they can talk.

The researchers found, however, that such a same-domain assumption is not always valid because Adobe Flash allows cross-domain communication with an unpredictable domain name that is prepended by an underscore symbol in the connection name. This allows an attacker website to steal an authentication token by choosing the transport='flash,' replacing the receiver flash with its own and then initiating a cross-domain communication with the flash inside the Facebook-controlled iframe to get the token and send it to the attacker's flash.

"This vulnerability has several implications," Wang said. "Basically, any user with a valid Facebook session loses anonymity and privacy to any website, even one with embarrassing or sensitive content."

Facebook allows some websites like bing.com to directly access a user's public data without explicit consent. This enables the malicious website impersonating that site to do the same. Moreover, if the user has ever granted any website, such as The New York Times, YouTube, Farmville or ESPN, the permission to connect to their Facebook account, further damage can be inflicted, including disclosure of that the user does not want to share with others, and impersonation of the user to post bogus news or comments on friends' walls. This form of propagation resembles the famous MySpace worm released in 2005, they said.

The researchers created a video demonstration of how the Facebook bug worked:

This video is not supported by your browser at this time.

"Our attack utilized a feature of Adobe Flash called unpredictable communication, and an important distinction between an unpredictable communication and a normal communication is that the former is done through a connection where the name starts with an underscore symbol," Li said. "Therefore, Facebook could check for this symbol to determine if a potentially malicious website tries to do unpredictable communication."

And that is exactly what Facebook started to do once they were alerted to the problem by Wang and Li, who were working under the supervision of School of Informatics and Computing Associate Professor XiaoFeng Wang and Shuo Chen, a researcher in Microsoft Research's Internet Services Research Center.

XiaoFeng Wang, the students' adviser, said Facebook relies on same-domain communications that allow websites to specify Adobe Flash as the communication mechanism.

"In a normal situation, two flash objects can only do same-domain communications, and, in fact, security of Facebook's authentication crucially depends on same-domain restrictions," he explained. "However, Facebook allowed the communication mechanism but did not disallow the unpredictable domain names. This is how a malicious website could establish a channel to enable two flash objects in different domains to communicate."

To portray the seriousness of the vulnerability, the team made a video demo that can be viewed here.

Facebook officials noted that a contact form at both the Facebook Help Center and from the "Whitehats" tab on the Security Page are available in the rare instances in which vulnerabilities are found.

"We also recently rewrote our responsible disclosure policy to make it even easier for researchers to let us know when they find a vulnerability, so we can fix it quickly and before it's exploited. Our new policy was praised by the Electronic Frontier Foundation in a recent blog post here," the statement said.

Explore further: UT Dallas professor to develop framework to protect computers' cores

Related Stories

Europe slams Facebook's privacy settings

May 13, 2010

Europe slammed as unacceptable the changes by social networking website Facebook to its privacy settings, that would allow the profiles of its users to be made available to third party websites.

Social networking aggregator sues Facebook

Jul 10, 2009

(AP) -- In a counter-punch to the world's biggest online hangout, a small Web company called Power.com has sued Facebook, saying it doesn't follow its own policy of giving users control over their content.

30,000 quit Facebook in protest

May 31, 2010

A group protesting Facebook's privacy policies said Monday more than 30,000 people had heeded its call to quit the social networking giant.

Recommended for you

User comments : 3

Adjust slider to filter visible comments by rank

Display comments: newest first

nada
5 / 5 (1) Feb 03, 2011
Well, what do ya want, a *&^#% medal or something!?!

Oh - I guess you do!
SkiSci
5 / 5 (1) Feb 03, 2011
That picture is priceless
twasnow
not rated yet Feb 04, 2011
I hope these two got some money like 50 grand or so, that could have been a huge lawsuit against facebook!

or maybe jobs... if they wanted them.

More news stories

Ex-Apple chief plans mobile phone for India

Former Apple chief executive John Sculley, whose marketing skills helped bring the personal computer to desktops worldwide, says he plans to launch a mobile phone in India to exploit its still largely untapped ...

Airbnb rental site raises $450 mn

Online lodging listings website Airbnb inked a $450 million funding deal with investors led by TPG, a source close to the matter said Friday.

Health care site flagged in Heartbleed review

People with accounts on the enrollment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the ...

A homemade solar lamp for developing countries

(Phys.org) —The solar lamp developed by the start-up LEDsafari is a more effective, safer, and less expensive form of illumination than the traditional oil lamp currently used by more than one billion people ...

NASA's space station Robonaut finally getting legs

Robonaut, the first out-of-this-world humanoid, is finally getting its space legs. For three years, Robonaut has had to manage from the waist up. This new pair of legs means the experimental robot—now stuck ...

Filipino tests negative for Middle East virus

A Filipino nurse who tested positive for the Middle East virus has been found free of infection in a subsequent examination after he returned home, Philippine health officials said Saturday.

Egypt archaeologists find ancient writer's tomb

Egypt's minister of antiquities says a team of Spanish archaeologists has discovered two tombs in the southern part of the country, one of them belonging to a writer and containing a trove of artifacts including reed pens ...