In September 2011 I discovered a vulnerability that allowed an attacker to partially take control of a victim's Facebook account. Among other things, it allowed sending status updates on behalf of the user and sending friend requests to an attacker-controlled Facebook account. The vulnerability was responsibly disclosed as part of the Facebook Security Bug Bounty program and is now fixed.
Details
http[s]://www.facebook.com/plugins/serverfbml.php only used JavaScript for frame-busting and did not send an X-Frame-Options header. It was possible to build a UI redressing content-extraction attack that tricked the user into dragging the HTML source of that page into an attacker's page. This relied on Firefox's ability to display view-source: protocol pages in iframes AND its ability to perform drag & drop actions cross-origin (so only Firefox users were affected).

The mentioned page rendered the FBML specified in a $_GET parameter. In this case <form><fb:captcha></form> was used as an example FBML payload. In the server response there was a JavaScript Env object with multiple sensitive user values:
{
  user: 100001652298988,
  locale: "en_US",
  method: "GET",
  start: (new Date()).getTime(),
  ps_limit: 5,
  ps_ratio: 4,
  svn_rev: 441515,
  static_base: "https:\/\/s-static.ak.facebook.com\/",
  www_base: "http:\/\/www.facebook.com\/",
  rep_lag: 2,
  post_form_id: "eecde0da0dc4bc800d385dde5dd37608",
  fb_dtsg: "AQAUh3Jx",
  lhsh: "0AQAQVvsl",
  error_uri: ".....",
  retry_ajax_on_network_error: "1",
  ajaxpipe_enabled: "1",
  theater_ver: "2"
};

In the source, apart from the user ID (privacy!), there are two more interesting values: fb_dtsg and post_form_id. These values are the anti-CSRF tokens used by Facebook, and by knowing them an attacker could e.g. post status updates on behalf of the logged-in user. In Firefox it was possible to trick the user into selecting and dragging these values to an attacker-controlled page.
So, if any user authenticated to Facebook navigated to the attacker's URL (e.g. via a link shared by a friend) and played a game, the attacker got access to the HTML source of the vulnerable Facebook page and came into possession of the user ID and the CSRF tokens. Having those, he could perform multiple CSRF requests, relying on the fact that the victim's browser held the appropriate Facebook cookies.
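The root cause above is a page that relied on script frame-busting alone. As an added example (not code from the original post or from Facebook), here is a small check that inspects a response's headers for a real framing restriction, either X-Frame-Options or the later CSP frame-ancestors directive, run over constructed header sets for the unprotected page and for the header-based fix.

```python
from typing import Mapping, Optional, Tuple


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def framing_protection(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Decide whether a response restricts framing by other origins.

    CSP frame-ancestors takes precedence over X-Frame-Options in browsers
    that support both, so it is checked first. Script-based frame-busting
    is deliberately not counted: it runs inside the framed page and is not
    a reliable control, which is why a response header was the fix.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.strip("'").lower() for s in parts[1:]]
                if "*" in sources:
                    return False, "CSP frame-ancestors permits any origin"
                return True, "CSP frame-ancestors " + " ".join(sources)
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return False, "no X-Frame-Options or frame-ancestors: page can be framed cross-origin"
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options: " + value
    if value.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is ignored by browsers that do not support it"
    return False, "unrecognised X-Frame-Options value: " + xfo


# Constructed sample header sets (not captured from Facebook).
UNPROTECTED = {  # headers only, as on the vulnerable page: frame-busting lived in script
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "private, no-store",
}
FIXED = dict(UNPROTECTED, **{"X-Frame-Options": "DENY"})  # the proposed fix

if __name__ == "__main__":
    for name, hdrs in (("unprotected", UNPROTECTED), ("fixed", FIXED)):
        ok, why = framing_protection(hdrs)
        print(f"{name}: {'protected' if ok else 'FRAMEABLE'} ({why})")
```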
Demo
In the demo I'm using a modified version of the double drag&drop UI redressing technique developed by Nafeez Ahamed (@skeptic_fx). As an exploitation example, a status update is posted for the victim user, and a friend request is sent to another user (e.g. the attacker). Of course, more is possibly achievable with these tokens, like sharing or liking a given URL, but I haven't researched that.

Some fixes are quick, others...
The proposed fix was to send X-Frame-Options on the mentioned page. The vulnerability in Facebook was fixed, tested and deployed before Oct 14, 2011. However, the relevant Firefox bug #605991 (Drag-and-drop may be used to steal content across domains) waited 2 years, and the fix has just been deployed in Firefox 14. As of Firefox 14 you can no longer drag&drop content cross-domain. So - update your Firefoxes and stay safe!

Hungry for more?
- HTML5: something wicked this way comes - description of various current UI redressing vectors
- Imgur.com session hijacking - the first attack using a similar technique
- Minus.com arbitrary file upload - another one
- Facebook Graph API token stealing - description of double drag & drop