Friday, August 17, 2012

How Facebook lacked X-Frame-Options and what I did with it

In September 2011 I discovered a vulnerability that allowed an attacker to partially take control of a victim's Facebook account. Among other things, it allowed sending status updates on behalf of the user and sending friend requests to an attacker-controlled Facebook account. The vulnerability was responsibly disclosed as part of the Facebook Security Bug Bounty program and is now fixed.

Details

http[s]://www.facebook.com/plugins/serverfbml.php only used JavaScript for frame-busting and did not send the X-Frame-Options header. It was therefore possible to build a UI redressing content extraction attack that tricked the user into dragging the HTML source of that page into the attacker's page. This relied on Firefox's ability to display view-source: protocol pages in iframes AND its ability to perform drag & drop actions cross-origin (so only Firefox users were affected).

The mentioned page rendered FBML specified in a $_GET parameter. In this case <form><fb:captcha></form> was used as an exemplary FBML payload. The server response contained a JavaScript Env object with multiple sensitive user values:
{
  user:100001652298988,
  locale:"en_US",
  method:"GET",
  start:(new Date()).getTime(),
  ps_limit:5,
  ps_ratio:4,
  svn_rev:441515,
  static_base:"https:\/\/s-static.ak.facebook.com\/",
  www_base:"http:\/\/www.facebook.com\/",
  rep_lag:2,
  post_form_id:"eecde0da0dc4bc800d385dde5dd37608",
  fb_dtsg:"AQAUh3Jx",
  lhsh:"0AQAQVvsl",
  error_uri:".....",
  retry_ajax_on_network_error:"1",
  ajaxpipe_enabled:"1",
  theater_ver:"2"
};
In the source, apart from the user ID (privacy!), there are two interesting values: fb_dtsg and post_form_id. These values are a form of anti-CSRF token used by Facebook, and by knowing them an attacker could, e.g., post status updates on behalf of a logged-in user. In Firefox it was possible to trick the user into selecting and dragging these values to an attacker-controlled page.

So, if any user authenticated to Facebook navigated to the attacker's URL (e.g. via a link shared by a friend) and played a game, the attacker got access to the HTML source of the vulnerable Facebook page and came into possession of the user ID and CSRF tokens. Having those, he could perform multiple CSRF requests, relying on the fact that the victim's browser held the appropriate Facebook cookies.

Demo

In the demo I'm using a modified version of the double drag&drop UI redressing technique developed by Nafeez Ahamed (@skeptic_fx). As an exploitation example, a status update is posted for the victim user, and a friend request is sent to another user (e.g. the attacker). More is probably possible with these tokens, such as sharing or liking a given URL, but I haven't researched that.

Some fixes are quick, others...

The proposed fix was to send X-Frame-Options on the mentioned page. The vulnerability in Facebook was fixed, tested and deployed before Oct 14, 2011. However, the relevant Firefox bug #605991 (Drag-and-drop may be used to steal content across domains) waited 2 years, and the fix has only just shipped in Firefox 14. As of Firefox 14 you can no longer drag&drop content cross-domain. So, update your Firefoxes and stay safe!
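The server-side fix above is easy to verify from the response headers alone. The following audit helper is an added example, not code from the original post or from Facebook: it classifies a response's framing protection from its X-Frame-Options header (and the newer CSP frame-ancestors directive), and treats a page that relies only on JavaScript frame-busting as unprotected, since that script never runs when the document is loaded via view-source:. The header dictionaries are constructed samples, not captured responses.

```python
"""Classify the anti-framing protection advertised by HTTP response headers.

Added example, not part of the original post. Verdicts: 'deny', 'sameorigin',
'allowlist' or 'none'. A CSP frame-ancestors directive wins over
X-Frame-Options when both are present, matching how browsers that support
CSP Level 2 treat the pair. Anything that only frame-busts in JavaScript is
reported as 'none': the script does not execute in a view-source: frame.
"""


def _header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def framing_policy(headers):
    """Return (verdict, reason) describing the framing policy in `headers`."""
    csp = _header(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.strip("'").lower() for s in parts[1:]]
                if sources == ["none"]:
                    return "deny", "CSP frame-ancestors 'none'"
                if sources == ["self"]:
                    return "sameorigin", "CSP frame-ancestors 'self'"
                return "allowlist", "CSP frame-ancestors " + " ".join(parts[1:])
    xfo = _header(headers, "X-Frame-Options")
    if xfo:
        value = xfo.upper()
        if value == "DENY":
            return "deny", "X-Frame-Options: DENY"
        if value == "SAMEORIGIN":
            return "sameorigin", "X-Frame-Options: SAMEORIGIN"
        if value.startswith("ALLOW-FROM"):
            # Obsolete form; several browsers ignore it, so do not rely on it.
            return "allowlist", "X-Frame-Options: " + xfo + " (obsolete)"
        return "none", "unrecognised X-Frame-Options value: " + xfo
    return "none", "no X-Frame-Options or frame-ancestors; JS frame-busting alone is bypassable"


# Constructed samples: a response like the 2011 serverfbml.php one, and the fixed form.
VULNERABLE_2011 = {"Content-Type": "text/html; charset=utf-8", "Cache-Control": "private"}
FIXED = {"Content-Type": "text/html; charset=utf-8", "X-Frame-Options": "DENY"}

if __name__ == "__main__":
    for label, hdrs in (("vulnerable", VULNERABLE_2011), ("fixed", FIXED)):
        print(label, framing_policy(hdrs))
```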


11 comments:

  1. I have wanted cross-framing to be denied since I was a 4-year-old boy :)
     http://homakov.blogspot.com/2012/06/saferweb-with-new-features-come-new.html

    Actually, you can check the Alexa top 100 and continue hacking this way. The same goes for CSRF.

  2. What is this used for? Can I hack an FB account with that, or????
    Can someone please tell me if they tried the site www.hack-facebook-password.org? I noticed this site on some fan page but still can't figure out how to download this. Can you help me please, or send it to my inbox on FB? Thanks a lot.
