In September 2011 I discovered a vulnerability that allowed an attacker to partially take control of a victim's Facebook account. Among other things, it allowed the attacker to post status updates on behalf of the user and to send friend requests to an attacker-controlled Facebook account. The vulnerability was responsibly disclosed as part of the Facebook Security Bug Bounty program and is now fixed.
Showing posts with label facebook. Show all posts
Friday, August 17, 2012
Thursday, March 17, 2011
Who's behind Facebook clickjacking scams?
Clickjacking is a pretty advanced technique even for security-minded programmers. I guess most pentesters would have a hard time quickly preparing a robust demonstration of a clickjacking attack. It requires some advanced CSS, JavaScript and HTML knowledge: one needs to know how to hide content, how to make it follow the mouse, and how to account for all the browser quirks. Clearly the guys behind the Facebook clickjacking *.info scams have some exceptional skills. Or do they?
Recently I got an email from one of my readers: he analyzed the actual code used in an attack, did some googling around for snippets of it, and found the person who is (supposedly; we have no proof yet) the author of the code used in recent attacks. Meet bhav, and tremble before his mighty coder skills!
Monday, October 18, 2010
Dont-Text.info / FightingGuy.info facebook worm - full analysis
Today another Facebook worm utilising a clickjacking attack is spreading; as of now it has infected around 7000 profiles (yes, we do have the stats :). It's spreading, as usual, as a link on your friends' Facebook pages with the text I will never text Again After seeing this!!:
[Screenshot: the spreading post, "I will never text Again After seeing this!!"]
There are many variants available, e.g. This American GUY must be Stoned to Death for doing this to a GIRL (NO SURVEYS)
Update: As I suspected, there are additional domains hosting the same worm. Dangerous texts / domains also include (do a reverse IP lookup to find more):
- happy-mc-meals.info - OMG... Look What This 6 YEAR OLD found in Her HAPPY MEAL from McDonalds! (NO SURVEYS)
- craziestguy.info - This American GUY must be Stoned to Death for doing this to a GIRL (NO SURVEYS)
- stupid-dress.info - Girl Gets Kicked Out Of School For DRESSING LIKE THIS! OMG!
- girls-secrets.us - 21 Things Women Can Do That Guys Cant!
- nevertexting.info
- never-text.info
- crazyamerican.info
- usabadguy.info
- guy-girl.info
- bad-meals.info
- usa-guy.info
- guy-fight.info
- usa-fight.info
See below for an analysis of what the worm actually does and to do some hacking with it. As a bonus, you will get a live page for analysing how the worm spreads.
I published the source code files for the dont-text.info worm, so feel free to consult them if you're interested in all the details. Here I will only discuss the actions of the worm from the user's and the technical perspective.
Tuesday, October 5, 2010
Serious security flaws in Facebook revealed today
Today some XSS and CSRF vulnerabilities in Facebook discovered by John Jean have been reported. They are already patched, so this is just educational material, but it's extremely interesting nonetheless. The disclosure touches various subjects, so I'd like to comment on them. I attach demonstration videos, but I recommend reading the whole article; it's worth it.
Tuesday, September 21, 2010
"The Hottest girls on Facebook" everonia.com malware analysis
Another worm spreading with the clickjacking technique is now active, targeting Facebook users. If your FB friends display something similar to this:
[Screenshot: "The hottest girls on facebook" post linking to everonia.com]
don't follow the link. If you're curious about what is happening and how the attack works, read on.
Monday, August 30, 2010
MakeMeLaughNow - analysis of new generation facebook worm
A new Facebook worm, the malicious application 'makemelaughnow', is out in the wild.
It escapes the FB sandbox mechanisms and activates BEFORE displaying the credentials form: merely by visiting the application home page you send messages to your friends and update your status.
As the news on niebezpiecznik.pl says, it uses the Facebook mobile site (touch.facebook.com) to propagate. I did a quick analysis; let's take a look at what exactly is going on in the app code.
Wednesday, December 23, 2009
5 ways to prevent clickjacking on your website (and why they suck)
Clickjacking is a very nasty attack. In its most common form an attacker creates a webpage and tricks the visitor into clicking somewhere (on a link, button or image). In the code of his website the attacker includes a victim website (like Facebook, your webmail or Amazon) that is cleverly hidden from the user and placed so that the user actually clicks on the victim website. Citing the example from the OWASP page on clickjacking:
For example, imagine an attacker who builds a web site that has a button on it that says "click here for a free iPod". However, on top of that web page, the attacker has loaded an iframe with your mail account, and lined up exactly the "delete all messages" button directly on top of the "free iPod" button. The victim tries to click on the "free iPod" button but instead actually clicked on the invisible "delete all messages" button. In essence, the attacker has "hijacked" the user's click, hence the name "Clickjacking".
The problem with the clickjacking attack is that it is extremely difficult to prevent. Unlike other popular vulnerabilities like CSRF, XSS and SQL injection, this one is based on functionality that is widely used on the web nowadays: frames (I'm skipping the case of plugin-based clickjacking for clarity here). Frames allow you to nest one webpage or widget in another page; this is now used for login pages, commenting, previewing content in CMSes, JavaScript interactions and a million other things.
Browsers nowadays use the same-origin policy to protect your data if you're framing or being framed from another domain (this prevents the two documents' JavaScript from talking to each other and accessing documents across the domain boundary). But JavaScript is not required for a clickjacking attack; CSS is enough. In the simplest form (e.g. the one used in the recent attack on Facebook users), you just use a small <iframe> and position it absolutely. The rest is social engineering.
Our users have a few options to protect themselves, so maybe 1% of them will be "protected". But what can we, web developers, do to prevent clickjacking on our sites? Sadly, not much, but here's the list:
Monday, December 21, 2009
New Facebook clickjacking attack in the wild - fb.59.to
There's a malicious website set up at http://fb.59.to that tries to trick users, via a clickjacking attack, into sharing the link on their Facebook accounts.
Some Facebook users today saw a comment looking like this (new pix!):
Clicking on the comment that links to
http://www.facebook.com/l.php?u=http%253A%252F%252Ffb.59.to%252F%253F4ff11a526ae73e9f170bbe6702ebb93c&h=..somehash...&ref=nf
redirects users to http://fb.59.to web page.
On this page they are given a fake Turing test that tricks them into clicking a "blue button", which is really their clickjacked Facebook page positioned so that the "Share" button (add a new comment) sits under the decoy. The whole web page looks like this (the clickjacked area is marked green):
In the page source we can see that there is an IFRAME element:
<iframe frameborder=0 scrolling=no height=25 width=100 src="2.php?u=http://fb.59.to/?...somehash...." ></iframe><span style=background-color:yellow;><font style=font-size:13 ; color=white>
The target URL (2.php) has another IFRAME, which in turn has yet another one, with the target page being:
<div style="left:-90px;top:-386px;position:absolute;" <iframe height=400 width=250 src="http://www.facebook.com/sharer.php?u=http://fb.59.to/?hash" frameborder=0 scrolling=no> </iframe> </div>
Clicking on the button shares the malicious link on Facebook.
The page has a meta-redirect set up to a YouTube movie launching after 12 seconds, so users might get the impression that the movie launched because they successfully passed the Turing test.
Multiple iframes are probably set up to evade clickjacking protections within browsers. A quick look tells that currently Firefox and Chrome are vulnerable to the attack, with IE and Opera being safe, although that requires a bit more time to investigate.
Update: The attack does not work in IE and Opera only because of incorrect HTML used in one of the pages on this malicious site. A simple fix to the HTML makes both mentioned browsers vulnerable to the attack as well.
Thanks go to Grzegorz Ciborowski and Pawel Czernikowski for detecting the attack.