Advisories 2011

2011-001: Facebook social network vulnerable to Open Redirect.
2011-002: Facebook social network vulnerable to CSRF.

2011-001: Facebook social network vulnerable to Open Redirect.

Original release date: July 18th, 2011
Last revised: July 22nd, 2011
Discovered by: Vicente Aguilera Diaz
Severity: 6.8/10 (CVSS Base Scored)

BACKGROUND

Facebook is a social networking service and website (www.facebook.com) launched in February 2004, operated and privately owned by Facebook, Inc. As of July 2011, Facebook has more than 750 million active users.

DESCRIPTION

An open redirect is a vulnerability that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.

The vulnerability is exploitable only between users who are friends.

PROOF OF CONCEPT

The malicious URL has the following structure:

http://www.facebook.com/l.php?u=<external website>&h=<security token>

where:

<external website>: the malicious site controlled by the attacker. For example, it can be used to deliver malware, request private information from the user, etc.

<security token>: a token generated by Facebook, based on several values, to decide whether the external link is trustworthy or not. The token is a 9-character string within the range [A-Z|a-z|0-9].

So the attacker only needs to know the <security token>.

On the other hand, the malicious URL is valid only if:

  • the victim user is authenticated, or
  • the victim user has logged out but has not closed the browser

--- How to obtain the <security token>

The attacker logs in to Facebook, posts a link (for example: http://www.isecauditors.com) on her wall, and then opens mobile Facebook (m.facebook.com) to view the link.

The link has the following URL:

http://m.facebook.com/l.php?u=http://www.isecauditors.com&h=DAQCCeLYW&refid=28

From the previous link, the attacker obtains the <security token> from the "h" parameter value. In this case: "DAQCCeLYW".
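The root cause described above is that a token harvested for one link is accepted for a different "u" value. The following added example (not Facebook's code, and not part of the original advisory) models a simplified redirect endpoint in two forms: a weak one that only checks that the token was ever issued, and a hardened one that binds the token to the exact target URL with an HMAC, so a token obtained for www.isecauditors.com cannot be reused for another site. The server key and the token format are constructed for the demo.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlparse

# Constructed demo key; a real deployment would load it from a key store.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"

# --- Weak model: the token proves "some link was posted" but is not tied to the URL.
# This is a simplified stand-in for the behaviour the advisory describes, not Facebook's code.
_issued_tokens = set()


def issue_unbound_token() -> str:
    token = secrets.token_urlsafe(8)
    _issued_tokens.add(token)
    return token


def resolve_unbound(u: str, h: str):
    """Redirect whenever h is any token the server ever issued: u is never
    checked, so a token harvested for one link works for any other link."""
    return u if h in _issued_tokens else None


# --- Hardened model: the token is an HMAC over the exact target URL string.
def issue_bound_token(target_url: str) -> str:
    return hmac.new(SERVER_KEY, target_url.encode(), hashlib.sha256).hexdigest()


def resolve_bound(u: str, h: str):
    """Simulated l.php handler: returns the Location to redirect to, or None."""
    parsed = urlparse(u)
    # Only absolute http(s) URLs may be redirect targets (rejects javascript:, data:, relative paths).
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None
    # Recompute the tag for u as received; any change to u (another host, or the same
    # host with a different percent-encoding) produces a different tag and is rejected.
    if not h or not hmac.compare_digest(issue_bound_token(u), h):
        return None
    return u


if __name__ == "__main__":
    harvested = issue_unbound_token()
    print("unbound:", resolve_unbound("http://tiny.cc/owhvr", harvested))   # reused token succeeds
    good = issue_bound_token("http://www.isecauditors.com")
    print("bound, other URL:", resolve_bound("http://tiny.cc/owhvr", good))  # None
    print("bound, same URL:", resolve_bound("http://www.isecauditors.com", good))
```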

--- How to exploit the malicious URL

The attacker has multiple ways to get another user to follow the malicious URL:

  • leave a message on her wall with the malicious URL and share the message with her friends
  • send a private message to a friend with the malicious URL
  • share the malicious URL on the wall of a friend
  • share the malicious URL in a group of friends
  • etc.

Obviously, a malicious user will obfuscate the redirection. For example, the attacker can use a URL shortening service (http://goo.gl, http://bitly.com, http://tiny.cc, etc.), use complex encoding techniques, add unnecessary parameters, etc.

For example, the following request can be sent in a private message to a friend and causes the friend to download a PDF file from the Internet Security Auditors website:

http://www.facebook.com/l.php?app=1572&u=tiny%2ecc⁄owhvr&h=DAQCCeLYW

On the other hand, another vulnerability exists in Facebook that facilitates the exploitation of this one. A user can leave a message on her wall with a link, and this link can point to a website different from the one displayed in the link text.

This vulnerability can be exploited in three steps:

  • Step 1) The user creates a status message with a URL, for example http://www.facebook.com, and leaves a blank space after the last letter
  • Step 2) The Facebook application recognizes the URL and creates the link, for example http://www.facebook.com
  • Step 3) The user deletes the URL from the status message and puts in another, malicious URL. The Facebook application does not update the previous link.

So this vulnerability can be abused to facilitate the Open Redirect. For example, a user can leave a message on her wall or on her public profile and share this message with other friends or with everyone. The process is:

  • Step 1) The user creates a status message with a URL, for example http://www.facebook.com, and leaves a blank space after the last letter
  • Step 2) The Facebook application recognizes the URL and creates the link, for example http://www.facebook.com
  • Step 3) The user deletes the previous blank space and adds the resource and the query string:
    http://www.facebook.com/l.php?app=1572&u=tiny%2ecc⁄owhvr&h=DAQCCeLYW
  • Step 4) The user shares this message with everyone.

Another way to inject the URL while preventing Facebook from resolving the malicious site: leave a message on her wall with some text before the link.
For example:

"Download the best application from Facebook:

http://www.facebook.com/l.php?app_id=1572&u=tiny%2ecc⁄owhvr&h=DAQCCeLYW"

BUSINESS IMPACT

This vulnerability allows phishing attacks, effective malware distribution, etc.

SYSTEMS AFFECTED

The vulnerability affects the Facebook social network.

SOLUTION

-

REFERENCES

http://www.facebook.com
http://www.isecauditors.com

CREDITS

This vulnerability has been discovered by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).

REVISION HISTORY

July 18, 2011: Initial release.
July 19, 2011: Proof of concept updated with more details.

DISCLOSURE TIMELINE

July 17, 2011: The vulnerability is discovered.
July 18, 2011: Facebook is notified of this vulnerability.
July 18, 2011: Facebook answers the vulnerability is not exploitable.
July 19, 2011: Internet Security Auditors contacts Facebook and provides more details about how to exploit the vulnerability.
July 21, 2011: Facebook answers that the intentional functionality provided by the "l.php" endpoint is required, and that Facebook believes the security benefits generated by this functionality outweigh the perceived risks.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.


2011-002: Facebook social network vulnerable to CSRF.

Original release date: 9th August 2011
Last revised: 9th August 2011
Discovered by: Vicente Aguilera Diaz
Severity: 4.9/10 (CVSSv2 Base Scored)

BACKGROUND

Facebook is a social networking service and website (www.facebook.com) launched in February 2004, operated and privately owned by Facebook, Inc. As of July 2011, Facebook has more than 750 million active users.

DESCRIPTION

Cross-Site Request Forgery, also known as one click attack or session riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a kind of malicious exploit of websites. Although this type of attack has similarities to cross-site scripting (XSS), cross-site scripting requires the attacker to inject unauthorized code into a website, while cross-site request forgery merely transmits unauthorized commands from a user the website trusts.
Facebook is vulnerable to CSRF attacks in the "Change Password" functionality. The only token used to authenticate the user is a session cookie, and this cookie is sent automatically by the browser in every request. The session cookie is not associated with other typical parameters (such as the IP address), so the authenticated request can be made from different physical locations.
An attacker can create a page that includes multiple requests (password cracking attack) to the "Change password" functionality of Facebook and modify the passwords of the users who, being authenticated, visit the page of the attacker.

PROOF OF CONCEPT

A common "change password" request has the following structure:

POST /login.php?m=m&refsrc=http%3A%2F%2Fm.facebook.com%2Fsettings.php&refid=31 HTTP/1.1
Host: www.facebook.com
...
fb_dtsg=AQSMHMxZ&post_form_id=95cd53deb8c317985aef5672453b9c15&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&old_password=oldpassword&new_password=newpassword&confirm_password=newpassword&change_password=Cambiar+la+contrase%C3%B1a

But the anti-CSRF tokens ("fb_dtsg" and "post_form_id") are not validated in this request, so a malicious user can create a request like the following (omitting the parameters "fb_dtsg" and "post_form_id") and the request succeeds, so the password is updated:

POST /login.php?m=m&refsrc=http%3A%2F%2Fm.facebook.com%2Fsettings.php&refid=31 HTTP/1.1
Host: www.facebook.com
...
old_password=victimoldpassword&new_password=hackernewpassword&confirm_password=hackernewpassword&change_password=Cambiar+la+contrase%C3%B1a
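The fix the advisory asks for is to check the token the form already carries. The following added example (not Facebook's code, and not part of the original advisory) models the "change password" handler in both forms: a vulnerable one that accepts the stripped-down body shown above, and a fixed one that rejects any request whose fb_dtsg value is missing or does not match the per-session token. The Session class and its token generation are constructed for the demo; the form body is the one from the advisory.

```python
import hmac
import secrets
from urllib.parse import parse_qs


class Session:
    """Constructed stand-in for a server-side session tied to the session cookie."""

    def __init__(self, user: str, password: str):
        self.user = user
        self.password = password
        # Per-session anti-CSRF token; the server embeds it in the form as fb_dtsg.
        self.csrf_token = secrets.token_urlsafe(16)


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def _apply_change(session: Session, form: dict) -> str:
    # Knowing the old password is the only check left once the token is ignored,
    # which is why the advisory describes a multi-request guessing page.
    if form.get("old_password") != session.password:
        return "bad old password"
    if not form.get("new_password") or form.get("new_password") != form.get("confirm_password"):
        return "password mismatch"
    session.password = form["new_password"]
    return "changed"


def change_password_vulnerable(session: Session, body: str) -> str:
    """Model of the flaw: fb_dtsg and post_form_id are never inspected, so a
    cross-site POST without them is processed like a legitimate one."""
    return _apply_change(session, parse_form(body))


def change_password_fixed(session: Session, body: str) -> str:
    """Fixed handler: the request must carry the session's own fb_dtsg value."""
    form = parse_form(body)
    supplied = form.get("fb_dtsg", "").encode()
    # Constant-time compare; an absent or attacker-guessed token fails here.
    if not hmac.compare_digest(supplied, session.csrf_token.encode()):
        return "csrf token invalid"
    return _apply_change(session, form)


# Body from the advisory's forged request (no fb_dtsg / post_form_id), used as sample input.
FORGED_BODY = ("old_password=oldpassword&new_password=hackernewpassword"
               "&confirm_password=hackernewpassword&change_password=Cambiar+la+contrase%C3%B1a")
```

A legitimate submission is the same body with `fb_dtsg=<session.csrf_token>&` prepended, which the fixed handler accepts.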

BUSINESS IMPACT

  • Selective DoS on Facebook users (changing the user password).
  • Possible access to the Facebook account of other users.

SYSTEMS AFFECTED

The vulnerability affects the Facebook social network.

SOLUTION

-

REFERENCES

http://www.facebook.com
http://www.isecauditors.com

CREDITS

This vulnerability has been discovered by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).

REVISION HISTORY

August 9, 2011: Initial release.

DISCLOSURE TIMELINE

July 31, 2011: The vulnerability is discovered.
August 3, 2011: Facebook is notified of this vulnerability.
August 7, 2011: Internet Security Auditors contacts Facebook to ask about the status of its analysis of the vulnerability.
August 8, 2011: Facebook answers that other protections exist to mitigate this risk.
August 8, 2011: Internet Security Auditors contacts Facebook to explain that the risk is low but the solution is trivial: validate the value of the security tokens (which are currently being sent), as is done in the other functions.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain-based leader in web application testing, network security, penetration testing, and security compliance implementation and assessment. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ICT, etc. We are a vendor-independent provider with deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration, whitepapers, presentations, and security event participation and promotion. For further information regarding our security services, contact us.
