No About Face for Privacy

Facebook has taken quite a bit of heat over privacy concerns lately. Back in November of 2009 it was found that a Flash vulnerability could allow an attacker to steal all of a user's personal information. Before that, users protested en masse against the Terms of Use change that allowed the social networking site to do whatever it wanted with any content hosted on the network, including photographs and comments. And who could forget the controversy that followed when Facebook's content, or should I say its users' content, was opened up to the search engines. This week's f8 developers conference proved to be no exception.

As we all know, Facebook's reaction to these and other privacy concerns has been well received: whenever something that threatens user privacy is exposed, Facebook is quick to respond and patch things up. However admirable those reactions are, the latest security issue that was uncovered shows that Facebook is not overly proactive when it comes to protecting against security exploits.

Session Hijacking

Session hijacking refers to a technique attackers use to take over a valid, authenticated session, and with it the information and services tied to that session. A web application recognizes a logged-in browser by a session ID, usually carried in a cookie. An attacker who obtains that ID, whether by sniffing it off the network, stealing it from the browser, or guessing it, can present it and masquerade as the legitimate user, with access to anything the user has rights to. For instance, if a Facebook user were to fall victim to this sort of attack, the bad guy would have free rein over all the information in their account, simple as that.
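To make the point concrete, here is an added example (not code from the original post or from Facebook): a miniature server-side session store in Python. It shows why a session ID is a bearer token, how guessable IDs make hijacking trivial, and the two controls that limit the damage from a captured ID: random 256-bit IDs and rotation or expiry. The store, usernames and ID ranges are all constructed for the example; the credential check at login is elided.

```python
import secrets
import time
from itertools import count


class SessionStore:
    """Minimal server-side session table (constructed example).

    Maps a session ID to (username, expiry).  The ID is a bearer token:
    the store resolves it without checking *who* presents it, which is
    exactly what a session hijacker exploits.
    """

    def __init__(self, ttl_seconds=900, id_factory=None, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested offline
        # Default: 32 bytes from the OS CSPRNG (256 bits), URL-safe encoded.
        self._new_id = id_factory or (lambda: secrets.token_urlsafe(32))
        self._sessions = {}

    def login(self, username):
        """Authenticate (credential check elided) and issue a fresh session ID."""
        sid = self._new_id()
        self._sessions[sid] = (username, self.clock() + self.ttl)
        return sid

    def user_for(self, sid):
        """Resolve a presented ID to a user, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:
            del self._sessions[sid]
            return None
        return username

    def rotate(self, sid):
        """Replace a session's ID, e.g. after login or a privilege change.
        Any copy of the old ID an attacker captured stops working."""
        entry = self._sessions.pop(sid, None)
        if entry is None:
            return None
        new_sid = self._new_id()
        self._sessions[new_sid] = entry
        return new_sid

    def logout(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value that keeps the ID off clear-text connections and out of
    reach of page scripts (Secure, HttpOnly) and limits cross-site sends."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def hijack_by_guessing(store, candidates):
    """Attacker model: present candidate IDs and keep those that resolve.
    The store cannot tell the attacker's request from the user's."""
    return [(sid, store.user_for(sid)) for sid in candidates if store.user_for(sid)]


def demo():
    # Weak deployment: sequential IDs, as some early web apps used.
    counter = count(1000)
    weak = SessionStore(id_factory=lambda: str(next(counter)))
    weak.login("alice")
    weak_hits = hijack_by_guessing(weak, (str(n) for n in range(900, 1100)))

    # Hardened deployment: 256-bit random IDs; the same guesses find nothing.
    strong = SessionStore()
    alice_sid = strong.login("alice")
    strong_hits = hijack_by_guessing(strong, (str(n) for n in range(900, 1100)))

    # A captured ID is enough to act as the user ...
    stolen = alice_sid
    as_user = strong.user_for(stolen)
    # ... until the session is rotated (or expires).
    strong.rotate(alice_sid)
    after_rotate = strong.user_for(stolen)
    return weak_hits, strong_hits, as_user, after_rotate


if __name__ == "__main__":
    print(demo())
```

Random IDs stop guessing, but not theft: the stolen ID in `demo()` resolves to the user until it is rotated, which is why the cookie attributes and a short lifetime matter as much as the ID's entropy.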

The Latest Concern

In a proof-of-concept attack, security engineer Joey Tyson built a harmless-looking web site, external to Facebook, into which he inserted an inline frame (iframe) small enough to be invisible to the visitor, the would-be victim. The frame actually loaded Facebook's login page, but because it was invisible the victim had no idea that this was happening.

The exploit worked by having Tyson's malicious page pass certain parameters so that it could target any third-party application the victim had authorized to access their Facebook account. In his demonstration Farmville was used because of its popularity, but the same could have been done with any of the many apps that users allow to connect to their accounts. By piggybacking on the credentials issued to the authorized application, the attacker would have hijacked an authenticated Facebook session for the victim, without the victim's knowledge.
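The attack above depends on one step any site can refuse: being loaded inside a frame on a page it does not control. The post does not detail how Facebook fixed the issue, so the following is not that fix; it is the general defence, as an added example that is not code from the original post or from Facebook. The Python checker evaluates a response's X-Frame-Options and CSP frame-ancestors headers against a would-be framing origin. The page URL, attacker origin and headers are constructed for the example; port numbers are ignored, a simplification.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Normalise a URL or origin to 'scheme://host' (port ignored: simplification)."""
    u = urlsplit(url)
    return f"{u.scheme.lower()}://{(u.hostname or '').lower()}"


def parse_csp(value):
    """Content-Security-Policy header -> {directive: [source expressions]}.
    The first occurrence of a directive wins, as in browsers."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def source_matches(source, framer, page):
    """Does one frame-ancestors source expression admit `framer` as an embedder?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return framer == page
    if source == "*":
        return True
    f = urlsplit(framer)
    if source.endswith(":") and "/" not in source:      # scheme source, e.g. "https:"
        return f.scheme == source[:-1]
    s = urlsplit(source if "://" in source else "//" + source)  # host source
    if s.scheme and s.scheme != f.scheme:
        return False
    host = s.hostname or ""
    if host.startswith("*."):                            # wildcard subdomain
        return (f.hostname or "").endswith(host[1:])
    return f.hostname == host


def can_be_framed_by(headers, framer_origin, page_origin):
    """True if a page served with `headers` may be embedded by framer_origin.

    CSP frame-ancestors, when present, takes precedence over X-Frame-Options;
    a page that sends neither can be framed by any site, which is the state
    the hidden-iframe attack needs."""
    h = {k.lower(): v for k, v in headers.items()}
    framer, page = origin_of(framer_origin), origin_of(page_origin)

    csp = h.get("content-security-policy")
    if csp:
        sources = parse_csp(csp).get("frame-ancestors")
        if sources is not None:
            return any(source_matches(s, framer, page) for s in sources)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    if xfo.startswith("ALLOW-FROM"):   # obsolete; modelled as "only the listed origin"
        allowed = xfo[len("ALLOW-FROM"):].strip()
        return allowed != "" and framer == origin_of(allowed)
    return True


def demo():
    """Constructed cases: an attacker's site trying to frame a login page."""
    login_page = "https://www.example.com/login"
    attacker = "https://evil.example/"
    cases = {
        "no headers": {},
        "xfo deny": {"X-Frame-Options": "DENY"},
        "xfo sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
        "csp": {"Content-Security-Policy":
                "default-src 'self'; frame-ancestors 'self' https://*.example.com"},
    }
    return {name: can_be_framed_by(hdrs, attacker, login_page)
            for name, hdrs in cases.items()}


if __name__ == "__main__":
    for name, framable in demo().items():
        print(f"{name:15s} framable by attacker: {framable}")
```

The useful check in practice is the negative one: fetch the login page with the response headers intact and confirm `can_be_framed_by` returns False for an origin you do not control. Note that this only stops the framing step; it does nothing about the application-credential piggybacking the post describes.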

Proactivity

As usual, Facebook was quick to correct the errors that allowed this exploit, and Tyson even stated in his blog that:

I commend Facebook for responding quickly to this issue and for being open to white-hat security reports. But in my opinion, this vulnerability is simply the latest reminder that the Facebook Platform can open users to many problems quite separate from the security of Facebook itself. I personally think that aspects of the Platform’s implementation fail to match user expectations of privacy, as I’ve discussed previously. And while this particular problem may be solved, vulnerabilities in specific applications and the nature of application access continue to put private data at risk of unwanted disclosure.

Seeing vulnerabilities in web applications on a daily basis, I have to agree with Tyson 100 percent. So many applications are built with grand expectations of usability, interactivity and profitability while vulnerabilities are ignored. Tyson's latest find hammers this point home. The security team at Facebook includes some of the brightest minds in the business, so why was this not caught in a code review?

In most applications, security is an afterthought, viewed as something that can be fixed in subsequent patches and versions. Users suffer, but they still come back to see what has been posted on their wall and how many people liked their last comment. Until the lackadaisical attitude towards security and privacy changes in the minds of application users, it certainly won't change in the attitude of the developers.

Side note:

As I was writing this post, Facebook announced that it is taking steps to help users better understand what actions to take if they are harassed or bullied, witness illegal or terrorist activity, or find that their account has been compromised. While this information does not help prevent someone from becoming a victim on the Facebook network, it does show users where they can find help. Interestingly enough, during f8's wrap-up session (see the closing remarks video) Chris Cox did not focus on privacy in the roadmap he laid out. It seems that privacy will remain an afterthought.

About Jeff Orloff

Jeff Orloff is a freelance technology writer and consultant with Sequoia Media, Inc. (http://www.sequoiamediaservices.com). When he is not in front of a computer, he can be found coaching little league baseball.

You can find Jeff on Twitter: @jeorl.