Facebook bug that allows personal data access, phishing repaired
By ANI, Sunday, February 6, 2011
WASHINGTON - A Facebook security threat that would allow anyone to access your personal data has been repaired by the company.
The vulnerability was discovered by Rui Wang and Zhou Li. It enabled malicious websites to impersonate legitimate websites, and then obtain the same data access permissions on Facebook that those legitimate websites had received.
The bug occurred when a user informed Facebook of his or her willingness to share information with popular websites like ESPN.com or YouTube.
When such a request is made, Facebook passes a secret random string called an authentication token back to the requestor for identification. Whoever holds that authentication token can convince Facebook that they are, say, ESPN.com, thereby gaining unlimited access.
“Researchers at Indiana University reported a vulnerability in our Platform code to us, and we worked quickly with them to resolve it. It was fixed shortly after it was reported. We’re not aware of any cases in which it was used maliciously,” Facebook said in a statement.
“We thank the researchers at Indiana University for bringing this to our attention, and for demonstrating the value of responsible disclosure.”
The researchers identified a flaw in the way the token was transmitted using two Flash objects: one inside Facebook’s iframe passes the token to the second, which in this case would be embedded at ESPN.com.
The transfer mode can be selected with “transport=’flash’”, and the security guarantee is that both Flash objects must come from the same domain (i.e., Facebook) before they can talk.
The researchers found, however, that this same-domain assumption does not always hold, because Adobe Flash allows cross-domain communication over a connection whose name is prefixed with an underscore symbol, so the domain on the other end of the connection is unpredictable.
“This vulnerability has several implications. Basically, any user with a valid Facebook session loses anonymity and privacy to any website, even one with embarrassing or sensitive content,” Wang said.
“Our attack utilized a feature of Adobe Flash called unpredictable communication, and an important distinction between an unpredictable communication and a normal communication is that the former is done through a connection where the name starts with an underscore symbol,” Li said.
“Therefore, Facebook could check for this symbol to determine if a potentially malicious website tries to do unpredictable communication.”
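To make the same-domain guarantee and the underscore bypass concrete, here is a small model of how Flash's LocalConnection scopes connection names, together with the check Li describes. This is an added illustration, not Facebook's or Adobe's code; the domain names, connection names and token value are constructed.

```python
"""Constructed model of Adobe Flash LocalConnection name scoping (added example).

Flash prepends the SWF's own domain to a connection name ("facebook.com:name")
unless the name begins with "_", in which case it is global and any domain's
SWF may listen on it. The domains and token below are made up.
"""


def scope(domain: str, name: str) -> str:
    """Channel a SWF served from `domain` reaches with connect(name)/send(name)."""
    return name if name.startswith("_") else f"{domain}:{name}"


class Listener:
    """A SWF that called LocalConnection.connect(name) and allowDomain(*allowed)."""

    def __init__(self, domain: str, name: str, *allowed: str) -> None:
        self.domain = domain
        self.allowed = set(allowed)
        # A receiver can never claim another domain's prefix: it is added by Flash.
        self.channel = scope(domain, name)
        self.received: list[str] = []


def send_token(sender_domain: str, name: str, token: str, listeners: list) -> list:
    """Deliver `token` as send(name) from `sender_domain` would; return domains reached."""
    channel = scope(sender_domain, name)
    reached = []
    for lst in listeners:
        same_domain = lst.domain == sender_domain
        allowed = "*" in lst.allowed or sender_domain in lst.allowed
        if lst.channel == channel and (same_domain or allowed):
            lst.received.append(token)
            reached.append(lst.domain)
    return reached


def is_domain_scoped(name: str) -> bool:
    """Defender-side check: refuse names that bypass the same-domain binding."""
    return not name.startswith("_")


def demo() -> tuple:
    """Constructed scenario: a third-party SWF listens on a global name with allowDomain('*')."""
    other = Listener("other.example", "_fb_token", "*")   # global name, any sender accepted
    genuine = Listener("facebook.com", "fb_token")        # scoped: "facebook.com:fb_token"
    via_global = send_token("facebook.com", "_fb_token", "TOKEN-constructed", [other, genuine])
    via_scoped = send_token("facebook.com", "fb_token", "TOKEN-constructed", [other, genuine])
    return via_global, via_scoped  # → (['other.example'], ['facebook.com'])
```

Running `demo()` shows the token crossing domains only over the underscore name; `is_domain_scoped` is the one-line check that rejects such a name before the token is handed over.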
Facebook officials noted that, in the rare instances in which vulnerabilities are found, contact forms are available at both the Facebook Help Center and the “Whitehats” tab on the Facebook Security Page. (ANI)