The WIse SECurity
[ Back ]
Wednesday, April 21, 2010, 16:16
Facebook application hole. A neverending story?
It was April 11th @ 9:00 AM,some days before my Campusparty talk, and I decided to have a quick look at Facebook apps howto implementations.
Which, if user has already subscribed to the application, then it redirects to :
The url where the user is redirected can be set in the 'next' parameter (implied in moreParameters).
Now I had to better understand what I can do and went to my favourite FaceBook hacker-superhero The Harmony Guy.
It seems he already found something...and very big! :( Even if I don't know a thing about FBK, I was sooo near!
The good^N^N^N^NBad thing is that it took me a few hours to study the environment and think about that.
That's the explaination (from harmony guy link):
Now there's something I don't understand, and that's because I'm not a Facebook hacker and because the description is not technical.
They say it's fixed but if I try this request:
using farmville api_key with next parameter set to my test application home page on apps.facebook.com, I get a redirect to:
After that the victim seems to be also added my fake test app transparently...
Maybe they fixed on login.php but missed some page?...:o
As usual the infamous question I asked myself a lot of times when a vuln is fixed but the technique has not been understood.
How come that after the "theharmonyguy" post no one @facebook got a deep analysis?
Maybe complexity is a bad dwarf when dealing with security, but what about applying Secure-SLDC, I mean, really.
Just for sake of user privacy protection, I'd suggest to use different Browsers or Firefox Plugins.
I also found some site publishing Xss on facebook applications by simply searching on google...and they still work!
Hey Mr. Facebook would you care doing a Google search?
A hint: "facebook applications security bugs" on bigG.
theharmonyguy, Wednesday, April 21, 2010, 17:07
Wow great find - they fixed the "next" parameter for an absolute URI, but not the relative URI you put in. I just confirmed the bug and will report it to my contact at Facebook, giving you full credit of course.
Stefano, Wednesday, April 21, 2010, 17:21
theharmonyguy, Wednesday, April 21, 2010, 17:59
True, though it would need to be XSS in an app page that does not require you to be authenticated for *that* app also. Executing the API requests immediately would also ensure the session data doesn't expire before you use it.
Stefano, Wednesday, April 21, 2010, 18:04
Now is more clear
Comments are disabled
Wisec is brought to you by...
Wisec is written and mantained by Stefano Di Paola.
Wisec uses open standards, including XHTML, CSS2, and XML-RPC.
All Rights Reserved 2004
All hosted messages and metadata are owned by their respective authors.