Massive Facebook Vulnerability Exposes ALL User Data

TechCrunch discusses just one of the many vulnerabilities found on the Facbook platform, endangering all 300 million of its members' accounts:

A Facebook developer named Yvo Schaap has uncovered a massive security flaw present on both Facebook and MySpace that would give hackers the ability to steal all of your account data, including your photos, personal messages, and basically everything else you’ve ever put on the social networks, without you ever realizing it.

Schaap stumbled upon the exploit and contacted both Facebook and MySpace. According to his blog MySpace has since fixed the bug, and while his blog indicates that Facebook is still working on it we’ve confirmed that they’ve fixed it as well (we’re waiting on a statement from MySpace). So what exactly could the exploit do? From Schaap’s blog:
You don’t need much time to think of all the ways this could be exploited. All what has to happen is a active session, or a “auto login”-cookie and a URL which hosts a exploiting Flash file. For example when accessed, a automatic “post update” could be made, that would lure friends of the user to access the exploit URL, and the exploit would spread virally. An more invasive and hidden exploit could harvest all the users personal photo’s, data and messages to a central server without any trace, and there is no reason why this wouldn’t be happening already with both Facebook and MySpace data.
In other words, if you’ve ever checked that ‘remember me’ button on Facebook or MySpace’s login screen and have at any point viewed a Flash app taking advantage of the exploit, it’s possible that all of your data was compromised. You wouldn’t even have to neccesarily open anything — in Facebook’s case, if one of the infected items showed up in your News Feed you could have your data stolen without ever knowing it. Yeah, that’s pretty damn scary. For what it’s worth, Facebook gave us this statement:
The security of our users is a top priority for Facebook and we worked with the researcher who identified the issue to fix it. We have not received any reports that it was ever exploited.
Of course, Schaap pretty clearly writes that there’s no way for a user or even Facebook to tell if their data was harvested, so for all we know it could have been used by multiple developers for months or longer (Facebook is currently investigating how long the bug may have existed). Granted, Schaap could be the first developer to ever stumble across the exploit. But the potential of this bug is so huge — allowing a developer to mine all of the data for any user who accessed their app — that less honest developers may well have used the hack for their own benefit. Facebook has previously said that there are a whopping 300,000 developers building on its platform. And we’ve seen time and time again that some of those developers are not opposed to Black Hat tactics. MySpace has seen its own share of problems.

This is obviously bad news for both social networks, but Facebook in particular has long been heralded as the safer of the two, with its extensive privacy settings and authentic identities. Yet the site has repeatedly seen glitches in its security. I’ve written before about the sorry state of our privacy and the security of our data online, and issues like this underscore that the problem isn’t getting any better. Facebook is no longer just a platform for learning about your college buddies — it’s a serious business, used for photos and messages that can be very sensitive. Hell, I’ve heard of journalists who regularly use Facebook to reach out to potential sources, when secrecy is of the utmost importance. Apparently that’s not a good idea.

The security vulnerability works by taking advantage of an oversight in a crossdomain.xml configuration file, which is used by Flash applets to determine if an application has permission to access data on that domain. The crossdomain.xml files at Facebook and MySpace were allowing any applet from any other domain to access data and the API. Combined with browsers keeping a record of your logged in session if you have checked ‘remember me’, the vulnerability means that an invisible Flash applet on any website you visit would be able to read out all your data and send it away somewhere else. For more on cross-domain requests and security, there is a write up explaining all the details.

If you’re interested in the nature of the exploit itself, head over to Schaap’s blog for a full description of how he stumbled on it. 
See also:

Copyright © Jewish Internet Defense Force
All Rights Reserved

The views expressed on this website do not necessarily reflect the views of the JIDF. The content is not intended to malign any religion, ethnic group, club, organization, company or individual. This site's intention is to do no harm, to not injure others, defame, or libel. All data and information provided on this site is for informational, educational, and/or entertainment purposes only. The Jewish Internet Defense Force (JIDF) makes no representations as to accuracy, currentness, correctness, suitability, or validity of any information on this site and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use, or access to this site. We are not responsible for translation or interpretation of content. We are not responsible for defamatory statements bound to government, religious or other laws from the reader’s country of origin. All information is provided on an as-is basis with no warranties, and confers no rights. We are not responsible for the actions, content, accuracy, opinions expressed, privacy policies, products or services or for any damages or losses, directly or indirectly, caused or alleged to have been caused as a result of your use or reliance on such information on the Jewish Internet Defense Force site. This site includes links to other sites and blogs operated by third parties. These links are provided as a convenience to you and as an additional avenue of access to the information contained therein. We have not reviewed all of the information on other sites and are not responsible for the content of any other sites or any products or services that may be offered through other sites. The inclusion of these links in no way indicates their endorsement, support or approval of the contents of this site or the policies or positions of the JIDF. We have the right to edit, remove or deny access to content that is determined to be, in our sole discretion, unacceptable. These Terms and Conditions of Use apply to you when you view, access or otherwise use this blog and the Website. The JIDF is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to
Related Posts with Thumbnails