Facebook Applications Revealed

by stderr  (stderr.dev@gmail.com)

0x00: Introduction

Surely most of you are familiar with Facebook, one of the most popular social networking sites on the Internet.

Many faithful users once praised its simplicity and its elegance.  Then, one fatal day in late May, Facebook unveiled its development platform, unleashing a flood of third-party application add-ons to the masses registered on Facebook.  Thousands of eager users mindlessly added these feature enhancements.  Many of Facebook's most faithful users began to get agitated with all the traffic coming from their friends, who were starting virtual food fights, and in some cases even began virtually biting friends (creepy).  Along with the sheer annoyance of these applications, a new question of security was introduced.

Now that you have all of these neat gadgets at your disposal, what else are you allowing onto your page? Facebook's application help page states that "...applications built by third-parties do not affect the privacy of your information in any way.  Your account information is still secure and we ensure that no third-parties store or collect any of your information."

As Facebook stated, your stored information is safe, but how is the authentication on the applications themselves?  This is left completely up to the plugin developers.  As we will see shortly, many developers did not take security very seriously as they developed and released these applications.

Due to the overwhelming number of applications, we are only going to take a look at three sample Facebook applications.  These applications should give you an idea about some of the privacy and security issues that come with adding Facebook applications.

0x01: Firebug

Before we begin, I highly suggest that you download the Firefox plugin called Firebug.

It is an amazing tool that allows you to develop and debug websites.  More importantly to us, it allows you to alter the client-side code before submitting a form.  In order to jump to a place in the code, right-click on the desired section of the page and click Inspect Element.  There are several ways of altering the pages given below, but this seems to be more efficient than manually editing the GET variables in the given URLs.

0x02: Moods

The first application we will look at is simply called "Moods."

Moods is a very simple application that allows you to set your current state of mind and display it to your friends.  A neat feature includes the ability to store the history of your past mood settings and changes.

This application seems simple enough.  Where could there possibly be a security lapse?  I am glad you asked.

First of all, when you view someone's mood history, the application does not ensure that you are a friend of the person whose history you are viewing.  Okay, big deal: someone can see the history of my past moods.  I couldn't care less!

Well, anyone could easily automate the task of grabbing everyone's current mood.  Subsequently, this could be used in conjunction with other data for future phishing or social engineering attacks.  For instance, people that are currently depressed or confused may tend to be more prone to falling for something stupid.

To see someone's moods history, simply substitute the target's Facebook ID where the X's are:

http://apps.facebook.com/emoting/?page=history&uid=xxxxxxxxx

Thank you for hanging with me this far.  Hopefully this example motivated the hamster to start running in your head.

If you are following my thought pattern, the next logical step would be to try to set your mood and see what happens.  When you click the icon to set your mood, a URL like the following is used to update your status:

http://neo.hotornot.com/facebook/emoting/set_mood?emo_id=xx&fb_sig_in_iframe=1&fb_sig_time=1183868333.4734&fb_sig_user=xxxxxxxxx&fb_sig_profile_update_time=1183845237&fb_sig_session_key=ljaoduf982309audsoifuiaj34iajidjdd&fb_sig_expires=0&fb_sig_api_key=ao3obau90ua0983209809809832098138&fb_sig_added=1&fb_sig=3ljaljdsioajljl3223209a0932a4abe

Yes, you guessed it.  Moods does not authenticate to ensure that you are setting your current mood.

Simply change the fb_sig_user variable to another person's ID, and you can update how they are feeling.  Do not tell me how I feel!

0x03: Free Gifts

Facebook came out with a feature that allows you to give virtual gifts to your friends.

Maybe you want to send a picture of a rose, a picture of a hamburger, or a picture of handcuffs to your friend.  That is all fine and dandy, but then Facebook decided to charge you $1 per gift.  Most of us are too cheap to actually pay $1 to send a stupid picture to someone on the Internet.  Enter the Free Gifts application.

Free Gifts is just as the name would suggest.  It is an add-on that allows you to send and receive free gifts to and from your friends.  The flaw in this application is eerily similar to the one found in Moods.

You can view the gifts received by anyone (friend or not), simply by altering the ID number sent to the Facebook application:

http://apps.facebook.com/freegifts/?to=xxxxxxx

Again, simply change the ID, and you can view that person's received gifts.  You may have guessed it by now, but you can also send a free gift to any person that uses the Free Gifts application, friend or not.

You probably noticed, while looking at some random person's received gifts, that there is a Send a Gift button on the top left portion of the page.  Sending this person a gift is not quite as easy as simply clicking the button, but it might as well be.

After you have clicked to send a gift, select the gift to send.  Now, you have to choose a recipient.  Select from Friends With Free Gifts.  You might notice that if a person is not a friend, then you can't send them a gift.

Now is when Firebug starts to shine.  Right-click on the dropdown menu of friends and inspect the element.  You will see a list entry like the following:

<option value="xxxxxxxxx">MyFriend</option>

Simply alter the values to reflect the person that you want to send the gift to.  You can send the gift anonymously, or you can just be a creepy stalker and send the gift from your own profile.

So far we have been able to view or change anyone's mood, and we have been able to send gifts to anyone with the Free Gifts application.  What comes next?

0x04: Super Wall

When you set up your Facebook account, they give you a virtual "wall" where friends can post public comments to your profile.

This is kind of cool, but there are some limitations.  You cannot post an image or a video to a friend's wall.  Well, the inventors of Super Wall have come to the rescue.  This application allows simple text messages, picture messages, and even links to web videos served up by Google or YouTube.

My original testing with Super Wall included trying to link to an off-site image, in an attempt to track profile views.  Facebook counters this by caching every image used in third-party applications.

Therefore, all requests to images are effectively handled locally by Facebook's web servers.  This helps reduce the server load on any third-party websites.

Since my first attempt was shot down, I decided to look into other aspects of Super Wall.  For my second test, I posted a simple text message to my own Super Wall.  Awesome, everything is working.  Finally, I took a look at what was going on behind the scenes.

Firebug came to the rescue again as I inspected the Post button for the Super Wall application.  Interesting:

<input type="hidden" value="xxxxxxxxx" name="fb_sig_profile" />
<input type="hidden" value="11838323i6.0082" name="fb_sig_time" /> 
<input type="hidden" value="xxxxxxxxx" name="fb_sig_user" />
<input type="hidden" value="1183835287" name="fb_sig_profile_update_time" />
<input type="hidden" value="1340983509832098109284098320958203" name="fb_sig_session_key" />
<input type="hidden" value="0" name="fb_sig_expires" />
<input type="hidden" value="22341344150983210981039859083235" name="fb_sig_api_key" />
<input type="hidden" value="1" name="fb_sig_added" />
<input type="hidden" value="23919218214912931049381098314893" name="fb_sig" />
<input type="hidden" value="XXXXXXXXX" name="owner_id" />

The fb_sig_user field is the Facebook user ID of the person posting the comment, and owner_id is the Facebook user ID of the Super Wall's owner.

When writing to your own Super Wall, both of these fields will be equal to your Facebook user ID.

Unlike the previous applications, Super Wall ensures that you are on the person's friend list before you can post to his or her Super Wall.  However, if you change the value of fb_sig_user to a friend's ID, the result will be a wall post from your friend.  You have now spoofed a comment from one of your friends onto your own wall.  Wow, this could get ugly.

After further tweaking, I was also able to post on a friend's Super Wall as someone else, simply by altering both the owner ID and fb_sig_profile fields accordingly.  The person you are posting as does have to be a friend of the wall's owner in order for this to work.

Phishers could easily abuse Super Wall by spoofing messages to people by assuming a friend's identity.  The phisher could then post malicious links, and the victim would likely not even think twice about going to the given address.  Spammers could also automate posting messages from friends to people's walls.  One way developers could help defend against this attack is by adding a picture box confirmation tool that would be presented before posting the messages to the walls.
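The common thread in all three applications is that the server trusts fields the browser can rewrite (uid, to, fb_sig_user, owner_id) instead of the value the platform vouched for, and skips the friend check entirely. The following is an added Python example, not code from the article or from any of these applications, showing how an application could derive the acting user from the signed fb_sig parameters and then apply the friend check the Moods and Free Gifts lookups were missing. It assumes the platform signs the fb_sig_* fields as MD5 over the sorted key=value pairs followed by the app secret, and uses a constructed app secret and friend list.

```python
import hashlib
import hmac

# Constructed values for this example: an app secret known only to the
# platform and the application, and a tiny friend graph (id -> friends).
APP_SECRET = "example-app-secret"
FRIENDS = {"1001": {"1002"}, "1002": {"1001"}, "1003": set()}

def compute_sig(params, secret):
    """Assumed platform scheme: MD5 over the sorted 'key=value' pairs of the
    fb_sig_* fields (prefix stripped) followed by the app secret. fb_sig
    itself has no trailing underscore, so it is not part of the payload."""
    payload = "".join(
        f"{key[len('fb_sig_'):]}={value}"
        for key, value in sorted(params.items())
        if key.startswith("fb_sig_")
    )
    return hashlib.md5((payload + secret).encode()).hexdigest()

def signed_user(params, secret=APP_SECRET):
    """User id the platform vouched for, or None if fb_sig does not match
    (for example after fb_sig_user was edited in the browser)."""
    expected = compute_sig(params, secret)
    if not hmac.compare_digest(expected, params.get("fb_sig", "")):
        return None
    return params.get("fb_sig_user")

def can_view_history(viewer, uid):
    """Moods-style check: only the owner and the owner's friends may view."""
    return viewer == uid or viewer in FRIENDS.get(uid, set())

def handle_wall_post(params, secret=APP_SECRET):
    """Super Wall-style post: the poster comes from the verified signature,
    never from a hidden field, and must be a friend of the wall owner."""
    poster = signed_user(params, secret)
    if poster is None:
        return "rejected: bad signature"
    owner = params.get("owner_id")
    if owner != poster and poster not in FRIENDS.get(owner, set()):
        return "rejected: not a friend of the wall owner"
    return f"posted by {poster} on {owner}'s wall"

def make_params(user, owner, secret=APP_SECRET):
    """Build a request the way the platform would sign it (test helper)."""
    p = {"fb_sig_user": user, "fb_sig_profile": owner, "fb_sig_added": "1",
         "fb_sig_time": "1183868333.4734", "owner_id": owner}
    p["fb_sig"] = compute_sig(p, secret)
    return p
```

Editing fb_sig_user in Firebug now invalidates fb_sig, and a stranger with a valid signature is still stopped by the friend check; the secret must stay on the server, since a client who knows it can sign anything.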

0x05: Conclusions

We just finished up with a quick look into some of the security concerns with Facebook's new third-party applications.

There are hundreds of available add-ons, and looking at the security on all of them is something I will leave up to the readers.  These security lapses could easily lead to spam or phishing attacks on you and your friends.

Thanks to the new applications, it is now possible to pose as someone else, without ever cracking a password.  Please think twice before adding another application to your Facebook profile.

Embrace simplicity.

Shout-outs:  Everyone at BinRev, venom, ny0n, Dan, Todd, Michelle, Anna, and all my college friends.
