Monday, July 23, 2007

Moods (Emoting)

This one's very interesting. Moods is vulnerable to the typical problem that we've seen in the past. Mainly, viewing a non-friend's mood history. In order to check out someone's history, simply alter the following url.

http://apps.facebook.com/emoting/?page=history&uid=xxxxxxxxx

Obviously substituting the person's id for the uid variable.

Now, here's the twist with this application. It doesn't even check to ensure that you are trying to set YOUR OWN MOOD! Yes, you can update someone's mood for them. Simply go to http://apps.facebook.com/emoting/ and copy the link to Update My Mood. It'll look something like the following. Now just substitute the proper ID for fb_sig_user.

http://neo.hotornot.com/facebook/emoting/main?fb_sig_in_iframe=1
&fb_sig_time=1182223441.0801&fb_sig_user=xxxxxxxxx&other_variables

My Greeting Cards

*Yawns* Same thing. My Greeting Cards Allows you to send greeting cards to non-friends. Custom text can be sent along with the card as well.

  1. Click on My Greeting Cards application.
  2. Enter a friend's name.
  3. Change recipient_id value.
  4. Send gift

Superlatives

I'm seeing a trend here... Superlatives allows you to make predictions about friends that others can vote on, like "so and so is most likely to sell their soul for a donut." Cute. Except you can predict about non-friends too.

Easter Egg

Another non-friend attack. Easter Egg lets you post messages on your profile that only certain friends can read. Like other apps, you can trick it into leaving messages for people who aren't your friends. Because it's on your profile there isn't much danger here, but the app will give you the option of sending a notice to the recipient. They might not appreciate receiving messages from people they haven't added as friends, but that's about as much damage as you can do with this bug.

Sunday, July 22, 2007

Poke Pro

Poke Pro allows you to do any number of actions to a friend. At least, that's what it's supposed to allow. Poke Pro also allows you do do these events to anyone with the application in their profile... friend or not.

Poking random people
  1. On your own profile, enter the name of a friend in your Poke Pro box.
  2. Alter the id value to reflect the id of the person you wish to poke.
  3. Go!


How annoying would it be to constantly get drop kicked by people you don't know?

Fun Wall

The Fun Wall application has the same vulnerability as the aforementioned Super Wall application. You can post messages on a wall as another person.

Exploiting the identity theft.

  1. Proceed to the target's profile.
  2. Enter the desired message into the Fun Wall form.
  3. Change fb_sig_user to the id of the person you wish to post as. (Firebug)
  4. Post.

Sticky Notes

The Sticky Notes application contains a vulnerability that allows you to send a sticky note to any Facebook member, even if they aren't your friend. The application description suggests that this is not the designer's intention.

This can be exploited by writing a new note, and when you're asked to choose the recipients:
  1. Enter the name of one of your friends.
  2. Find the Facebook ID of the person you want to send the sticky to.
  3. Substitute the form's recipient1 value with the ID of your target. (Firebug makes this easy.)
Too easy. Why are we letting amateurs write code for a social networking site of this stature?

Free Gifts

Note: I highly suggest that you install Firebug for tweaking web pages.

Facebook came out with a feature that allows you to give virtual gifts to your friends. Maybe you want to send a picture of a rose, a picture of a hamburger, or maybe a picture of handcuffs to your friend. That is all fine and dandy, but then Facebook decided to charge you $1 per gift. Most of us are too cheap to actually pay $1 to send a stupid picture to someone on the Internet. Enter Free Gifts application.

Free Gifts is just as the name would suggest. This add-on allows you to send and receive free gifts to and from your friends. Unfortunately, you can view the gifts received by anyone (friend or not), simply by altering the id number sent to the Facebook application.

http://apps.facebook.com/freegifts/?to=xxxxxxxxx

Simply change the id, and you can view that person’s received gifts. You may have guessed it by now, but if not, you can send a free gift to any person that has the free gift application on their profile... friend or not.

You probably noticed while looking at some random person's received gifts, that there is a "Send a Gift" button on the top left portion of the page. Sending this person a gift is not quite as easy as simply clicking the button, but it might as well be. After you have clicked to send a gift, select the gift to send. Now, you have to choose a recipient. Select from "Friends With Free Gifts". Oh great, that person's not a friend, I can't send them a gift. Now is when Firebug starts to shine. Right click on the drop down menu of friends and inspect the element. You will see a list entry like the following.

<option value="xxxxxxxxx">My Friend</option>

Simply alter the values to reflect the person that you want to send the gift to. You can send the gift anonymously, or you can just be a creepy stalker and send the gift from your own profile.

Super Wall

When you setup your Facebook account, you are given you a virtual "wall" where friends can post public comments to your profile. This is kind of cool, but there are some limitations. You cannot post an image or a video to a friend's wall. Well, the inventors of Super Wall have come to the rescue. This application allows simple text messages, picture messages, and even links to web videos served up by Google and by Youtube.

My original testing with Super Wall included trying to link to an off-site image, in an attempt to track profile views. Facebook counters this by caching every image used in third party applications. Therefore, all requests to images are effectively handled locally by Facebook. This helps reduce the server load on any third party websites.

Since my first attempt was shot down, I decided to look into other aspects of Super Wall. For my second test, I posted a simple text message to my own Super Wall. Awesome, everything is working. Finally, I took a look at what was going on behind the scenes.

<input value="xxxxxxxxx" name="fb_sig_profile" type="hidden">
<input value="11838323i6.0082" name="fb_sig_time" type="hidden">
<input value="xxxxxxxxx" name="fb_sig_user" type="hidden">
<input value="1183835287" name="fb_sig_profile_update_time" type="hidden">
<input value="1340983509832098109284098320958203" name="fb_sig_session_key" type="hidden">
<input value="0" name="fb_sig_expires" type="hidden">
<input value="22341344150983210981039859083235" name="fb_sig_api_key" type="hidden">
<input value="1" name="fb_sig_added" type="hidden">
<input value="23919218214912931049381098314893" name="fb_sig" type="hidden">
<input value="XXXXXXXXX" name="owner_id" type="hidden">

The fb_sig_user field is the Facebook user id of the person posting the comment, and owner_id is the Facebook user id of the Super Wall’s owner. In this case both of these fields will be equal to your Facebook user id.

Super Wall ensures that you are on the person's friend list before you can post to his or her Super Wall. However, if you change the value of fb_sig_user to a friend’s id, the result will be a wall post from your friend. You have now spoofed a comment from one of your friends onto your own wall. Wow, this could get ugly.

After further tweaking, I was also able to post on a friend's Super Wall as someone else, simply by altering both the owner_id and fb_sig_profile fields accordingly. The person you are posting as does have to be a friend of the owner's wall in order for this to work.

Phishers could easily abuse Super Wall by spoofing messages to people by assuming a friend’s identity. The phisher could then post malicious links, and the person would likely not even think twice about going to the given address.

Introduction

For those of you that have been clamoring about the addition of Facebook applications, we have decided to add more fuel to the fire. We have started exposing some of the additional problems (other than the sheer annoyance) introduced by adding third party code onto your Facebook page. Due to the overwhelming number of applications, we don't have time to check every application for security issues. This is where you as the community come in. Go out, and start testing the various applications, and then submit your results.

During my initial research, I covered the SuperWall, Moods, and Free Gifts applications. All three had problems, but I believe the Moods application has been fixed to some degree. Further testing will follow.