March 27, 2008 2:27 PM PDT

Hackers target Facebook apps

by Chris Soghoian

Hackers have turned their attention to Facebook's hundreds of independent applications. The results are not terribly surprising, but do not tell a good tale: app developers don't seem to know a thing about basic security, and are putting private user information at risk. As a result, malicious hackers are able to access and change what should be private user data managed by the application providers.

Just a few months after this blog brought you exclusive news of privacy problems in Facebook's application system, we are now already seeing the consequences of Facebook's decision to pass the buck on application security and privacy. Facebook shares user data with a large number of third-party application developers (without user consent), who then leave the data open to hackers due to nonexistent security and privacy protections. We at Surveillance State would be lying if we said we didn't see this coming.

Third-party developers

As I mentioned in a blog post back in January, Facebook permits application developers to get access to large amounts of sensitive data, all without clear user consent. Simply put, whenever a user installs a Facebook app, the developers of that application get access to data on every person who that user is Facebook 'friends' with, as well as most of the people in that user's network. While Facebook makes it perfectly clear when users install an application that developers will get access to their data, it doesn't do anything at all to warn users that the same data sharing occurs when their friends install apps.

Facebook has its legal bases covered though, as its Terms of Service clearly state that the company is in no way responsible for anything that the developers do with user data. It further notes that the company does nothing at all to verify that developers are doing anything at all to protect user data, or that they are not storing data beyond the time needed to process the application request (a strict no-no). The terms of service state:

"[each application] has not been approved, endorsed, or reviewed in any manner by Facebook...we are not responsible for...the privacy practices or other policies of the Developer. YOU USE SUCH DEVELOPER APPLICATIONS AT YOUR OWN RISK."

Flaws in apps, users at risk

According to a recent article in 2600, the Hacker Quarterly, many popular Facebook applications are vulnerable to trivial attacks, which permit a nefarious person to both set and read the data associated with that app. The 2600 article uses the apps Moods, Free Gifts, and Super Wall to prove its point.

Quite simply, the developers have no authentication mechanism in place on their own servers when processing queries issued by a Facebook application. The developers rely instead on the Facebook app itself playing by the rules. A nefarious hacker merely needs to intercept the Web request issued by the app and replace his/her own Facebook ID with that of a potential victim.

While the 2600 article is not online, a reader of the Consumerist blog summarized it online:

In all three of those applications, User A can very easily modify User B's data by intercepting a form and modifying the uid (Facebook user ID) before transmission. In addition, with some applications, User A can gain access to stored application data (e.g. history, etc.) for any User B, whether they are friends or not. Such applications blindly trust form data that can easily be tampered with, which is very clearly a bad idea.

The Moods application allows unauthorized users to view the mood histories of non-friends, and with Firebug, anyone with the app can intercept their own mood change form before submitting it, change the uid in the form, and change someone else's mood.

Super Wall has a similar vulnerability that allows someone to intercept the form in a similar way and spoof messages from ANYONE to ANYONE (even a non-friend) just by changing the to and from uid's.

This is not rocket science, but far closer to computer security 101. Microsoft's Larry Osterman has written about these kinds of flaws on his own blog, describing his effort to educate Microsoft's programmers:

It takes a special mindset to think like a bad guy. Not everyone can switch into that mindset. For instance, I can't think of the number of times I had to tell developers on my team "It doesn't matter that you've checked the value on the client, you still need to check it on the server because the client that's talking to your server might not be your code."
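The server-side check Osterman describes, applied to the mood-setting request the article walks through, as an added example that is not code from the original post or from any of the named apps: the first handler trusts the uid carried in the form (the pattern 2600 reports), while the hardened handlers bind the uid to an HMAC session token the server issued and only write or read records the authenticated caller is entitled to. The secret, user ids and friend graph are constructed placeholders.

```python
import hashlib
import hmac
from typing import Optional

# Constructed placeholders for this example only; a real app keeps its secret out of source.
APP_SECRET = b"example-app-secret"
FRIENDS = {"1001": {"1003"}, "1002": set(), "1003": {"1001"}}  # constructed friend graph


def session_token(uid: str) -> str:
    """Token the server hands a client after it authenticates; it commits to one uid
    and cannot be recomputed for a different uid without APP_SECRET."""
    return hmac.new(APP_SECRET, uid.encode(), hashlib.sha256).hexdigest()


def caller_uid(form: dict) -> Optional[str]:
    """Return the uid the form's token actually proves, or None if absent or tampered."""
    uid, token = form.get("uid", ""), form.get("token", "")
    if uid and hmac.compare_digest(session_token(uid).encode(), token.encode()):
        return uid
    return None


def set_mood_vulnerable(store: dict, form: dict) -> str:
    """The pattern the article describes: whatever uid arrives in the form is trusted,
    so a form edited before submission rewrites another user's record."""
    store.setdefault(form["uid"], []).append(form["mood"])
    return form["uid"]


def set_mood_hardened(store: dict, form: dict) -> Optional[str]:
    """Check on the server: a record is written only for the uid the token proves."""
    uid = caller_uid(form)
    if uid is None:
        return None  # tampered uid, or a token forged without APP_SECRET
    store.setdefault(uid, []).append(form["mood"])
    return uid


def mood_history_hardened(store: dict, form: dict, target: str) -> Optional[list]:
    """A history is readable only by its owner or by one of the owner's friends."""
    uid = caller_uid(form)
    if uid is None or (uid != target and uid not in FRIENDS.get(target, set())):
        return None
    return list(store.get(target, []))
```

The same tampered form (uid changed to the victim's, token still the attacker's own) succeeds against the first handler and is rejected by the second, because the token can only be recomputed server-side for the uid it was issued to.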

On Wednesday, I spoke with Adrienne Felt, the University of Virginia researcher whose report first highlighted the excessive and dangerous data sharing that happens between Facebook and its application developers. When asked for her thoughts on the lack of authentication and security at major Facebook apps, Adrienne told me that, "sadly I am not surprised at all" as "apps are written by people who just barely know anything about coding."

For those of you interested in learning more, someone has taken the time to record a screencast of the attack in action. All that's needed is a Facebook account, the Firefox browser, and the Firebug browser add-on.

Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/. He is a member of the CNET Blog Network, and is not an employee of CNET.
12 Comments
by KeeganHill March 27, 2008 2:59 PM PDT
Sorry, but why do hackers do such childish things? I understand the ones that attack businesses for money, because the incentive is money. But what do they get out of Facebook? Nothing, except maybe a stupid little prank. These hackers need to grow up.
by AppleSuxLeo March 27, 2008 3:06 PM PDT
This just in! Gone in 2 minutes: Mac gets hacked first in contest. Macs are swiss cheese. It's time to start hacking Macs.
by firewallender March 27, 2008 3:48 PM PDT
"According to a recent article in 2600" - If I recall 1600 brought this up in December 2007.

You can get a back issue at: http://2600hacker.stores.yahoo.net/2007.html
by firewallender March 27, 2008 3:48 PM PDT
Sorry, 2600, typo there...
by junxie March 28, 2008 2:28 AM PDT
Link to http://tips-notebook.blogspot.com to this news... thanks
by dbargen March 28, 2008 11:43 AM PDT
This shouldn't be surprising to anyone. FB users are notoriously quick to 'install' web apps with their account with little regard for the way they're made. This would be an extremely successful way to profile people's addresses for SPAM, seeing how they have groups dedicated to this or that, and people's lists of favorite this or that.

Rolling back apps on FB would be one of the defining ways to improve the network for what it should be: a social info network. However, these apps keep ppl's eyeballs on the site for many times the amount of time, so that isn't likely to happen without extreme pressure.
by dbargen March 28, 2008 11:45 AM PDT
In reply to the 'swiss cheesed' mac, it was done using malicious code on a site after trying and failing to hack it directly, and we don't know if it was running an updated version of safari. Anyone with common sense could have avoided that pitfall.
by rgnitz March 31, 2008 5:41 AM PDT
Ha... I saw this problem coming five months ago. Take a look at the post I wrote.

http://deftlabs.com/2007/10/facebook-application-security/
by outers55 March 31, 2008 8:04 AM PDT
User data is incredibly valuable, so I can see why it would benefit hackers. The thing that bothers me is that it sounds like I don't even have to install the app (and maybe not even someone on my friends list) to be compromised. This seriously shakes my faith in Facebook as someone who has always been very selective about who I add to my friends list. Also, CNET has their own facebook app, one of the few I actually installed. I hope they are doing a good job protecting my information and that of my friends.
by private-internet July 18, 2008 11:26 AM PDT
It will only get worse before it gets better ..
by Micr0ft August 2, 2008 2:34 PM PDT
Hi Chris, great article. I linked to it here: http://michaelmknight.co.uk/main/?p=47 I hope you don't mind.

Thanks

Mike
by gummycaramelapple May 2, 2009 10:28 AM PDT
Hackers seem to get away with everything... and ruin everyone's fun playing the games. There are many videos on youtube that teach people how to hack into the games on facebook. If any of you have played any of the games on facebook such as "geochallenge" or "who has the biggest brain?", then I think you understand what I'm talking about. From my experience, it's best to not take chances and avoid using the applications on facebook altogether.