Monday, January 27, 2014

Hacking Facebook Connect

TL;DR Every website with "Connect your Facebook account and log in with it" functionality is vulnerable to account hijacking. Every website relying on signed_request (for example, the official JS SDK) is vulnerable to account takeover as soon as an attacker finds a 302 redirect to another domain.

I don't think these will be fixed, as I've heard from the Facebook team that it would break compatibility. I really wish they would fix it though; as you can see below, I feel these are serious issues.

I understand the business reasons why they might choose that, but from my perspective, when you have to choose between security and compatibility, the former is the right bet. Let me quickly describe what these bugs are and how you can protect your websites.

CSRF on login to hijack your identity.
This is a higher-level variant of the most common OAuth vulnerability (attaching the attacker's social account to the victim's client account), but here even clients that use "state" to prevent CSRF are vulnerable.

<iframe name="playground" src='data:text/html,<form id="genform" action="" method="POST"><input type="hidden" name="email" value=""><input type="hidden" name="pass" value="password"></form><script>genform.submit()</script>'></iframe>

FYI, we need the data: URI trick to get rid of the Referer header, because Facebook rejects requests with cross-domain Referers.

This form logs the victim into an arbitrary account controlled by the attacker (even if the user is already logged in, the logout procedure is trivial). From now on, Facebook will answer every OAuth flow with the attacker's profile information and the attacker's uid.

Every website with "Connect your Facebook to your main account to log in faster" functionality is vulnerable to account hijacking: as long as the attacker can replace your identity on Facebook with his own, he can connect his Facebook account to the victim's account on the website simply by making the victim's browser load the CLIENT/fb/connect URL.

Once again: even if we cannot inject our own callback (with our own code) because of state protection, we can re-login the user and let Facebook do all the work for us!

Almost all server-side libraries and implementations are "vulnerable" (they are not really; it's Facebook that is vulnerable!): omniauth, django-social-auth, etc. And yes, the official facebook-php-sdk too.

(By the way, I found 2 bugs in omniauth-facebook: state fixation and authentication bypass. Update if you haven't yet.)

Mitigation: require a CSRF token for adding a social connection. E.g. instead of /connect/facebook use /connect/facebook?authenticity_token=123qwe. This makes it impossible for an attacker to start the process by himself, because only a page served to the logged-in user knows the token.

Facebook JS SDK and #signed_request
Because "redirect_uri" has been flexible on Connect since its creation, Facebook engineers made it a required parameter when exchanging an issued "code" for an "access_token". If the code was issued for a different (spoofed) redirect_uri, the provider responds with a mismatch error.

signed_request is a special, non-standard transport created by Facebook. It carries a "code" as well, but this code is issued for an empty redirect_uri = "". Furthermore, signed_request is sent in the #fragment, so it can easily be leaked through any 302 redirect to the attacker's domain: the browser keeps the fragment across the redirect and attaches it to the new location.

And the redirect can even be on a subdomain of our target! The attack surface is so huge that you can no doubt find a redirecting endpoint on any big website.

Basically, signed_request is exactly the "code" flow, but with the leak protection (the redirect_uri check) turned off.

All you need is to steal the victim's signed_request with a redirect to your domain (slice it from location.hash), then open the client website, put it in the fbsr_CLIENT_ID cookie and hit the client's authentication endpoint.

Finally, you're logged in as the owner of that signed_request. It's just like stealing a username and password.

Mitigation: it's hard to get rid of all the redirects. For example, Facebook clients like SoundCloud, Songkick and Foursquare are OAuth providers themselves, so they have to be able to redirect to third-party websites, and each redirect to one of their "sub" clients is also a way to leak Facebook's token. Well, you can try appending #_=_ to your redirect targets to "kill" the fragment: a Location header that carries its own fragment replaces the one the browser would otherwise carry over.

It's better to stop using signed_request (get rid of the JS SDK) and use the (slightly more) secure code flow with the protections I mentioned above.

In my opinion, I'd recommend not using Facebook Connect in critical applications (nor any other OAuth provider). Perhaps it's a suitable quick login for a funny social game, but never for a website with important data. Use old-school passwords instead.

If you must use Facebook Connect, I recommend whitelisting your redirect_uri in the app's settings and requiring user interaction (clicking a button) to start adding a new connection. I really hope Facebook will change their mind, to remain a trustworthy identity provider.

Sunday, January 26, 2014

Twitter Increase Followers Hack

It seems there is a bug in Twitter's web application. The bug allows anyone to increase their follower count. This can be achieved by performing the following steps:
  1. Log in with any Twitter account, other than the account whose followers need to be increased.
  2. Go to the Twitter account page whose followers need to be increased.
  3. Continuously click on the follow button beneath the Twitter header image.
Clicking takes a lot of time, so I used the following script to generate click events.

Now, instead of doing step 3, open up the JavaScript console in any browser and execute the above script.

You will see that the follower count starts increasing. It keeps increasing until the daily follow limit is reached.
Now you may check that account from your phone or any other browser, and the follower count will have increased.
The change in the count stays for some time and is not permanent, though the time varies. This may be because the change takes place in a caching server or something.

It's been 6 hours and my last increase in count still hasn't reverted to the original count.

Monday, January 06, 2014

Google Alert - White Hackers

News: 1 new result for White Hackers
Is now the time to invest in cyber security? (Fox Business)

Friday, January 03, 2014

Google Alert - White Hackers

News: 10 new results for White Hackers

Can Snapchat Recover from Hack Attack? (Fox Business)
Just one week after being warned of its vulnerabilities by a group of white-hat hackers, Snapchat found itself the target of an attack. Late Tuesday, 4.6 ...

Hackers Attack Snapchat To "Raise Awareness" About Security (Fast Company)
"Security matters as much as user experience," say the white-hatted hackers, who are hoping their actions will force Snapchat to fix the hole. By Addy ...

Millions of Snapchat users' private information released by hackers (Herald Sun)
The vulnerability was first found and published in August by an anonymous Australian collective of "white hat" hackers, Gibson Security, along with ...

Barnaby Jack's Death an Overdose (Daily Beast)
The death of famed "white hat" hacker Barnaby Jack, known as a genius in the information security world and the life of the party to friends, has been ...

Top 10 Security Breaches Of 2013 (CRN)
White-hat hackers who produce research and uncover flaws and cybercriminal hackers who threaten to undermine defenses both contribute to the ...

Was your Snapchat account hacked? (Sydney Morning Herald)
Despite where their URL redirects, Smidlein and Trencheny said they are not affiliated with Gibson Security, the Australian white-hat hackers who ...

Snapchat hacked; The group SnapchatDB urges the app to tighten ... (WPTV)
Last week, Gibson Security -- a group of "white hat" hackers, meaning they don't exploit the security gaps they find -- published what they said was ...

Hacky New Year: Snapchat, Skype fall victim to hackers (One News Page)
White-hat hackers often give organizations a limited time period to fix security flaws before releasing sensitive data to the public in an effort to put ...

Syrian Electronic Army Seems More Interested in Hacking Than Syria (The Wire)
In their biggest coup in April, the SEA hacked into the Associated Press's Twitter account and wrote that the White House was under attack, sending ...

Snapchat Knew It Was Vulnerable To Hackers In August But Denied ... (Houston Chronicle)
... Snapchat was revealed to Snapchat back in August by Gibson Sec, a group of white hat (i.e. "good guy") students interested in hacking and security.