Several weeks ago, Rui Wang and Zhou Li, under the guidance of Prof. XiaoFeng Wang and me, discovered a security vulnerability in one of Facebook's authentication mechanisms. We privately notified Facebook soon after, and the issue was fixed last week. Facebook's security team considered this a "serious vulnerability" and acknowledged us on the Facebook Security White Hats page.
A video showing the attack has been uploaded to YouTube. The vulnerability allows a malicious website to impersonate any legitimate website in front of Facebook's authentication mechanism. As shown in the video, this has a number of implications: (1) any user with a valid Facebook session loses his/her anonymity and privacy. Specifically, any website (e.g., one with embarrassing or sensitive content) can obtain the name the user registered on Facebook, which is typically his/her real name. This works because the malicious website can impersonate Bing.com, which Facebook allows to retrieve the user's basic information; no user consent is required. (2) If the user has ever granted any website, such as NYTimes, YouTube, Farmville or ESPN, permission to connect to his/her Facebook account, further damage can be done, including disclosure of private data that the user does not want to share with others, and impersonation of the user to post bogus news, comments or status updates on friends' walls.
This article gives details about how a malicious website can steal the authentication token that Facebook tries to pass to the victim website: Informatics students discover, alert Facebook to threat allowing access to private data, bogus messaging
The patience and the agility demonstrated by Rui and Zhou in reaching this finding impressed me a lot. This authentication mechanism is part of Facebook's platform code. I would like to think that it had been carefully examined by many pairs of eyes for its security. Rui and Zhou started with a number of hunches, but after they actually tried these ideas, they were quite frustrated. At one point, they felt that what they were doing was in direct confrontation with what Facebook tried to block. Despite the initial frustration, they kept going deeper, until the final missing piece was found: the unpredictable domain communication of Adobe Flash. Really nice job, guys!
Here is a collection of news articles about this finding published since yesterday:
Facebook flaw allowed websites to steal users’ personal data without consent, Naked Security
Facebook plugs gnarly authentication flaw, The Register
New Facebook vulnerability patched, ComputerWorld
Facebook Fixes Security Vulnerability, eWeek