Did you hear about that really dangerous security hole that allows attackers to manipulate third party Facebook applications to hack into your Facebook account? The one Skype and Dropbox both said they fixed, closing a web site redirection vulnerability on their sites before the hole was publicly disclosed? Great news, right?
Right. Except for the fact that the same vulnerability may exist in hundreds, or even thousands of other Facebook applications and still provides a ready pathway into Facebook accounts, according to Nir Goldshlager, the Israeli security researcher who discovered the vulnerability.
Goldshlager described the vulnerability, which he named the “UnFix Bug” on his web site in a post on Wednesday, after discussing details of the hole with the online publication TechCrunch. It is just the latest in a string of security holes he has discovered in OAuth, an open authentication standard used by social networking sites like Facebook and Twitter.
The vulnerability allows a remote attacker to abuse Facebook’s implementation of OAuth to steal a victim’s access_token, giving the attacker control over the victim’s Facebook account with whatever permissions the Facebook application currently holds, Goldshlager told The Security Ledger in an online chat on Friday.
Prior to posting details of the flaw, he worked with both Skype and Dropbox to close off redirection vulnerabilities on their websites that could be used to exploit Facebook users. But word of the vulnerability’s demise was greatly exaggerated. Two specific site redirect vulnerabilities that could be used to launch the attack were closed, but similar redirect flaws exist in many domains linked to Facebook applications. Any of those could be used to steal Facebook users’ credentials, Goldshlager explained.
“This is a design flaw in Facebook OAuth,” he wrote. “Most of the sites today suffers from site redirection issues, and…an attacker also (is) able to use a subdomains (sp) of the owner (application).”
Popular application publishers like Zynga are a natural target, given their prevalence on Facebook accounts and their large web presence. Redirect holes in Zynga.com or any of its subdomains could be used, in conjunction with any Zynga application, to steal user credentials. Even Skype and Dropbox could still be vulnerable, Goldshlager wrote, provided an attacker can find a site redirection hole somewhere on their public web page.
“If the attacker will find another site redirection in skype.com or subdomains of Skype.com, He will be able to exploit it again,” he wrote.
Goldshlager said that the perception that website redirection holes are low priority security issues is incorrect.
“Everyone think (sp) that site redirection is a low issue,” he wrote. “But when it comes to OAuth, the site redirection become more serious issue that allow (sp) an attacker steal access_tokens of Facebook apps.”
Specifically, Facebook’s implementation of OAuth uses a parameter called “redirect_uri” to tell Facebook where to send the access token once a user has authorized an application. Goldshlager has shown that attackers can bypass the security measure Facebook applies to that parameter, its “regex protection,” and combine that with the site redirection to send a Facebook access token to an external website controlled by the attacker, where it is stored for later use. Coupled with the redirection flaw on the publisher’s (trusted) web site, the redirect_uri parameter can be used to siphon off access credentials for Facebook accounts.
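The two weaknesses the article chains together, a permissive redirect_uri check at the OAuth provider and an open redirect on the application publisher’s own site, are easier to reason about side by side. The following is an added example written for this page; it is not Facebook’s code, not Goldshlager’s proof of concept, and not any publisher’s code. It assumes a hypothetical application registered at `https://app.example-publisher.test/oauth/callback` under the domain `example-publisher.test`; every URL in it is constructed. It contrasts a domain-matching, regex-style redirect_uri check (which accepts any path and any subdomain, so an open redirect anywhere on that domain forwards the token) with an exact-match allowlist of registered URIs, and shows the guard a publisher can put on its own post-login `next` parameter so that it never redirects off-origin.

```python
# Added example, not from the article or from Facebook/Goldshlager.
# All domains, URIs and names below are constructed for illustration.
import re
from urllib.parse import urljoin, urlsplit

# Constructed: the hypothetical app's registered domain and exact callback URI.
REGISTERED_APP_DOMAIN = "example-publisher.test"
REGISTERED_REDIRECT_URI = "https://app.example-publisher.test/oauth/callback"
SITE_ORIGIN = "https://app.example-publisher.test"


def loose_redirect_uri_ok(redirect_uri: str) -> bool:
    """Permissive, regex-style check: any https URL whose host is the
    registered domain or one of its subdomains passes, with any path and
    query string. This is the shape of check the article describes as
    bypassable: a token can be sent to any page on the domain, including a
    page that itself redirects to a third party."""
    pattern = re.compile(
        r"^https://([a-z0-9-]+\.)*" + re.escape(REGISTERED_APP_DOMAIN) + r"(/.*)?$",
        re.IGNORECASE,
    )
    return pattern.match(redirect_uri) is not None


def strict_redirect_uri_ok(redirect_uri: str, registered=frozenset({REGISTERED_REDIRECT_URI})) -> bool:
    """Exact-match allowlist: scheme, host, port and path must equal a
    registered URI and no query string or fragment is allowed, which is the
    simple string comparison RFC 6749 (section 3.1.2) calls for when the
    complete redirection URI is registered. Subdomains, alternative paths and
    appended parameters are all rejected, so an open redirect elsewhere on
    the publisher's domain cannot be used as the token's destination."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.query or parts.fragment:
        return False
    normalized = f"{parts.scheme}://{parts.netloc.lower()}{parts.path or '/'}"
    return normalized in registered


def safe_next_target(next_param: str, site_origin: str = SITE_ORIGIN) -> str:
    """Publisher-side open-redirect guard for a 'next' style parameter.
    Resolves the value against the site's own origin and returns it only if
    it stays on that origin; anything else (absolute URLs to other hosts,
    scheme-relative //host values, backslash variants, foreign schemes)
    falls back to the site root."""
    fallback = site_origin + "/"
    if not next_param:
        return fallback
    # Browsers treat backslashes like slashes in URLs; normalize before parsing.
    candidate = next_param.replace("\\", "/")
    target = urljoin(site_origin + "/", candidate)
    t, o = urlsplit(target), urlsplit(site_origin)
    same_origin = (
        t.scheme == o.scheme
        and (t.hostname or "") == (o.hostname or "")
        and t.port == o.port
    )
    return target if same_origin else fallback


def token_would_leak(redirect_uri: str) -> bool:
    """True when the loose check accepts a redirect_uri that the strict
    allowlist rejects, i.e. a destination that differs from the registered
    callback yet still passes the domain-matching regex."""
    return loose_redirect_uri_ok(redirect_uri) and not strict_redirect_uri_ok(redirect_uri)


if __name__ == "__main__":
    # Constructed sample: a redirecting page on the publisher's forum subdomain.
    sample = "https://forum.example-publisher.test/out?url=https://attacker.test/"
    print("loose accepts:", loose_redirect_uri_ok(sample))
    print("strict accepts:", strict_redirect_uri_ok(sample))
    print("next guard:", safe_next_target("//attacker.test/x"))
```

Running the block prints that the loose check accepts the forum subdomain URL while the strict allowlist rejects it, and that the `next` guard collapses a scheme-relative `//attacker.test/x` value to the site root. The same exact-match rule is what an OAuth provider needs in order to make a publisher’s open redirects irrelevant to token delivery; the `next` guard is the fix on the publisher’s side that removes the redirect itself.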
Contacted by The Security Ledger, a Facebook spokesman said that a number of pieces have to fall into place for the vulnerability to be used successfully in an attack. Users first have to install the application on their Facebook profile and the web site for that application’s publisher has to have a site redirection vulnerability in it. Finally, the application needs to have verbose permissions that the attacker can exploit. However, Goldshlager argues that all three of those conditions are easily satisfied. Once attackers understand how the hack works, it will be appealing to them, he said.
Goldshlager is well known for his work testing the Facebook platform. In March he published information on a similar OAuth hack that would divulge Facebook user credentials using malicious apps, even if no third party applications had been installed.
He is one of a handful of security researchers who have focused their energies on looking for holes in the Facebook implementation of OAuth. In February, for example, a security researcher, Egor Homakov, tied together the Chrome XSS Auditor and a string of vulnerabilities to craft an exploit that could obtain a Facebook user’s signed_request, code and access token for any client_id previously authorized on Facebook. The OAuth2 framework, he said, is quite insecure with a “gigantic attack surface, all parameters are passed in URL.”
The job of identifying and shutting down exploitable redirection vulnerabilities lies with the third party application publishers, Goldshlager said. However, it’s possible that Facebook will find a way to alter its application architecture to eliminate the vulnerability once and for all. In doing so, however, the company risks breaking applications – so it must tread carefully, Goldshlager said.
Facebook has had its share of security woes in recent months. They include a targeted “watering hole” style attack that compromised computers belonging to company employees. Researchers have also shown that even normal interactions with social networking sites like Facebook can be used to obtain otherwise private information from users.