For all the credit Facebook has received for its privacy controls and user safety, the site still falls prey to an unsettling number of security issues and potential data breaches. Last month a botched code push accidentally revealed private user email addresses, and before that Facebook accidentally sent private messages to the wrong recipients. Today, security engineer Joey Tyson, AKA theharmonyguy, has detailed a major security hole in Facebook Platform — one that would allow a malicious website to silently access a user’s profile information, photos, and in some cases, messages and wall posts, with no action required on the user’s part.
The exploit, which we’ve confirmed has now been patched, could hijack the session of a previously authorized third party Facebook application and invisibly pass it off to a malicious app. In his proof-of-concept, Tyson embedded Farmville in an invisible frame on his site. He then used some trickery with Facebook Platform parameters to pass all access rights Farmville had on to a malicious data harvesting application. In short, any of the many millions of people who had previously installed Farmville and visited the apparently benign proof-of-concept site would have their data invisibly harvested. If the user had granted Farmville additional permissions to access their Wall or messages, then the malicious app would have them too. Tyson only used Farmville in this instance because of its massive install base, but he could have used any other third party app.
Fortunately, Tyson doesn’t have reason to believe this exploit has been abused, stating “It’s unlikely that any real-world attacks used this particular vulnerability, and I certainly have no record of such a case.” But he also notes that it may have existed for a year or longer.
Further, Tyson thinks that Facebook still has problems with the way Platform is set up that expose it to vulnerabilities like this:
I commend Facebook for responding quickly to this issue and for being open to white-hat security reports. But in my opinion, this vulnerability is simply the latest reminder that the Facebook Platform can open users to many problems quite separate from the security of Facebook itself. I personally think that aspects of the Platform’s implementation fail to match user expectations of privacy, as I’ve discussed previously. And while this particular problem may be solved, vulnerabilities in specific applications and the nature of application access continue to put private data at risk of unwanted disclosure.
For more technical details on how the exploit worked, check out Tyson’s post. Tyson has written quite a few other articles detailing flaws with Facebook security, including his Month of Facebook Bugs, which exposed some serious issues with Facebook Platform last October (he notes that some of these have since been fixed).