WHID 2011-30: Facebook plugs gnarly authentication flaw
Entry Title: WHID 2011-30: Facebook plugs gnarly authentication flaw
WHID ID: 2011-30
Date Occurred: February 2, 2011
Attack Method: Content Spoofing
Application Weakness: Insufficient Authentication
Outcome: Leakage of Information
Attacked Entity Field: Web 2.0
Attacked Entity Geography: Palo Alto, CA
Incident Description: The vulnerability stems from a bug in one of
Facebook's authentication mechanisms, Rui explained.
The vulnerability enables the malicious website to impersonate any other
website to cheat Facebook, and obtain the same data access permissions on
Facebook that those websites receive. Bing.com by default has the permission to
access any Facebook user's basic information such as name, gender, etc., so
our malicious website is able to de-anonymize the users by impersonating
Bing.com. In addition, due to business needs, there are many websites
requesting more permissions, including access to a user's private data,
and publishing content on Facebook on her behalf. Therefore, by
impersonating those websites, our website can obtain the same permissions to
steal the private data or post phishing messages on Facebook on the user's
behalf.
The exploit is generic, so we do not need to write an exploit for each
Facebook app/website. The only parameter we need is the app ID of a Facebook
app/website.
Mass Attack: No
Reference:
http://www.theregister.co.uk/2011/02/02/facebook_plugs_authentication_flaw/
Attack Source Geography:
Attacked System Technology: Facebook
Additional Link: http://www.youtube.com/watch?v=chATOThshtY