facebook
I logged out of the mobile interface on my AT&T cell phone. "Just in case"
What is also frightening / interesting is that facebook seems to link
the two sessions so that when I logged out of the phone based session to
m.facebook.com, I was also logged out of my web based session as well.
Even more interesting is that trying to log in to Facebook on two
separate browser sessions won't work. I.e. if I log in to Facebook on one
computer, and then log in again on another computer, or on the same
computer in a different browser (i.e. Firefox for one session and i.e.
very fast response time from DirectNIC, which we appreciate.
The worm is still fast-spreading, watch the statistics as they fly:
http://www.d9.pl/system/stats.php
The facebook security team is working on this, and they are quite capable.
The security operations community has been doing analysis and
take-downs, but the worm seems to still be spreading.
All anti virus vendors have been notified, and detection (if not removal)
should be added within a few hours to a few days.
the session ID is generated and stored (being a mobile device this is a
bit more complicated than just setting cookies), it wouldn't necessarily
be a routing problem on the network layer, but could be a routing
problem within the application because of cached resources.
If, for example, facebook set the cookie in a non https session, or in
the url or via a redirect to a uniquely generated page name which in
turn set the cookie depending on the variables passed in a URL or other
cached content, and two users browsed the page content in relatively
short periods of time, the session cookie issued would be identical.
Meaning the second person to browse facebook would be logged in as the
Hey,
> AP Report says it was a 'routing problem'? any idea what they are
> talking about, do THEY know what they are talking about?
> Did AT&T mix up the destination ip addresses? did facebook NOT CHECK IP
> ADDRESS AND COOKIES and disable the session when the ip changed?
As far as I can tell no technical details have been released to explain
this issue either by Facebook or AT&T. So I am going to speculate on
various ways this might have happened:
http://www.pcmag.com/article2/0,2817,2327272,00.asp
Juha-Matti
"John C. A. Bambenek, GCIH, CISSP" [bambenek.infosec@gmail.com] kirjoitti:
> What's the infection vector? URL Link? Rogue Facebook app?
>
> On Wed, Aug 6, 2008 at 4:44 PM, Gadi Evron <ge@linuxbox.org> wrote:
>
> > Hi all.
> >
> It would probably be an interesting exercise to go through some more
> dashboard widgets and grep for eval. I'd bet quite a bit that
> there's much more out there.
- The (top-50) facebook widget [2] uses the AllowFullAccess
configuration option, which effectively means what it says.
This widget also uses JSON to access numerous facebook functions,
and eval() to parse the results. Most of facebook's API is
accessed through plain HTTP, of course, so the discussion in [0]
Hi all.
There's a facebook (possibly worm) something malicious sending fake
messages from real users (friends).
The sample also has a remote drop site (verified by someone who shall
remain nameless).
This is possibly zlob, not verified. Thanks Nick Bilogorskiy for his help.
On Wed, 6 Aug 2008, Gadi Evron wrote:
> Hi all.
>
> There's a facebook (possibly worm) something malicious sending fake
> messages from real users (friends).
>
> The sample also has a remote drop site (verified by someone who shall
> remain nameless).
>
have been stolen by a hacker from two separate databases, one including the
prospective students' data and another filled with requests for information
about the school.
WHID 2007-65: Facebook suing a porn site over automated access
==============================================================
Reported: 19 December 2007, Occurred: 28 June 2007
Classifications:
Tested on
iPhone firmware version 3.1.2
Facebook App version 3.1.2
Impact
It is possible to usurp valid session IDs in order to gain unauthorised access to Facebook profiles. At greatest risk are those handsets that have been jailbroken.
Description
Using known vulnerabilities and exploits to gain remote or direct access to the handset's file system, it is possible to steal the files:
"Exposing Interesting, 'Hidden' & Dark Social Network Relationships
with Maltego " by @l0sthighway & @TheSuggmeister
This talk highlights how you can extend the powerful data visualisation
tool, Maltego, to data mine virtually anything with an API or that you
can 'screen scrape'. We will focus specifically on Facebook and Twitter,
demonstrating how you can access users' data and map social relationships
using both the Facebook API and Twitter APIs and the Facebook Query
Language (FQL).
***
5.2.- Constraint
For a successful exploitation, the "Clipboard" channel must not be selected,
in order to allow the copy from the original file to the attack vector of your
preference (Gmail chat, Facebook chat, etc.).
5.3.- Configuration of the environment to be tested
5.4.- Test to validate if the DLP works properly
AP Report says it was a 'routing problem'? any idea what they are
talking about, do THEY know what they are talking about?
Did AT&T mix up the destination ip addresses? did facebook NOT CHECK IP
ADDRESS AND COOKIES and disable the session when the ip changed?
<http://www.foxnews.com/scitech/2010/01/16/network-flaw-causes-scary-web-error/>
SAN FRANCISCO – A Georgia mother and her two daughters logged onto
Facebook from mobile phones last weekend and wound up in a startling
place: strangers' accounts with full access to troves of private
There is a fairly in depth discussion of the issue here:
http://arstechnica.com/web/news/2010/01/facebook-att-play-fast-and-loose-with-user-authentication.ars
Not a routing issue, more of a proxy issue, and not uncommon in mobile carrier networks. Getting security right in a mobile application is tricky given how carriers manage Internet access. With the growth of smartphones these kinds of issues will become more prevalent until carriers refactor how they manage traffic via their proxies. I'll also note that while the referenced article suggests the use of SSL, there are issues with support in the mobile environment for SSL in terms of which certificate authorities are pre-installed on phones, whether applications have access to the certificate store on the mobile device (or need an embedded certificate), how certificate chaining and wildcarding is supported, and so on.
*********** REPLY SEPARATOR ***********
On 1/16/2010 at 7:39 AM Michael Scheidell wrote:
I've been trying to contact Facebook to report a security vulnerability. The
Facebook site does not seem to have any information about how to report
vulnerabilities or contact their security team. I tried emailing
security@facebook.com and privacy@facebook.com but got no response.
Does anybody have a security contact for Facebook, or should I just
post the bug here?
Alex
To help major browsers or application developers stop the proliferation of
this exploit, Checkmarx has published a guide to identify and remediate the
vulnerability. It can be downloaded at
http://www.checkmarx.com/CxDownloadRequest.aspx?id=8
A POC for IE and Facebook users can be seen here:
http://www.checkmarx.com/Demo/XSHM.aspx In this page, an attacker can easily
detect whether a user is currently authenticated to the Facebook
application. Interested parties will be able to detect XSHM in samples of
their application by using a free download version of the product.
Website http://www.ekoparty.org
Blog http://blog.ekoparty.org
Mailing-list http://groups.google.com/group/ekoparty
Twitter https://twitter.com/ekoparty
Facebook http://www.facebook.com/pages/ekoparty-security-conference/16162244291
LinkedIn http://www.linkedin.com/e/gis/42839/3C56B47CC210
Best regards,
ekoparty security conference staff
likely to fail. I see this as a relatively easy fix to open up a new
option in web app development.
> As more and more app development moves to hardware platforms
> (iAppleStuffs) and social media aka Ad-metadata networks (Facebook,
> Google *.google.com apps, webmail, etc.) cookies are an easy and
> transparent way to fly, that work now, all the time, and have clear
> business drivers behind them for auth tracking (and working now, all
> the time).
>
code used to handle URL. By visiting a maliciously crafted website, we
found that it might lead to an unexpected application termination or
arbitrary code execution. This issue has been addressed by Apple through
improved memory handling. CFNetwork is shared by most applications from
the App Store that need to talk over the web. Check the User-Agent of
your applications to be sure (example: Facebook/3.12 *CFNetwork/459*
Darwin/10.0.0d3 ). Update to iOS4 to improve your security.
More information here:
CVE-2010-1752 in http://support.apple.com/kb/HT4225
o Security-Advisory: TEHTRI-SA-2010-028 - 0day on BlackBerry
publicly available, obtaining it in this manner effectively lifts the
veil of anonymity from the user when interacting with the 3rd party
site.
Three social networks were tested and all were found to contain the
vulnerability. These are Facebook, Orkut and Bebo. Some of the
vulnerabilities were design flaws. The vulnerabilities are described
and demonstrated. The sites were contacted in advance yet some of the
vulnerabilities are still open.
CSID is not bound only to social network sites but might be found on
I. ABOUT THE APPLICATION
iScripts SocialWare is an award-winning, easy to use
social networking software that enables you to create
your own social network like MySpace, Orkut, Friendster,
Linkedin, Facebook, Hi5, etc.
II. DESCRIPTION
This CMS is affected by multiple remote security flaws,
The 7th ISOI (Internet Security Operations and Intelligence) will take
place on September 17th and 18th in San Diego, California.
ISOI 7 is kindly hosted by Websense and ESET. The evening reception is
graciously hosted by Facebook.
An early draft agenda can be found here: http://isotf.org/isoi7.html
While attendance is very limited as explained below, it is free of charge.
deniability.
The potential for mass exploitation is undeniable. We are urging Microsoft,
AOL and other administrators of popular chat networks to ban smileys
(especially animated ones) until all the consequences of this attack have
been understood. Twitter and Facebook are likely vulnerable too, although we
didn't conduct specific research yet on those networks.
The attached proof of concept program will compile the sample included
shellcode, encode it into a valid MSN smiley and compile a test C program by
using metasm. While the example shellcode and the compiled test program are
.: [ LINKS ]
- Web site
http://www.rootedcon.es/
- Facebook group
http://www.facebook.com/group.php?gid=96410924798
- LinkedIn group
http://www.linkedin.com/groups?gid=1969438
- Announce mailing-list
https://listas.rootedcon.es/mailman/listinfo/rooted-announce
iPhone SMS Fuzzing and Exploitation - Charlie Miller, Independent Security Evaluators
The Microsoft View of the 2008 Threat Landscape - Tony Lee, Microsoft
Cloud Defense in the Post-BotWar Era - Ikuo Takahashi
The Android Security Story: Challenges and Solutions for Secure Open Systems - Rich Cannings & Alex Stamos, Google, iSec Partners
Stealthy Rootkit : How malware fools live memory forensics - Tsukasa Ooi, Livegrid
Defending a Social Network - Alex Rice, Facebook
Museum of API Obfuscation on Win32 - Masaki Suenaga, Symantec
!exploitable and Effective Fuzzing Strategies as a Regular Part of Test - Jason Shirk, Microsoft
Analyzing Word and Excel Document Encryption - Eric Filiol, ESIEA - Operational cryptology and Virology Lab
English Dojo: Auditing Java Security, Marc Schoenefeld
Japanese Dojo: Assembler Programming and Reverse Engineering Malware, Yuji Ukai, fourteenforty
The incidents reported on WHID (the web hacking incidents database) last
week were:
* WHID 2009-11: Lil Kim Facebook Hacked
(http://whid.xiom.com/WHID/2009/11/Lil_Kim_Facebook_Hacked):
Together with the Soulja Boy Incident last year
(http://whid.xiom.com/WHID/2008/56/Soulja_Boy_Myspace_Hacked) and the
Twitter hack earlier this month (http://whid.xiom.com/whid-2009-2) shows
that inherent insecurity of Web 2.0 due to mismanagement by the (often