The Tech Herald

Facebook: Rogue applications and a new CSRF attack

by Steve Ragan - Aug 20 2009, 17:30

Trend Micro researcher Rik Ferguson has been busy this week. He has identified not one, but six rogue applications moving around on Facebook, each one malicious. If that wasn’t bad enough, researcher Ronen Zilberman has posted details of a CSRF attack on Facebook that can snatch personal details from targeted accounts.

Starting with Ferguson’s research: the Trend Micro researcher has come across six different rogue Facebook applications. One of them, “sex sex sex and more sex!!!,” starts with a notification that someone has commented on a user’s post. Once clicked, the notification and the comments lead to a Facebook credential-harvesting site (fucabook-dot-com). What is interesting, Ferguson noted, is that this single application had over 287,000 fans.

There are others as well. Rogue applications named “Posts”, “Stream”, and “Your Photos” all link to malicious sites, and each one is harvesting personal information and credentials. There are also applications named “Birthday Invitations”, “Inbox(2)”, and “Inbox(1)”, which behave just like the others. If you see them, ignore them. If you are using them, remove them.

“…always check the URL displayed in your browser’s address bar before entering any sensitive information. Also check the true destination of a link before clicking it, by hovering your mouse pointer over it. If it looks suspicious, don’t click it. Also, if you’re a Facebook user, now would be a good time to go and review your privacy settings and clear out any applications you no longer use,” advised Ferguson.

Another Facebook issue, related to the Facebook Application API, was discovered by researcher Ronen Zilberman. Zilberman found that the API allows an attacker to construct a malicious Facebook application (something anyone with a Facebook account can do) and use it to collect the full name, profile picture, and friends list of any Facebook user.

The attack needs only an IMG tag on a forum or an embedded IFRAME to work. “This is a special type of CSRF attack in which the hacker not only causes an action on behalf of the user, he is also at the receiving end, obtaining the stolen information,” Zilberman said.

“The attack in its final form is very powerful and it was surprising even to me. While the specific vulnerability in this case was a glitch in the Automatic Authentication process, the rest of the attack is based on the normal behaviour of web browsers and servers.”

A breakdown of the attack is here. The original notice of the CSRF attack is here, along with a video demonstration. While we will not reproduce Zilberman’s work here, we have embedded the video showing off the attack below.


