Facebook fixes another security flaw

Posted by Emma Woollacott

Facebook says it's repaired a security vulnerability discovered by a pair of doctoral students at Indiana University.

The flaw allowed malicious websites to uncover a visitor's real name, access their private data and post bogus content on their behalf.

The vulnerability uncovered by Rui Wang and Zhou Li enabled malicious websites to impersonate legitimate websites in order to obtain their data access permissions. It occurred whenever a user gave Facebook permission to share information with popular websites like ESPN.com or YouTube.

Whenever a website makes such a request to Facebook via the user's browser, Facebook passes a secret random string called an authentication token back to the requestor for identification. Whoever holds that authentication token can gain access to the shared data.

The researchers found a flaw in the way the token was transmitted using two Flash objects: one inside Facebook's iframe passes the token to the second, which in this case would be embedded at ESPN.com.

The transfer mode can be selected through "transport='flash'", with the security guarantee being that both Flash objects are supposed to come from the same domain - i.e., Facebook - before they can talk.

The researchers found, however, that such a same-domain assumption is not always valid because Adobe Flash allows cross-domain communication with an unpredictable domain name that is prefixed with an underscore symbol in the connection name.

This allows an attacker website to steal an authentication token by choosing transport='flash', replacing the receiver Flash object with its own and then initiating a cross-domain communication with the Flash object inside the Facebook-controlled iframe to get the token and send it to the attacker's Flash object.

"This vulnerability has several implications," Wang said. "Basically, any user with a valid Facebook session loses anonymity and privacy to any website, even one with embarrassing or sensitive content."

Facebook says the problem has been repaired by simply instituting a check for the underscore symbol.
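As an added illustration (not code from the article, Facebook or Adobe), the following Python models the Flash connection-naming rule the article describes - a name beginning with an underscore is not scoped to the sender's domain, so the same-domain guarantee silently disappears - and the underscore check that closes the gap. The attacker domain and token value are constructed placeholders.

```python
from dataclasses import dataclass, field

SENDER_DOMAIN = "facebook.com"        # Flash object inside Facebook's iframe
ATTACKER_DOMAIN = "attacker.example"  # constructed placeholder for a rogue page
TOKEN = "constructed-auth-token"      # constructed sample secret


def qualified_name(domain: str, name: str) -> str:
    """Connection-naming rule as modelled here: a name beginning with '_'
    is not prefixed with the caller's domain, so a listener in any domain can
    claim it; every other name is scoped to the domain that registered it."""
    return name if name.startswith("_") else f"{domain}:{name}"


@dataclass
class Broker:
    """Stand-in for the player's table of registered connection names."""
    listeners: dict = field(default_factory=dict)  # qualified name -> (domain, inbox)

    def listen(self, domain: str, name: str) -> None:
        self.listeners[qualified_name(domain, name)] = (domain, [])

    def send(self, sender_domain: str, name: str, token: str,
             reject_underscore: bool = False):
        """Deliver token; returns the receiving domain, or None if undelivered.
        reject_underscore models the check the article says Facebook added."""
        if reject_underscore and name.startswith("_"):
            return None
        entry = self.listeners.get(qualified_name(sender_domain, name))
        if entry is None:
            return None  # no same-domain listener: token is not leaked
        receiver_domain, inbox = entry
        inbox.append(token)
        return receiver_domain


def token_receiver(listener_domain: str, conn_name: str,
                   reject_underscore: bool = False):
    """Which domain ends up holding the token when a receiver object served
    from listener_domain listens on conn_name and the Facebook-iframe sender
    is told to transmit on that same name."""
    broker = Broker()
    broker.listen(listener_domain, conn_name)
    return broker.send(SENDER_DOMAIN, conn_name, TOKEN, reject_underscore)


if __name__ == "__main__":
    print(token_receiver(SENDER_DOMAIN, "fbtoken"))           # facebook.com
    print(token_receiver(ATTACKER_DOMAIN, "fbtoken"))         # None
    print(token_receiver(ATTACKER_DOMAIN, "_fbtoken"))        # attacker.example
    print(token_receiver(ATTACKER_DOMAIN, "_fbtoken", True))  # None
```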

"Researchers at Indiana University reported a vulnerability in our Platform code to us, and we worked quickly with them to resolve it," says the company. "It was fixed shortly after it was reported. We're not aware of any cases in which it was used maliciously."