“Facebook is dangerous”, “Facebook can compromise your personal information” – we have all heard such phrases. But how true are they? Is FB really that bad?
No, yes, maybe…
Phishing / DOM-based XSS vulnerabilities
Wikipedia defines phishing as
the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication [1],
while Cross-site Scripting (XSS) is defined as a
type of computer security vulnerability typically found in web applications which enables malicious attackers to inject client-side script into web pages viewed by other users [2].
I’m going to leave these terms at this point as these are not the focus of this note.
What does it have to do with Facebook?
Facebook is designed to integrate third-party applications, provided these applications pass the filtering for malicious programs and/or functions. An application can be either an isolated iFrame or written in Facebook Markup Language (FBML) and embedded into the page. In both cases, the application appears to the end user as part of the FB page, served from an FB URL.
As we know, there has always been a race between good and evil. In terms of internet/computer security, the good is represented by security measures, while the evil is what people tend to call “hackers”; to be more specific, black hat hackers. It is in Facebook’s interest to keep the website secure and ensure its users’ privacy is not compromised, but when it comes to third-party applications, the creativity and competence of hackers in bypassing the security filters, allowing them to embed a malicious application within FB, cannot be forgotten. Once malicious code is added to the web application (that is, an XSS vulnerability is exploited), this code can gather information such as user cookies or form IDs, which are the basic security measures for Facebook. With this data the offender can access the user account without any limits. And this is the reason why we should pay extra care to what we click on when we feel like doing another quiz (for example, to find out what type of vegetable we are) or playing some game to kill the long office hours.
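The scenario above, as an added example that is not from the original post and uses no real Facebook API: a quiz app takes the visitor’s name from the URL fragment and writes it into the page (a DOM-based XSS sink), shown beside the encoded version, plus the cookie flags that keep a session cookie out of reach of any injected script. All function names and sample input are constructed.

```javascript
// Added example (not from the original post). Models a third-party app's
// DOM-based XSS sink and the two defences the post's scenario calls for:
// output encoding of untrusted data, and HttpOnly on the session cookie.
// No real Facebook API is used; all names and sample input are constructed.

// Escape the five characters that let data break out of an HTML text or
// attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the app greets the user with a name read from
// location.hash and assigns the string straight to innerHTML, so any
// markup in the fragment becomes live DOM (DOM-based XSS).
function renderGreetingUnsafe(nameFromHash) {
  return `<h1>Hello, ${nameFromHash}!</h1>`;
}

// Hardened pattern: same output, but the untrusted value is encoded before
// it reaches the HTML sink, so markup in the input is rendered as text.
function renderGreetingSafe(nameFromHash) {
  return `<h1>Hello, ${escapeHtml(nameFromHash)}!</h1>`;
}

// Session cookie flags: HttpOnly keeps the cookie out of document.cookie,
// so even a successfully injected script cannot read and exfiltrate it;
// Secure and SameSite limit where the browser will send it. Cookie values
// are restricted to printable ASCII without separators (RFC 6265 cookie-octets).
function sessionCookieHeader(name, value) {
  const nameOk = /^[\w-]+$/.test(name);
  const valueOk = /^[\x21-\x7e]+$/.test(value) && !/[;,"\\]/.test(value);
  if (!nameOk || !valueOk) throw new Error("invalid cookie name or value");
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample input: a fragment carrying an event-handler payload.
const untrusted = "<img src=x onerror=alert(1)>";
console.log(renderGreetingUnsafe(untrusted)); // tag survives: handler would run
console.log(renderGreetingSafe(untrusted));   // tag is displayed as literal text
console.log(sessionCookieHeader("sid", "constructed-session-id"));
```
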
Facebook – another finding
When doing some quick research on Facebook vulnerabilities, I came across a simple test:
- Join any network (click on Settings, go to the Networks tab and join any network).
- Once you have done this, information about the network you joined is displayed, including the number of people in it. Click on this number and you will see the full list of members.
- Now you are able to see the full profile of every member, even if they are not on your friends list and even if they have set their profile not to disclose information to people outside their friends list. In other words, anyone in the network you belong to can see your full profile.
- Now make a note of the name of any member of your network who is not on your friends list. Leave the network and try to view this person’s profile. The view is now limited.
So I would advise anyone who wants to keep his/her private profile private to leave FB networks.
Update: This issue was resolved in the latest Facebook security update. Seems like somebody actually does care :)
References:
Can’t wait for more. :)