Facebook Attack: Personal Info Theft via CSRF


Bugbatter

  • Microsoft® MVP
  • Administrator
  • Diamond Member
  • 10605
Facebook Attack: Personal Info Theft via CSRF
« on: August 20, 2009, 02:37:55 PM »

This video is a demonstration of an attack exploiting a vulnerability in Facebook.
http://threatpost.com/blogs/facebook-attack-personal-info-theft-csrf-120

By merely viewing a forum page containing the rogue image, a user's personal information (full name, profile picture, and friends list) can be obtained by a hacker. It is not the image itself that does the trick. Instead, when the browser fetches the image, a chain reaction starts that delivers these details to the hacker. The chain reaction ends with a valid image, which means that the unknowing user would not have a clue that anything out of the ordinary just happened.
In addition, note that a user's details are also at risk when one of his friends falls victim to this attack.

http://blog.quaji.com/2009/07/facebook-personal-info-leak.html

If you are using Facebook Applications, you are being taken off the Facebook site. Are those games and fun stuff really worth the risk to you and your friends?

Microsoft MVP Consumer Security 2006-2016
Microsoft Windows Insider MVP 2016-


faith_michele

  • Anti - Phishing Staff
  • Gold Member
  • 1947
    • A Beacon of Light
Re: Facebook Attack: Personal Info Theft via CSRF
« Reply #1 on: August 21, 2009, 01:13:28 AM »
This explains how it works. 

Facebook CSRF attack - Full Disclosure

Quote
1. User naively surfs to a well-known and trusted forum at forum.com.
2. The thread he is viewing contains a malicious comment with an IMG tag pointing at quaji.com.
3. The user's browser attempts to retrieve the image,
4. but instead is redirected to hxxp://apps.facebook.com/hacker-app/step1.php.
5. The request is forwarded through the Facebook platform
6. to the hacker's app server,
7. and is again redirected to hxxp://apps.facebook.com/hacker-app/step2.php,
8. and back to the browser.
9. Browser attempts hxxp://apps.facebook.com/hacker-app/step2.php.
10. The Facebook platform passes the request to the hacker's app server, adding the user's personal information after being tricked into thinking it should do so.
11. To finish off, a redirect is issued to a proper image.

http://blog.quaji.com/2009/08/facebook-csrf-attack-full-disclosure.html
Microsoft Consumer Security MVP, July 2007-June 2010

"Fight your fights, find the grace in all the things that you can't change and help somebody, if you can." Van Zant

A Beacon of Light
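The chain quoted above only works because the forum lets a user-supplied IMG tag bounce the browser, cookies and all, through hosts the forum never intended to embed. One forum-side mitigation is to resolve a hotlinked image URL server-side, without any user cookies, and refuse to render it if the redirect chain leaves the original host, loops, or does not end in an image. The script below is an added example written for this thread; it is not code from either post or from the quaji.com write-up. The HTTP fetcher is a constructed in-memory stub: the quaji.com and apps.facebook.com hop names come from the quoted chain, while images.example.org and loop.example.org are invented for the test cases.

```python
"""Cookie-free redirect-chain inspection for user-supplied image URLs.

Added example, not code from the thread. `mock_fetch` is a constructed stand-in
for an HTTP client; a real deployment would issue HEAD/GET with no cookies,
a short timeout, and the same checks on each hop.
"""
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample responses: (status, headers).  The first chain mirrors the
# one described in the thread (hosts from the post, paths from its quote); the
# remaining entries are invented to exercise the loop and plain-image cases.
MOCK_RESPONSES = {
    "http://quaji.com/cat.gif":
        (302, {"Location": "http://apps.facebook.com/hacker-app/step1.php"}),
    "http://apps.facebook.com/hacker-app/step1.php":
        (302, {"Location": "http://apps.facebook.com/hacker-app/step2.php"}),
    "http://apps.facebook.com/hacker-app/step2.php":
        (302, {"Location": "http://images.example.org/real.gif"}),
    "http://images.example.org/real.gif": (200, {"Content-Type": "image/gif"}),
    "http://images.example.org/plain.png": (200, {"Content-Type": "image/png"}),
    "http://loop.example.org/a": (302, {"Location": "http://loop.example.org/b"}),
    "http://loop.example.org/b": (302, {"Location": "http://loop.example.org/a"}),
}


def mock_fetch(url):
    """Stand-in for a request made with NO user cookies attached."""
    return MOCK_RESPONSES.get(url, (404, {}))


def _verdict(chain, ok, reason, cross_origin_hosts):
    return {
        "chain": chain,
        "ok": ok,
        "reason": reason,
        "cross_origin_hosts": cross_origin_hosts,
    }


def inspect_image_url(url, fetch=mock_fetch, max_hops=10):
    """Follow redirects from `url` and decide whether it is safe to embed.

    Rejects the URL if any hop lands on a host other than the one the poster
    embedded, if the chain loops or exceeds `max_hops`, or if the final
    response is not a 200 with an image/* content type.
    """
    chain = [url]
    origin_host = urlparse(url).hostname
    cross_origin_hosts = []
    status, headers = fetch(url)
    hops = 0
    while status in REDIRECT_CODES:
        hops += 1
        if hops > max_hops:
            return _verdict(chain, False, "too many redirects", cross_origin_hosts)
        nxt = urljoin(chain[-1], headers.get("Location", ""))
        if nxt in chain:
            return _verdict(chain + [nxt], False, "redirect loop", cross_origin_hosts)
        host = urlparse(nxt).hostname
        if host != origin_host and host not in cross_origin_hosts:
            cross_origin_hosts.append(host)
        chain.append(nxt)
        status, headers = fetch(nxt)
    ctype = headers.get("Content-Type", "")
    if status != 200 or not ctype.startswith("image/"):
        return _verdict(chain, False, "final response is not an image", cross_origin_hosts)
    if cross_origin_hosts:
        # A valid image at the end is exactly what hides the attack from the
        # user, so the off-origin hops are what drive the decision.
        return _verdict(chain, False, "redirect leaves the embedded origin", cross_origin_hosts)
    return _verdict(chain, True, "ok", cross_origin_hosts)


if __name__ == "__main__":
    for u in ("http://quaji.com/cat.gif", "http://images.example.org/plain.png",
              "http://loop.example.org/a"):
        v = inspect_image_url(u)
        print(u, "->", v["reason"], "| hops:", len(v["chain"]) - 1,
              "| off-origin:", v["cross_origin_hosts"])
```

Because the check runs from the forum's server with no session attached, the hostile chain cannot harvest anything during inspection; it is the victim's browser, carrying a Facebook session, that the original attack relies on. Rewriting accepted images through a caching proxy on the forum's own host removes the browser from the loop entirely.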