Security hole in Facebook nets researcher $5000
Posted on: 08/23/2012 05:05 PM
[
Comments
]
A security researcher who goes by the name of AMol NAik has disclosed a security hole in Facebook's web site. The cross-site request forgery (CSRF) flaw allows an attacker to execute actions as a logged-in user by accessing specific URLs. The researcher earned a bounty of $5,000 for responsible disclosure of the vulnerability before publishing it.
After Facebook introduced its App Center functionality, AMol NAik discovered that the anti-CSRF tokens in HTTP requests are apparently not validated on the server side and that an attacker is therefore able to add applications on the platform as another user. To execute this attack, the attacker merely needs the victim to visit a specially crafted web site, after which malicious applications can be planted on the App Center.
Anti-CSRF measures like the ones employed by Facebook are supposed to prevent this kind of attack by generating a token with every valid session that has to be sent by the client with every request. Scripts on other web sites have no access to this token and therefore cannot generate valid requests. In Facebook's case, the App Center pages did not actually check the token for validity, which allowed anyone to send bogus requests and have them accepted. The Facebook Security team fixed the vulnerability within one day of being contacted by AMol NAik.
After Facebook introduced its App Center functionality, AMol NAik discovered that the anti-CSRF tokens in HTTP requests are apparently not validated on the server side and that an attacker is therefore able to add applications on the platform as another user. To execute this attack, the attacker merely needs the victim to visit a specially crafted web site, after which malicious applications can be planted on the App Center.
Anti-CSRF measures like the ones employed by Facebook are supposed to prevent this kind of attack by generating a token with every valid session that has to be sent by the client with every request. Scripts on other web sites have no access to this token and therefore cannot generate valid requests. In Facebook's case, the App Center pages did not actually check the token for validity, which allowed anyone to send bogus requests and have them accepted. The Facebook Security team fixed the vulnerability within one day of being contacted by AMol NAik.
Comments
