October 24, 2014

In Brief: Facebook fixes serious password reset vulnerability

(LiveHacking.Com) – Facebook has fixed a serious vulnerability in its password reset mechanism after Sow Ching Shiong, an independent vulnerability researcher, discovered a flaw which allowed attackers to change the passwords of accounts they had already compromised without knowing the user’s current password.

Normally, an authenticated Facebook user needs to enter their current password when using the change password page. This prevents an unauthorized person from changing the password without the user’s knowledge. However, Ching Shiong found that it was possible to change a user’s password without knowing the old one by first accessing the URL “https://www.facebook.com/hacked”. This page then automatically redirected to the compromised account recovery page, where the previous password was not required.

Facebook has now addressed this issue and users are prompted to enter their old passwords before setting a new one. Sow Ching Shiong has been added to Facebook’s list of white hats.

“This vulnerability has been confirmed and patched by Facebook Security Team. I would like to thank them for their quick response to my report,” wrote Sow Ching Shiong on his blog.

Facebook fixes a couple of potentially dangerous security flaws

(LiveHacking.Com) – Over the last few days Facebook has fixed a couple of potentially dangerous security flaws: a webcam vulnerability and a bug in Facebook Stories.

The social networking giant patched a security flaw that allowed attackers to switch on a remote webcam, without the victim’s knowledge, and post the recorded video to the victim’s profile.

The vulnerability was reported to Facebook in July by Aditya Gupta and Subho Halder, the founders of the security company XY Security. Under Facebook’s security vulnerability bounty scheme the pair were paid $2,500 for the information, five times the usual price.

The flaw was found in the webcam video upload feature. It appears that Facebook didn’t have proper security checks built into the feature. By exploiting the vulnerability, an attacker could trick a user into silently recording from their webcam and publish the result without the user’s knowledge.

“This vulnerability, like many others we provide a bounty for, was only theoretical, and we have seen no evidence that it has been exploited in the wild,” Wolens wrote in an e-mail to Bloomberg. “Essentially, several things would need to go wrong — a user would need to be tricked into visiting a malicious page and clicking to activate their camera, and then after some time period, tricked into clicking again to stop/publish the video.”

The second fix was to Facebook’s Stories website. The site has a feature called “New Year’s Midnight Delivery” which allows users to write messages to friends that will be automatically sent after midnight. According to Aberystwyth University student Jack Jenkins it was possible to change the message ID in the confirmation URL, displayed after sending a message, to read and delete other users’ messages.

Facebook took the “Midnight Delivery” feature offline temporarily to patch the vulnerability and, according to an update to Jenkins’ blog, the bug has now been fixed.
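The Midnight Delivery bug above is a missing object-level authorization check: the message ID in the confirmation URL was trusted on its own. The following is an added illustration, not code from the article, from Facebook or from Jenkins’ write-up. It models a vulnerable lookup beside a hardened one; the store, the sequential IDs, the confirmation URL format and the rule that only the sender may view or cancel an undelivered message are all assumptions of this example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


class AuthorizationError(Exception):
    pass


@dataclass
class ScheduledMessage:
    sender: str
    recipient: str
    body: str


class MidnightDeliveryStore:
    """Constructed toy store for messages queued for delivery after midnight."""

    def __init__(self) -> None:
        self._messages: dict[int, ScheduledMessage] = {}
        self._next_id = 1000  # sequential ids, trivially guessable

    def create(self, sender: str, recipient: str, body: str) -> int:
        mid = self._next_id
        self._next_id += 1
        self._messages[mid] = ScheduledMessage(sender, recipient, body)
        return mid

    # Vulnerable: the id taken from the confirmation URL is the only thing
    # consulted, so whoever edits that id can read (or delete) any message.
    def read_vulnerable(self, message_id: int) -> ScheduledMessage:
        return self._messages[message_id]

    # Hardened: the id still comes from the URL, but the message is only
    # returned if the session user is its sender. Missing and foreign
    # messages raise the same error, so ids cannot be enumerated either.
    def read(self, message_id: int, session_user: str) -> ScheduledMessage:
        msg = self._messages.get(message_id)
        if msg is None or msg.sender != session_user:
            raise AuthorizationError("no such message for this user")
        return msg

    def delete(self, message_id: int, session_user: str) -> None:
        self.read(message_id, session_user)  # same ownership check first
        del self._messages[message_id]


def message_id_from_confirmation_url(url: str) -> int:
    """Parse the id out of a constructed URL like .../confirm?message_id=1000"""
    return int(parse_qs(urlparse(url).query)["message_id"][0])
```

The hardened `read` and `delete` take the user from the authenticated session, never from the request, which is the property the original feature lacked.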

Facebook Scams with Chrome and Firefox Plugins

(LiveHacking.Com) – Security researchers at Websense® have discovered new Facebook scams.

According to the report published by Websense®, the attacker uses social engineering tricks such as an engaging video or the offer of a free voucher to attract victims to its scam pages. The victims are then asked to install a browser plugin. Once installed, the plugin uses a malicious script and the Facebook API to post the scam to the victims’ friends’ pages.

According to the Websense® researchers, at the moment, only Chrome and Firefox plugins are being used.

More information is available at Websense® Security Blog.

Facebook Bug Exploited to Post Zuckerberg Pictures on Internet

(LiveHacking.Com) – A bug in Facebook which allowed any Facebook user to access another user’s most recently uploaded photos, bypassing all privacy settings, has been exploited to post pictures from the private collection of Mark Zuckerberg, Facebook’s founder.

In total, 14 pictures of Mr Zuckerberg were posted to the image site Imgur with the headline: “It’s time to fix those security flaws Facebook”.

“The bug allowed anyone to view a limited number of another user’s most recently uploaded photos irrespective of the privacy settings for these photos,” said Facebook in a statement. “This was the result of one of our recent code pushes and was live for a limited period of time. Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed.”

The bug was found in Facebook’s system for reporting inappropriate public profile pictures. Once a report was made, Facebook automatically offered more pictures from the person’s profile and asked the reporting user to flag any other unacceptable ones. However, it turned out that the thumbnails shown were easy to enlarge and download.

This latest privacy failure comes just days after the FTC and Facebook announced a settlement over complaints that Facebook deceived its users with regards to privacy. At the time of the settlement Zuckerberg wrote that it is normal to be skeptical about Facebook’s role in how hundreds of millions of people share their personal information online. “Even if our record on privacy were perfect, I think many people would still rightfully question how their information was protected,” he said.

Facebook Fixes .EXE Upload Vulnerability

(LiveHacking.Com) – An executable file upload flaw found on Facebook, which allowed an attacker to upload and send an executable file to another Facebook user via the Facebook ‘Messages’ tab, has been fixed.

Nathan Power, a security penetration tester from Ohio, originally posted details of the flaw a few days ago and initially Facebook seemed to play down its dangers.

Facebook’s Security Manager Ryan McGeehan went on the record saying that “This finding will only allow one user to send an obfuscated renamed file to another Facebook user. The proof of concept, as is, would not execute on a recipient’s machine without an additional layer of social engineering.” He also underlined the contrived nature of the flaw, saying “At the end of the day, it is more practical for a bad guy to hide an .exe on a convincing landing page behind a URL shortener, which is something we’ve been dealing with for a while.”

It seemed from Ryan’s response that Facebook didn’t see this as a high priority and that it might only get fixed at some time in the future. However, yesterday Nathan updated his blog to report that the flaw has been fixed:

11/01/2011 Vulnerability Fixed

This means that Facebook did take the flaw seriously. Several things can be understood from this:

  1. The flaw wasn’t that hard to fix.
  2. Facebook do actually take security seriously (if not privacy).
  3. There are probably other flaws which Facebook’s internal audits find and are fixed quietly without any notifications.
  4. Facebook doesn’t issue security advisories.

Does Facebook Have a .EXE Upload Vulnerability?

(LiveHacking.Com) – Nathan Power, a security penetration tester from Ohio, has posted details of a flaw in Facebook which allows an attacker to upload and send an executable file to another Facebook user via the Facebook ‘Messages’ tab.

Normally Facebook doesn’t allow users to upload and send executables in an attempt to limit the spread of malware via its service.

Nathan analysed the way the messaging service works and discovered that Facebook relies on a parameter (called filename) included in the POST request to detect executable files. To subvert this check and get an .exe file through, Nathan modified the POST request by appending a space to the filename variable, like so: filename="cmd.exe "

The result was that the file was uploaded and sent to the other Facebook user. Of course further work is needed by the attacker to convince the user to run the executable. If the user is unaware that running unknown executables on their computer is dangerous then there are other simpler methods (like plain old simple email) which could be used rather than tweaking Facebook.

ZDNET have a response from Facebook’s Security Manager Ryan McGeehan:

This finding will only allow one user to send an obfuscated renamed file to another Facebook user. The proof of concept, as is, would not execute on a recipient’s machine without an additional layer of social engineering. Beyond that, we are not going to rely solely on string matching as a protective measure, since zip files and other things could also have unpredictable behaviors when sent as an attachment.

We are AV scanning everything that comes through as a secondary measure, so we have defense in depth for this sort of vector. This puts us at a similar level of protection as most webmail providers who deal with the similar risk, and this finding is a very small part of how we protect against this threat overall. At the end of the day, it is more practical for a bad guy to hide an .exe on a convincing landing page behind a URL shortener, which is something we’ve been dealing with for a while.
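The trailing-space bypass described above, and the defence-in-depth point in Facebook’s response, as an added example that is not code from the article, from Nathan Power or from Facebook: a naive extension check that “cmd.exe ” slips past, beside a hardened check that normalizes the filename and also inspects the first bytes of the content. The blocklist, the normalization rules and the PE magic-byte check are assumptions of this example, standing in for whatever Facebook actually used.

```python
# Constructed blocklist of extensions the upload handler refuses to accept.
BLOCKED_EXTENSIONS = {"exe", "com", "scr", "bat", "cmd", "pif"}

# DOS/PE header that every Windows executable starts with.
PE_MAGIC = b"MZ"


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1] if "." in name else ""


def naive_is_blocked(filename: str) -> bool:
    """Fragile check: compares the raw extension exactly as the client sent it.

    "cmd.exe " (trailing space) yields the extension "exe ", which is not in
    the blocklist, so the upload is allowed. This mirrors the bypass described
    in the article.
    """
    return _extension(filename) in BLOCKED_EXTENSIONS


def normalize_filename(filename: str) -> str:
    """Remove the variations a client can introduce in the filename parameter.

    Strips leading/trailing Unicode whitespace, drops directory components,
    removes trailing dots and spaces (Windows ignores them when saving) and
    lowercases the result.
    """
    name = filename.strip().replace("\\", "/").rsplit("/", 1)[-1]
    return name.rstrip(". \t").lower()


def hardened_is_blocked(filename: str, content: bytes) -> bool:
    """Defence in depth: normalized extension check plus a content check.

    The extension check now catches "cmd.exe ", "CMD.EXE." and "x\\cmd.exe";
    the magic-byte check catches an executable renamed to, say, "report.pdf",
    which a name-only check can never see.
    """
    if _extension(normalize_filename(filename)) in BLOCKED_EXTENSIONS:
        return True
    return content.startswith(PE_MAGIC)
```

The content check is the cheap, in-process counterpart of the AV scan Facebook describes as its secondary measure: it catches what the filename check cannot, and neither alone is sufficient.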

Facebook Adds Malware Detection In Partnership With Websense

(LiveHacking.Com) – Facebook has partnered with Websense (a web security company) to protect its users from links that lead to malware and malicious sites. Now when a Facebook user clicks on a link it will be automatically checked against Websense’s database. If Websense think the link is malicious then the user will be warned and offered the choice to return to Facebook, find out more or continue (at their own risk).

“Facebook cares deeply about protecting users from potentially malicious content on the internet,” said Dan Rubinstein, Facebook product manager for Site Integrity. “We are excited about our partnership with Websense to provide industry leading tools to help our users protect themselves.”

The use of Websense’s ThreatSeeker Cloud technology builds on Facebook’s existing database of dubious links, with the idea being the bigger the blacklist the safer the users.

“Websense has been analyzing and classifying the internet for more than 15 years, and now all Facebook users will be protected by the same core technology that is used in the market-leading Websense TRITON™ enterprise security solutions,” said Dan Hubbard, Websense Chief Technology Officer. “Every day, Websense Security Labs™ works to discover, investigate, and report on advanced internet threats that are designed to circumvent antivirus products. By providing real-time protection from malware, spyware, inappropriate content, data leaks, and spam, we make it safe for people and businesses to use the web.”

Facebook Change Privacy Controls – Again

(LiveHacking.Com) – Facebook, the popular social media network, has redesigned its privacy controls allowing users to manage the sharing setting for each and every item posted online. Facebook has often been criticized over its security and privacy policies especially since it has more than 750 million active users who are posting, often personal, details to the site.

According to the blog post one of the most common privacy complaints was that users were unsure who could see their postings and that these settings could be clearer across the whole Facebook site.

To make the system more straightforward, Facebook are moving most of the privacy controls from the settings page to right next to the posts, photos and tags they affect.

Other changes include:

  • In-line controls – each item on a user’s wall has individual privacy options, such as public, friends and custom
  • Tag takedown – the ability to remove tags of yourself, ask the person who tagged you to remove them, or block the tagger
  • Universal tagging – users can tag anyone, not just Facebook friends; the other person can choose not to accept the tagged post on their profile
  • Location tagging – geographic locations can be added in all versions of Facebook, not just the mobile app
  • Profile view – the option to see how others view your profile is added above the news feed

The new privacy options will begin to be rolled out across the site from Thursday 25 August.

Facebook Launches its Official Security Guide

(LiveHacking.Com) – Facebook has published its official security guide: Own Your Space. The new twenty page PDF document is a guide to Facebook security for young adults, parents, and educators and covers:

  • How to protect your Facebook account
  • Avoiding the scammers
  • Using the advanced security settings
  • Recovering a hacked Facebook account
  • How to stop imposters

Facebook is a notorious place for security problems (see here and here) and, in the past, has failed spectacularly to understand the privacy issues of its users. This PDF is a long overdue attempt to help the social media giant’s nearly 500 million users understand, recognize and avoid the multitude of scams posted to Facebook every day.

Microsoft Finds Vulnerabilities in Picasa and Facebook

(LiveHacking.Com) – Microsoft’s Vulnerability Research team has posted details of two vulnerabilities, one in Google’s Picasa photo editing and sharing application that could potentially allow remote code execution, and one on Facebook.com that could lead to account compromise.

The problem in Picasa, which affects Picasa for Windows version 3.6 build 105.61 and earlier, exists in the way that Picasa handles certain specially crafted JPEG images. An attacker could exploit this vulnerability to cause Picasa to exit unexpectedly and execute arbitrary code. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Vulnerability Research reported this issue to Google in private and, as a fix is now available, it can disclose the details of the problem.

With Facebook, a vulnerability exists in the way that Facebook.com had previously implemented protection against clickjacking attacks. An attacker could exploit this vulnerability to circumvent Facebook privacy settings and expose potentially sensitive user information. An attacker who successfully exploited this vulnerability could take complete control of a user’s Facebook.com account and could perform any action on behalf of the user, such as read potentially sensitive data, change data, and delete contacts.

As with Google, Microsoft Vulnerability Research reported this issue to Facebook in private and it has now been fixed.