
How To Hack Facebook In 51 Seconds  - jmorin007
http://www.alleyinsider.com/2008/3/facebook_hacking_it_can_take_less_than_1_minute
======
brianr
This isn't really hacking Facebook... they're hacking the Moods app, which is
made by HotOrNot.

~~~
BrandonM
Right, but many applications have access to information in your profile (at
least, that's what it says every time you add an application). Couldn't such
vulnerabilities feasibly lead to more serious problems in Facebook itself?

~~~
brianr
You're right, it might be possible to get an insecure application to give you
API-accessible information about some other user (e.g., the application
contains a page that spits out your entire profile on the screen, and you pass
in your target's userid). That information is guarded by a user-specific
session key, so the app would have to store each user's session key on the
server (or have already cached the response) for it to work. A really insecure
application could probably be coerced into making other API calls as well,
like sending notifications or uploading photos.

I guess in that case Facebook might want to look into providing some
vulnerability testing tools to developers, or maybe running tests for them to
find vulnerabilities. It's definitely a hard problem.

------
TheTarquin
There've been some interesting articles on this topic in 2600 the past year or
so. There was one (can't find it at the moment, will post a cite if I can dig
it up) about viewing the information in sealed profiles and another about
using an XSS attack to spoof friends request confirmations.

I don't recall much about the articles, but what I do recall is that, in
each, the author noted that by the time he got the article written, the hole
had been fixed.

Facebook is a big system, with a lot of possible holes, but it seems to be run
by folks who care about security and respond well.

------
rshao
This isn't a facebook hack at all. It's a Moods application hack. Really, it's
the application programmer's fault for not checking if the auth_token received
corresponds to the fb_sig_user. James Hong's Pets application used to have the
same problem, where you could sell other people's items to make money for your
own pet. He just needed to validate his inputs...

And so do most amateur web programmers.

Facebook is pretty secure. Its apps vary.

------
socmoth
The Moods app forgot to verify_sig on that request. I'm betting there are a
lot of Facebook apps like that.

~~~
mariorz
I don't see why there would be a lot. Client libs usually take care of that. I
don't know what these guys are doing here.

~~~
brianr
The client libs handle everything for you if you use FBML, since every request
is proxied by Facebook and has its own signature. If you use an iframe, like
the Moods app and many other popular apps, requests go directly to your
server, so you have to explicitly include and validate a signature for each
request.

It's still not terribly difficult, but most facebook app devs are trying to
churn out apps and features so fast that there's no time for this kind of
detail.
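The check rshao and brianr are describing, as an added example (not code from the thread, from Facebook, or from its client libraries): an iframe app receives fb_sig_* query parameters plus fb_sig, and the legacy Facebook Platform scheme, as the old PHP client library implemented it, computed fb_sig as the MD5 of the prefix-stripped parameters sorted by key, concatenated as key=value with no separator, with the application secret appended. The app secret, user ids, mood payload, in-memory "database" and the 48-hour freshness window below are all constructed for illustration. The unverified handler is the bug the thread describes (it trusts fb_sig_user straight from the request); the verified handler only acts on the user id Facebook actually signed, so editing fb_sig_user to a target's id no longer works.

```python
"""Verify the legacy Facebook Platform request signature on an iframe app.

Everything here is constructed for illustration: the secret, the user ids,
the in-memory "database" and the mood payload are not real values, and the
48-hour replay window is an assumption, not a documented Facebook value.
"""
import hashlib
import hmac
import time

FB_SIG_PREFIX = "fb_sig_"
MAX_AGE_SECONDS = 48 * 60 * 60   # assumed replay window for fb_sig_time


def generate_sig(fb_params, secret):
    """MD5 over "k=v" pairs (prefix stripped, sorted by key) with the secret appended."""
    payload = "".join(f"{k}={fb_params[k]}" for k in sorted(fb_params))
    return hashlib.md5((payload + secret).encode("utf-8")).hexdigest()


def get_valid_fb_params(request_params, secret, now=None, max_age=MAX_AGE_SECONDS):
    """Return the fb_sig_* parameters (prefix stripped) only if fb_sig matches
    and fb_sig_time is recent; return None on any failure so callers cannot
    accidentally act on unverified values."""
    presented = request_params.get("fb_sig")
    if presented is None:
        return None
    fb_params = {
        k[len(FB_SIG_PREFIX):]: v
        for k, v in request_params.items()
        if k.startswith(FB_SIG_PREFIX)
    }
    expected = generate_sig(fb_params, secret)
    # Constant-time compare so the check itself leaks nothing about the digest.
    if not hmac.compare_digest(expected, presented):
        return None
    try:
        signed_at = float(fb_params["time"])
    except (KeyError, ValueError):
        return None
    now = time.time() if now is None else now
    if now - signed_at > max_age:
        return None
    return fb_params


def set_mood_unverified(request_params, db):
    """The bug the thread describes: the handler trusts fb_sig_user as sent."""
    db[request_params["fb_sig_user"]] = request_params["mood"]
    return True


def set_mood_verified(request_params, secret, db, now=None):
    """Hardened handler: act only on the user id that Facebook signed."""
    fb_params = get_valid_fb_params(request_params, secret, now=now)
    if fb_params is None:
        return False
    db[fb_params["user"]] = request_params["mood"]
    return True


def sign_request(fb_params, secret, extra=None):
    """Stand-in for Facebook's side: emit fb_sig_* params and a matching fb_sig.
    Test scaffolding only; an app never signs with its own secret like this."""
    request = {FB_SIG_PREFIX + k: v for k, v in fb_params.items()}
    request["fb_sig"] = generate_sig(fb_params, secret)
    request.update(extra or {})
    return request


def demo(now=1_205_000_000.0):
    """Run a legitimate, a tampered and a stale request through both handlers.
    Returns {name: (unverified_db, verified_accepted, verified_db)}."""
    secret = "constructed-app-secret"
    legit = sign_request({"user": "1001", "time": str(now)}, secret,
                         extra={"mood": "happy"})
    tampered = dict(legit, fb_sig_user="2002")   # attacker swaps in the target's id
    stale = sign_request({"user": "1001", "time": str(now - 3 * 24 * 3600)}, secret,
                         extra={"mood": "happy"})
    results = {}
    for name, req in [("legit", legit), ("tampered", tampered), ("stale", stale)]:
        unverified_db, verified_db = {}, {}
        set_mood_unverified(req, unverified_db)
        accepted = set_mood_verified(req, secret, verified_db, now=now)
        results[name] = (dict(unverified_db), accepted, dict(verified_db))
    return results


if __name__ == "__main__":
    for name, (unverified_db, accepted, verified_db) in demo().items():
        print(f"{name:9s} unverified wrote {unverified_db}; "
              f"verified {'accepted' if accepted else 'rejected'} {verified_db}")
```

The two handlers differ in one line: the hardened one reads the user id from the dictionary that came back from get_valid_fb_params, never from the raw request, which is the discipline that makes "validate his inputs" concrete. The freshness check matters too, because a valid signed request can otherwise be replayed indefinitely by anyone who captured it.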

------
philippp
Web applications, especially amateurish ones, are insecure. I'm sure there are
bigger sploits in FB itself.

------
earle
Does this really surprise anyone?

When does security as an afterthought ever work?

------
eusman
Quality in news is really decreasing.

