Many Facebook apps lack simple security checks

One important question surrounding consumer use of third party social applications has always been security: how do social networks like Facebook keep security quality high amongst tens of thousands of applications (especially when many of them are written by inexperienced or non-commercial programmers)? Facebook is known for taking privacy and security extremely seriously, yet the Platform is highly valued by developers because of the detailed access to user profiles and friend lists it allows.

“Social hacker” theharmonyguy, who has identified security lapses in some of the most widely used Facebook and OpenSocial applications, is one developer taking the “white hat” approach (helping app developers fix things before going public). In a recent post, he describes how a simple tactic like placing FBML (Facebook's own markup language) in a query string can lead to injection attacks – in other words, an easy way for malicious parties to place potentially harmful markup or code inside Facebook applications:

Many applications, including popular ones, will render messages on a page by adding a query string. The problem is that the canvas page then takes the query string parameter and inserts it without any filtering. That allows a hacker to insert FBML into the parameter, which will then be rendered by the application – I’ve inserted iframes into several apps. I’m not exactly sure how much of a security issue this is, since something like an iframe can’t easily spoof application authentication parameters, but it certainly seems like a problem waiting to happen. Furthermore, in one OpenSocial application, I used this same technique to insert HTML/JavaScript into pages. Take note: any input parameters that are rendered in a page should be escaped first to avoid injection attacks.
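The pattern theharmonyguy describes, reduced to its essentials as an added example (this is not code from the original post or from any real Facebook application): a canvas-style page reads a `msg` parameter from the query string and places it in the markup it returns to the platform. The URL, the `msg` parameter name, the wrapper markup and the iframe payload are all constructed for illustration; the original post only says that iframes were injected, not how. The fix is the one the quote asks for: escape the parameter before it is inserted, so `<`, `>`, `&` and quotes reach the page as text rather than as tags. Because FBML is angle-bracket markup like HTML, the same escaping neutralises injected `fb:` tags as well.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs (hypothetical host and parameter name). The second
# one carries an iframe in the query string, percent-encoded as a browser
# would send it.
BENIGN_URL = "http://apps.example/canvas/?msg=Poke+sent!"
ATTACK_URL = ("http://apps.example/canvas/"
              "?msg=%3Ciframe+src%3D%22http://evil.example/%22%3E%3C/iframe%3E")

WRAPPER_OPEN = '<div class="status">'
WRAPPER_CLOSE = "</div>"


def message_from_query(url: str) -> str:
    """Return the decoded ``msg`` parameter from a canvas URL ('' if absent).

    parse_qs already percent-decodes, so the value is exactly what the
    sender typed: for ATTACK_URL that is a complete <iframe ...> tag.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("msg", [""])[0]


def render_vulnerable(url: str) -> str:
    """The pattern from the quote: insert the parameter verbatim.

    Whatever markup the caller put in the query string becomes part of the
    page that the platform parses and renders.
    """
    return f"{WRAPPER_OPEN}{message_from_query(url)}{WRAPPER_CLOSE}"


def render_escaped(url: str) -> str:
    """The fix: escape before insertion.

    html.escape(quote=True) rewrites & < > " ' as entities, so an injected
    <iframe> or <fb:...> tag is displayed as text instead of being
    interpreted.  This is the only change relative to render_vulnerable.
    """
    safe = html.escape(message_from_query(url), quote=True)
    return f"{WRAPPER_OPEN}{safe}{WRAPPER_CLOSE}"


def injected_markup_survives(rendered: str) -> bool:
    """Check used by the demo: did any angle bracket survive inside the
    wrapper we wrote ourselves?  Any '<' or '>' there came from the
    parameter, so a True result means the page will be parsed as markup
    the developer never intended.
    """
    inner = rendered[len(WRAPPER_OPEN):-len(WRAPPER_CLOSE)]
    return "<" in inner or ">" in inner


if __name__ == "__main__":
    for url in (BENIGN_URL, ATTACK_URL):
        print("url:       ", url)
        print("vulnerable:", render_vulnerable(url))
        print("escaped:   ", render_escaped(url))
        print()
```

Running the block prints both renderings for each URL; for the attack URL the vulnerable version contains a live `<iframe ...>` element while the escaped version shows the same characters as literal text. The check at the end is deliberately crude (it only looks for angle brackets inside the developer's own wrapper) and is there to make the difference visible, not to serve as a filter: the defence is the escaping call, applied to every parameter at the point where it is written into the page.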

Many Facebook apps, just like many websites, are susceptible to simple tactics like this. But inside Facebook, security lapses in applications could lead to a lack of trust in Facebook itself. And while holes in kissing or friend-comparing apps may just lead to embarrassment, security holes in financial services applications could lead to more significant consequences – like identity theft.

“Social network environments dramatically increase the social engineering risk,” said Scott Mitic, Founder and CEO of identity theft prevention company TrustedID. “However, this is not unique to Facebook. In fact, I’m not aware of any identity theft issues from the way Facebook handles personal information right now. However, things do get more risky when dealing with gateways to the financial world.”

According to Mitic, peer to peer lending applications within Facebook and other social networks are the apps most likely to be targets for potential hackers. Preventing back door access to private accounts under the guise of a trusted platform, service, or friend will be an increasingly important security problem in the coming months and years. As previously reported, Facebook is launching an in-house payment platform so that developers don’t have to solve these problems themselves.

Facebook’s Terms of Service say that, “ALL USE OF THE FACEBOOK PLATFORM IS PROVIDED ‘AS IS’ AND AT YOUR OWN RISK.” Hopefully, technologists like theharmonyguy will help developers keep their apps secure; a major application security breach would be bad for everyone involved.


6 Responses to “Many Facebook apps lack simple security checks”

  1. Social Hacking » Blog Archive » SuperPoke Injection Vulnerability says:

    [...] morning I randomly came across an old article on Inside Facebook that quoted yours truly on application security.  In the quote, I described injecting FBML into [...]

  2. Social Hacking » Blog Archive » Facebook Platform Privacy Issues says:

    [...] build applications secure enough for handling personal information. Unfortunately, many developers overlook basic security measures. Once again, this issue can be thorny, but solving it starts with educating developers. Also, [...]

  3. Social Media Security » Facebook Platform Privacy Issues says:

    [...] build applications secure enough for handling personal information. Unfortunately, many developers overlook basic security measures. Once again, this issue can be thorny, but solving it starts with educating developers. Also, [...]

  4. Social Media Security » SuperPoke XSS Vulnerability says:

    [...] morning I randomly came across an old article on Inside Facebook that quoted yours truly on application security.  In the quote, I described injecting FBML into [...]

  5. guinevere says:

    Facebook IS lacking in security!
    The spyware they place in your profile is from Facebook!
    The apps ARE spyware!
    Facebook gives you people as friends when you didn’t ask for them, and they don’t confirm with you, and yes, privacy settings are all in strict order, and they don’t respond to your pleas!
    Privacy and security by Facebook for their members is an absolute joke!

  6. TMP – TrustedID Identity Theft Blog: Identity Theft Protection » Blog Archive » Is Facebook Secure? says:

    [...] (many of which are written by inexperienced or non-commercial programmers). According to InsideFacebook.com, Facebook takes privacy and security very seriously, yet the Platform is highly valued by [...]

Mediabistro, a division of Prometheus Global Media. Copyright © 2014 Mediabistro Inc.