Many Facebook apps lack simple security checks

One important question surrounding consumer use of third-party social applications has always been security: how do social networks like Facebook keep security quality high among tens of thousands of applications (especially when many of them are written by inexperienced or non-commercial programmers)? Facebook is known for taking privacy and security extremely seriously, yet the Platform is highly valued by developers because of the detailed access to user profiles and friend lists it allows.

“Social hacker” theharmonyguy, who has identified security lapses in some of the most widely used Facebook and OpenSocial applications, is one developer taking the “white hat” approach (helping app developers fix things before going public). In a recent post, he describes how simple tactics like placing FBML in query strings could lead to injection attacks – in other words, an easy way for malicious parties to place potentially harmful code inside Facebook applications.

Many applications, including popular ones, will render messages on a page by adding a query string. The problem is that the canvas page then takes the query string parameter and inserts it without any filtering. That allows a hacker to insert FBML into the parameter, which will then be rendered by the application – I’ve inserted iframes into several apps. I’m not exactly sure how much of a security issue this is, since something like an iframe can’t easily spoof application authentication parameters, but it certainly seems like a problem waiting to happen. Furthermore, in one OpenSocial application, I used this same technique to insert HTML/JavaScript into pages. Take note: any input parameters that are rendered in a page should be escaped first to avoid injection attacks.
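The pattern theharmonyguy describes is reflected markup injection: a canvas page copies a query-string parameter into its output unchanged. The following is an added illustration, not code from the article or from any of the applications mentioned; it models a generic canvas page that echoes a hypothetical `msg` parameter, shows the unescaped rendering beside the escaped one, and goes one step beyond the quoted fix by also showing an allow-list variant where the parameter selects a fixed message instead of supplying free text. Both the sample query strings and the `example.invalid` host are constructed for the demonstration.

```python
import html
from urllib.parse import parse_qs

# Constructed sample inputs: a legitimate message and one carrying an iframe tag
# (the percent-encoding is what a browser would send for '<', '"', '/' and '>').
BENIGN = "msg=Your+poke+was+sent"
INJECTED = "msg=Hello+%3Ciframe+src%3D%22http%3A%2F%2Fexample.invalid%2F%22%3E%3C%2Fiframe%3E"

# Hypothetical allow-list: the page only ever needs to show a handful of notices,
# so the parameter can name one of them instead of carrying arbitrary text.
NOTICES = {
    "poke_sent": "Your poke was sent",
    "friend_added": "Friend request sent",
}


def message_param(query_string: str) -> str:
    """Extract the first 'msg' value from a raw query string ('' if absent)."""
    return parse_qs(query_string).get("msg", [""])[0]


def render_unescaped(query_string: str) -> str:
    """The vulnerable pattern: the parameter is pasted into the markup verbatim."""
    return f"<div class='notice'>{message_param(query_string)}</div>"


def render_escaped(query_string: str) -> str:
    """The fix the post recommends: escape the parameter before it reaches the page.

    html.escape turns '<', '>', '&' and (with quote=True) quotes into entities, so
    the browser shows the text rather than interpreting it as tags. Note that this
    is the escaping for an HTML text node; a value placed inside an attribute, a
    URL or a script block needs the escaping rules of that context instead.
    """
    return f"<div class='notice'>{html.escape(message_param(query_string), quote=True)}</div>"


def render_by_id(query_string: str) -> str:
    """Allow-list variant: the parameter picks a known notice; anything else is dropped.

    No user-supplied text reaches the page at all, so there is nothing to escape.
    """
    text = NOTICES.get(message_param(query_string), "")
    return f"<div class='notice'>{text}</div>"


def contains_injected_markup(rendered: str) -> bool:
    """Crude check used here only to show whether injected tags survive rendering."""
    lowered = rendered.lower()
    return "<iframe" in lowered or "<script" in lowered


if __name__ == "__main__":
    for label, fn in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        out = fn(INJECTED)
        print(f"{label:9s} injected-tag-survives={contains_injected_markup(out)}  {out}")
    print("allow-list", render_by_id("msg=poke_sent"), render_by_id(INJECTED))
```

Running the block prints the vulnerable rendering with a live iframe tag, the escaped rendering where the same input has become inert text, and the allow-list rendering where unknown values produce an empty notice. The escaped version is the direct fix for the pattern in the quote; the allow-list version is preferable whenever the page only needs to display a fixed set of messages, because it removes the untrusted text from the output entirely rather than relying on context-correct escaping.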

Many Facebook apps, just like many websites, are susceptible to simple tactics like this. But inside Facebook, security lapses in applications could lead to a lack of trust in Facebook itself. And while holes in kissing or friend-comparing apps may just lead to embarrassment, security holes in financial services applications could lead to more significant consequences – like identity theft.

“Social network environments dramatically increase the social engineering risk,” said Scott Mitic, Founder and CEO of identity theft prevention company TrustedID. “However, this is not unique to Facebook. In fact, I’m not aware of any identity theft issues from the way Facebook handles personal information right now. However, things do get more risky when dealing with gateways to the financial world.”

According to Mitic, peer-to-peer lending applications within Facebook and other social networks are the apps most likely to be targets for potential hackers. Preventing back-door access to private accounts under the guise of a trusted platform, service, or friend will be an increasingly important security problem in the coming months and years. As previously reported, Facebook is launching an in-house payment platform so that developers don’t have to solve these problems themselves.

Facebook’s Terms of Service say that, “ALL USE OF THE FACEBOOK PLATFORM IS PROVIDED ‘AS IS’ AND AT YOUR OWN RISK.” Hopefully, technologists like theharmonyguy will help developers keep their apps secure; a major application security breach would be bad for everyone involved.


6 Responses to “Many Facebook apps lack simple security checks”

  1. Social Hacking » Blog Archive » SuperPoke Injection Vulnerability says:

    [...] morning I randomly came across an old article on Inside Facebook that quoted yours truly on application security.  In the quote, I described injecting FBML into [...]

  2. Social Hacking » Blog Archive » Facebook Platform Privacy Issues says:

    [...] build applications secure enough for handling personal information. Unfortunately, many developers overlook basic security measures. Once again, this issue can be thorny, but solving it starts with educating developers. Also, [...]

  3. Social Media Security » Facebook Platform Privacy Issues says:

    [...] build applications secure enough for handling personal information. Unfortunately, many developers overlook basic security measures. Once again, this issue can be thorny, but solving it starts with educating developers. Also, [...]

  4. Social Media Security » SuperPoke XSS Vulnerability says:

    [...] morning I randomly came across an old article on Inside Facebook that quoted yours truly on application security.  In the quote, I described injecting FBML into [...]

  5. guinevere says:

    Facebook IS lack of your security!
    The use of spyware they place in your profile, is from facebook!
    The apps ARE spyware!
    Facebook, gives you people as friends, when you didn’t ask for them, and they don’t confirm with you, and yes privacy settings are all in strict order, and don’t respond to your pleas!
    Privacy and security by facebook to their members is an absolute joke!

  6. TMP – TrustedID Identity Theft Blog: Identity Theft Protection » Blog Archive » Is Facebook Secure? says:

    [...] (many of which are written by inexperienced or non-commercial programmers). According to InsideFacebook.com, Facebook takes privacy and security very seriously, yet the Platform is highly valued by [...]
