Softpedia
May 19th, 2010, 15:03 GMT · By

Facebook Bug Exposes Users to Dangerous CSRF Attacks

[Image caption: Serious CSRF bug discovered on Facebook]
A security researcher exposed a serious security hole in Facebook, which gave attackers an easy way to force users into unknowingly executing various actions on their accounts. Attacks were reportedly still possible after Facebook announced that the problem was fixed.

The issue, which renders Facebook's CSRF protection useless, was discovered by M. J. Keith, a senior security analyst at cloud-based security solutions provider Alert Logic. According to the company's advisory, the social networking giant was notified about the vulnerability on May 11.

Cross-site request forgery (CSRF) is a type of attack that tricks a victim's browser into sending requests to a website on behalf of a logged-in user. In theory, this can be done remotely by luring the user onto a page containing specially crafted JavaScript code.

In order to protect users against such authorization abuse, which can have serious consequences, websites commonly require a unique token to accompany each request so that its origin can be verified. The Facebook bug discovered by Mr. Keith is, embarrassingly, a failure to check whether requests to Facebook contain the anti-CSRF token at all.

"Facebook uses a token called 'post_form_id' to prevent CSRF attacks. If an attacker created a page with an automatic post and omitted the 'post_form_id' entirely, the server side scripts would not attempt to validate the request and save the submitted values," Alert Logic explains. In other words, "If the user clicked a specially crafted link while signed into Facebook, the attacker would have been able to modify user privacy settings or alter the user’s profile."
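The validation flaw described above, rebuilt as a minimal server-side check. This is an added illustration, not Facebook's or Alert Logic's code; the session store, the `profile_visibility` field and the helper names are constructed for the example.

```python
import hmac
import secrets

# Constructed stand-in for a session store: each session remembers the
# anti-CSRF token that was embedded in the form rendered for it.
SESSIONS = {"sess-abc": {"post_form_id": secrets.token_hex(16)}}


def issue_token(session_id):
    """Token the form for this session should carry (hypothetical helper)."""
    return SESSIONS[session_id]["post_form_id"]


def vulnerable_is_valid(session_id, form):
    """Mirrors the reported flaw: the token is compared only when the field
    is present, so a request that omits 'post_form_id' is accepted unchecked."""
    if "post_form_id" in form:
        return hmac.compare_digest(form["post_form_id"], issue_token(session_id))
    return True  # missing token -> validation skipped (the bug)


def fixed_is_valid(session_id, form):
    """Fail closed: a missing, empty or mismatched token rejects the request."""
    supplied = form.get("post_form_id")
    if not supplied:
        return False
    return hmac.compare_digest(supplied, issue_token(session_id))


def update_privacy(session_id, form, is_valid=fixed_is_valid):
    """State-changing handler: returns the stored setting, or None if rejected."""
    if not is_valid(session_id, form):
        return None
    return {"profile_visibility": form["profile_visibility"]}
```

Passing `is_valid=vulnerable_is_valid` to `update_privacy` reproduces the accepted-without-token behaviour; the default rejects it.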

The advisory notes that Facebook issued a patch for the vulnerability on May 14, and PCWorld reports that a Facebook spokesman reconfirmed the fix at the beginning of this week. However, according to the publication, Mr. Keith was able to prove that attacks were still possible as late as yesterday afternoon (Pacific time).

"Hopefully, if it's not already patched, this privacy flaw - which comes at an embarrassing time for Facebook - will be removed soon," writes Graham Cluley, senior technology consultant at Sophos, who has been running a poll on the topic of quitting Facebook on his blog for the past several days. The results published today show that 60% of his readers (who, truth be told, tend to have a more technical background) are considering closing their accounts on the social networking website over privacy concerns. Another 16% answered that they already had.

Copyright © 2001-2012 Softpedia.