Oct 5, 2010 07:01 GMT  ·  By

Researchers from a French security consultancy called Wargan Solutions have discovered three cross-site request forgery (CSRF) and two cross-site scripting (XSS) vulnerabilities on Facebook and used them to build two proof-of-concept information-stealing worms.

CSRF vulnerabilities are exploited by forcing a user's browser to silently perform an unauthorized action on a site where that user is already authenticated; because the browser attaches the site's cookies to any request, the site cannot tell a forged request from a genuine one by the session alone.

To protect against such attacks, websites issue secret, per-user tokens (nonces) that must be submitted along with a state-changing request for it to be accepted. A page on another origin cannot read the token, so a forged request fails validation.

Facebook uses not one but two such tokens, called "post_form_id" and "fb_dtsg", to secure almost all actions, such as wall posts, comments, messages, changes to security settings and so on.

The site allows users to see how their own profile would appear to another person, as long as they know that person's ID (a unique number).

This feature can be accessed by going to http://www.facebook.com/profile.php?v=wall&viewas=<viewer_id> and as it turns out, the source code of this page would reveal the selected viewer's "post_form_id" token.

To sum it up, an attacker can learn the "post_form_id" of virtually anyone as long as they know their ID.

The attacker therefore needs a way to harvest user IDs, and the second CSRF flaw, located on the m.facebook.com mobile site, provides one.

It turns out that the "Like" script on this mobile version of Facebook is not protected with an anti-CSRF token.

This means that logged-in users can be forced to "like" an attacker's post without their knowledge, thereby revealing their name and ID to the attacker.

However, most actions also require the "fb_dtsg" token; one exception is friend requests sent from the touch.facebook.com site.

This third CSRF flaw can therefore be used to force users to unknowingly befriend the attacker, opening the door to further abuse of data visible only to friends.

Finally, two separate XSS vulnerabilities have been identified on m.facebook.com and touch.facebook.com respectively.

"The impact for these flaws is huge. We have created two different worms in order to demonstrate the potential of these vulnerabilities," the Wargan Solutions researchers write.

"These worms both spread via a Facebook application that silently loads an external malicious script," the team explains.

The first worm steals a victim's personal information from their profile then posts a rogue message on their wall so it can spread to other people.

Meanwhile, the second one can hijack accounts: change the associated email address, reset the password and delete everything in the account.

All vulnerabilities have been reported to Facebook and have since been fixed, but the demonstration can serve as a reminder of how destructive CSRF attacks can be. John Jean (@johnjean) of Wargan Solutions is credited with their discovery.

Watch the videos explaining the two attacks below: