Highlights the risks of trusting third-party apps

Sep 3, 2009 09:53 GMT  ·  By

A Web security researcher has disclosed cross-site scripting weaknesses in the two most popular Facebook applications. He claims to have found similar flaws affecting other apps as well, including an SQL injection vulnerability in a Facebook-verified one.

The self-confessed white hat hacker goes by the online handle of "theharmonyguy" and focuses on social networking application security research. According to his own account, during the month of September, he will be disclosing vulnerabilities in top Facebook applications, following the model of Aviv Raff's "Month of Twitter Bugs" initiative.

During August, the well-known security researcher Aviv Raff disclosed vulnerabilities in various Twitter applications in order to raise awareness of a new type of vulnerability, which he had documented back in May. Dubbed "Cross-Web2.0 Scripting" by Raff, the attack technique involves compromising a website's security by exploiting a vulnerability in a third-party application that is authorized to use its API.

Theharmonyguy's first targets for his "Month of Facebook Bugs" were "FarmVille" and "Causes." These two extremely popular applications are currently ranked number 1 and 2 on Facebook's application leaderboard. FarmVille has a staggering 33,439,207 monthly active users, while Causes has 26,271,410.

Both applications contained cross-site scripting vulnerabilities that could have been exploited to perform a wide range of attacks, from exposing personal information from a user's profile to launching a social networking worm that propagates through clickjacking.

The hacker explains that he notifies application developers about the vulnerabilities he finds 24 hours prior to publishing details about them. So far, the owners of FarmVille and Causes have been quick to react and address the issues, but theharmonyguy promises more will follow, and it is unlikely that all developers will show the same level of responsiveness to his reports.

The researcher claims that a soon-to-be-disclosed vulnerability is an SQL injection flaw found in a Facebook-verified application. Such applications belong to developers who actually paid Facebook to review and promote them. They are subject to multiple evaluation criteria to make sure that they comply with the website's policies and guidelines.

Initiatives like these are welcome, as they educate users about the risks of trusting content originating from third parties just because it is displayed on a website that has a good reputation. "If you are the owner of a service which provides an API, fixing your own website or application vulnerabilities might not be enough," Raff warned back in May.