As the security researcher moves further down the leaderboard

Sep 7, 2009 12:02 GMT

A Web security researcher going by the handle "theharmonyguy" has continued to probe popular Facebook applications for vulnerabilities as part of an initiative called "Month of Facebook Bugs." LivingSocial, Movies, Farm Town and RockYou Live were all found to have cross-site scripting weaknesses.

As we previously reported, theharmonyguy declared the month of September the "Month of Facebook Bugs," promising to disclose a vulnerability in a Facebook Application every day. This initiative was based on a similar effort undertaken by security researcher Aviv Raff during August with Twitter clients.

Both white-hat hacking campaigns aim to raise awareness of a new type of attack dubbed "cross-Web2.0 scripting," in which a website is compromised by exploiting a vulnerability in a third-party application that uses its API.

After starting with weaknesses in "FarmVille" and "Causes," numbers 1 and 2 on the Facebook Application Leaderboard, theharmonyguy disclosed similar vulnerabilities in LivingSocial, Movies, Farm Town and RockYou Live. LivingSocial is number 3 on the leaderboard, with 23,688,212 users; Movies from Flixster is number 5, with 19,392,931; Farm Town is in 7th place, with 18,638,429; and RockYou Live's 9,767,698 users place it in 17th position.

This campaign also shows how differently developers respond to security issues. The LivingSocial authors proved the fastest, fixing their issue in under 30 minutes, while Slashkey, the Farm Town developers, were the most thorough, reviewing their entire codebase and encoding all URI parameters to prevent future vulnerabilities.
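The fix credited to Slashkey above is output encoding of URI parameters. As an added illustration, not code from Slashkey, theharmonyguy or any Facebook application, the following Python compares a canvas-style page that echoes a query parameter raw with one that encodes each value for the context it lands in (HTML text, attribute value, URL), plus a small regression check of the kind a codebase review could run over rendered output. The query string, parameter names and page template are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed sample query string, of the kind a canvas page receives.
# The "name" value carries HTML markup; "next" carries a path with URL
# metacharacters. Both are percent-encoded on the wire.
SAMPLE_QUERY = "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E&next=%2Fhome%3Fref%3D1"


def first_param(query_string: str, key: str) -> str:
    """Return the percent-decoded value of `key`, or "" if it is absent."""
    return parse_qs(query_string, keep_blank_values=True).get(key, [""])[0]


def render_unencoded(query_string: str) -> str:
    """Vulnerable pattern: the decoded parameter is interpolated straight
    into HTML, so any markup in the value becomes part of the page."""
    return f"<h1>Welcome, {first_param(query_string, 'name')}</h1>"


def render_encoded(query_string: str) -> str:
    """Hardened pattern: every dynamic value is encoded for the context it
    is placed in. html.escape(quote=True) covers HTML text and attribute
    values; urlencode percent-encodes values placed in a URL query."""
    name = first_param(query_string, "name")
    nxt = first_param(query_string, "next")
    safe_text = html.escape(name, quote=True)           # HTML text context
    safe_attr = html.escape(name, quote=True)           # attribute value context
    redirect = "/redirect?" + urlencode({"to": nxt})    # URL query context
    safe_href = html.escape(redirect, quote=True)       # URL inside an attribute
    return (
        f"<h1>Welcome, {safe_text}</h1>\n"
        f'<input type="hidden" name="user" value="{safe_attr}">\n'
        f'<a href="{safe_href}">continue</a>'
    )


def echoes_raw_markup(rendered: str, value: str) -> bool:
    """Regression check: True when a value containing HTML metacharacters
    reached the rendered output unchanged, i.e. encoding was skipped."""
    has_metachars = any(c in value for c in '<>"\'&')
    return has_metachars and value in rendered


if __name__ == "__main__":
    raw = first_param(SAMPLE_QUERY, "name")
    print("vulnerable:", echoes_raw_markup(render_unencoded(SAMPLE_QUERY), raw))
    print("hardened:  ", echoes_raw_markup(render_encoded(SAMPLE_QUERY), raw))
    print(render_encoded(SAMPLE_QUERY))
```

The check in `echoes_raw_markup` is deliberately simple: it only confirms that a value with metacharacters did not survive verbatim, which is enough to catch the "forgot to encode" class of defect during a review like the one Slashkey describes, but it does not replace context-aware templating.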

Flixster took rather long to patch its Movies application, exceeding the 24-hour courtesy the researcher extended to everyone. RockYou! was the least responsive, failing to communicate with the researcher directly; instead, it appears to have been reached by a Facebook security contact and silently patched the vulnerability.

The researcher has also responded to some of the questions that have come up since he launched the initiative. He explains that all of these attacks allow hijacking a user's session credentials, which can then be used to perform all sorts of actions on their behalf, including accessing private information and pictures in their profile and their friends' profiles. Posting notifications containing links on their wall is also possible and could be used to launch a self-replicating social-networking worm.

Theharmonyguy also points out that, even though the vulnerabilities he found have been patched, that doesn't mean those applications have no others that have yet to be discovered. "As long as the Platform remains in its current configuration, application-based attacks (FAXX = Facebook Application XSS/XSRF) will continue to be possible," he writes.

The researcher has also responded to those who questioned his ability to come up with one vulnerability per day for the entire month. "I started by focusing on the most popular applications, meaning hundreds if not thousands have yet to be tested. Based on my experiences so far, I’m fairly confident that I will find 30 vulnerabilities by the time September finishes," he notes.