Security Student

Web App Sec

Facebook Survey

by Alex on Dec.08, 2009, under Education, Facebook, Web App Sec

Facebook Application Security For the User:
A Brief Introduction

Alex Fernandez-Gatti
Eastern Michigan University
College of Technology
Information Assurance Department
Ypsilanti, Mich

Disclaimer:

This document is intended to be a brief introduction to Facebook application security as it relates to user data and the confidentiality of said data. It does not cover all aspects of Facebook security, or Facebook applications. Please do not take it as such.

This document has been written as part of a research study for Eastern Michigan University. All content is property of the author of the study and must be contacted prior to use in other mediums.

Author Information:
Alex Fernandez-Gatti
(248)232-3377
afernan4@emich.edu

Facebook has become the unequivocally dominant container of information volunteered by users of its service like you and me. Status updates, e-mail addresses, phone numbers, birthdays, pets' names, siblings, favorite colors, interests, and significant others are broadcast on one's personal space, which is maintained by the individual it describes. We shout this information to the world and never stop to think about what we are telling people about ourselves. Whether it is our friends, an advertiser, an insurance agency, or a potential employer, this information is available to the public if one does not take the proper precautions to protect it. A majority of us have heard this speech before and have taken the proper precautions of locking down certain albums from Mom and Dad, blocking our ex-boyfriends and ex-girlfriends, and sharing only what we think isn't personally damaging in the here and now. But there's something more that most of us haven't taken a look at before, and that's what the applications we use can do with our information.

In August of 2009 the ACLU (American Civil Liberties Union) created a Facebook quiz application that asked users a series of questions regarding their knowledge of privacy as it relates to Facebook applications; over 8,000 participants volunteered to take it. Contained within the quiz were various bits of information that were pulled from the user's account whether they were marked as private or not. The methodology for doing this is quite simple, and the developer of the application simply stores the data for use in whatever way they desire. A developer may want to store this information to get a picture of what his audience is so he can charge a higher price to advertisers for the space, or advertisers may collect this data and use it to advertise other products. There is unlimited potential for the gathered information to be used in ways that were originally unintended. The consequence of this information leak is that control over the information is lost.

The results of this research helped fuel a program within Facebook to change the default privacy settings and allow users to control their information more effectively. As it stands, though, if the user is using any application built on the Facebook application platform that does any data collection, the user is not able to totally opt out of sharing information through the Facebook Platform. The only method to totally opt out is to remove all applications from one's profile and then complete the opt-out process. While not perfect, this is a vast improvement from where it was.

Facebook hosts a plethora of information on each of its users, all of it volunteered. Facebook does not, however, ask users to revisit their privacy settings on a consistent basis. And while it is not uncommon knowledge that the default privacy settings are not very private, a good exercise for any Facebook user would be to verify that their account has the level of privacy they desire.

Privacy Settings Location:
1. When logged into your Facebook account, hover your mouse over the word “settings” at the top of the page.
2. Select the word “Privacy”.
3. Click on the fourth selection, “Applications”.
4. Select the “settings” tab above the text displayed on your screen.
5. Verify that the privacy options are as you would like them.

Click here for the 2-question survey! Please take it, it's only 2 questions and will help me graduate! Your support is greatly appreciated!


AT&T Exposes the neck

by Alex on Jul.27, 2009, under Security, Web App Sec

Recently I posted about a malformed URL penetration attempt on my webserver. It didn't work because I had taken steps to prevent attacks like that, such as setting proper permissions on my directories and files, and not using very silly programming practices. However, it seems that AT&T, the creators of System V Unix at Bell Labs, dropped the ball on this little corner of security.

One of their PHP scripts used the QUERY_STRING attribute and, through some very bad programming, was able to do some very fun things. It was able to call any file on the server by simply entering its path on the box. Since paths for most things are commonly known, files like /etc/passwd, which contains the user names and passwords with some low-level encryption, were very vulnerable to access from outside, non-authorized users. All one would have to do once they got this file was run John the Ripper against it and start logging into research.att.com systems. Hell, the attacker could have had access to the employees' personal data through access.att.com, and remotely logged in through the VPN to gain a lot more access than users outside of the network have.

AT&T Research is the new Bell Labs, as Bell Labs was sold off a few years ago to Alcatel Research and is now known as Alcatel-Lucent Bell Labs. AT&T Research is primarily responsible for research and development of network- and system-related products to be delivered to market. Recently they've put out things like the 4G multilevel network protocols and design, and Adaptive Defense technology.

The exploit is simple. Once a vulnerable page has been found, such as:

http://www.research.att.com/areas/visualization/papers_videos/subpage.php?page=

All the attacker would have to do is enter the path for the target file, and the file would be displayed in clear text in the browser.

Example:

http://www.research.att.com/areas/visualization/papers_videos/subpage.php?page=../../../../etc/passwd

AT&T's response to this vulnerability was simply to pull the page down, or at least make it inaccessible to outside users. I'm sure that's not the only page that had this ability, though: if some coder was able to make that big of a mistake in one place, the coder probably copied and pasted the code to another part of the site as well.
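As an added illustration (my code, not the AT&T script or anything from this post), here is the same mistake and its fix written in Python: the script directory, the allow-listed page names and the `.php` suffix are constructed assumptions, and the containment check is what any `page=` handler needs before it touches the filesystem.

```python
import os

# Constructed layout for this example, not the real research.att.com tree:
# the directory the vulnerable script lives in (four levels deep, matching
# the four "../" in the URL above) and the page names it is meant to serve.
SCRIPT_DIR = "/www/areas/visualization/papers_videos"
ALLOWED_PAGES = {"index", "papers", "videos"}


def resolve_page_vulnerable(page):
    """The flaw described above: the query parameter is glued onto the
    script's directory with no check, so "../" walks out of it and an
    absolute path replaces the directory entirely."""
    return os.path.normpath(os.path.join(SCRIPT_DIR, page))


def is_inside(root, candidate):
    """True only if candidate resolves to root or something beneath it.
    realpath collapses ".." and follows symlinks; commonpath (rather than
    startswith) stops "/www/xy" from passing for root "/www/x"."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(candidate)
    return os.path.commonpath([root, candidate]) == root


def resolve_page_safe(page):
    """Hardened handler: accept only an allow-listed page name, build the
    path server-side, and still verify containment as a second layer.
    Returns None when the request must be refused (answer with a 404)."""
    if page not in ALLOWED_PAGES:
        return None
    candidate = os.path.join(SCRIPT_DIR, page + ".php")
    if not is_inside(SCRIPT_DIR, candidate):
        return None
    return os.path.normpath(candidate)


if __name__ == "__main__":
    for requested in ("index", "../../../../etc/passwd", "/etc/passwd"):
        print(f"{requested!r}: vulnerable -> {resolve_page_vulnerable(requested)}, "
              f"safe -> {resolve_page_safe(requested)}")
```

Note that `os.path.join` silently discards the script directory when the parameter is an absolute path, so even a handler that strips `../` stays exposed without the containment check.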

Attribution: Shane Forsythe on the Web Security Mailing list added the reddit link to the mailing list. Reddit is the first place I know of the vulnerability being divulged.

http://www.reddit.com/r/programming/comments/94z5w/att_exposes_etcpasswd_bad_php/


Amateur Hour

by Alex on Jul.19, 2009, under Security, Web App Sec

It seems that someone has tried to gain access to my website by using URL injection, which was amateur at best. The IP address routes to a block owned by a school district in Colorado, leased by Comcast Business. The local time for that area when the attempt was made was 3:36pm. Considering the lack of delay between requests, it also shows that a tool was used to attempt to gain access.

An image of the log file:
http://chaulis.com/images/penattempt.jpg

Nmap output of the IP:
Not shown: 919 filtered ports, 66 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
106/tcp open pop3pw
311/tcp open asip-webadmin
389/tcp open ldap
625/tcp open apple-xsrvr-admin
749/tcp open kerberos-adm
1723/tcp open pptp
3283/tcp open unknown
3306/tcp open mysql
3659/tcp open unknown
5900/tcp open vnc
No OS matches for host

The IP address hosts a website for the school district, though. So either it's some script kiddy in high school trying to deface my site, or it's a server so insecure that it's being used as a proxy. He didn't even look for subdomains on the site, and just went after the Horde mailbox, which doesn't exist, and the WordPress crap. Sucks to be him!
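An added detection example (my code, not from this post; the log lines are constructed, not the linked log image) that turns the two observations above, requests with no delay between them and probes for software the site does not run, into a check over Apache access-log lines; it also flags the `../` traversal pattern from the AT&T post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" log lines (not the log image linked above):
# one client probing well-known paths several times a second, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.9 - - [19/Jul/2009:15:36:01 -0600] "GET /horde/login.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.9 - - [19/Jul/2009:15:36:01 -0600] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.9 - - [19/Jul/2009:15:36:01 -0600] "GET /wordpress/wp-admin/ HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.9 - - [19/Jul/2009:15:36:02 -0600] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Jul/2009:15:40:10 -0600] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jul/2009:15:40:25 -0600] "GET /contact/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Paths a blind scanner tries regardless of what the site actually runs.
PROBE_PATHS = ("/horde", "/wp-login", "/wp-admin", "/phpmyadmin")

def parse(line):
    """Pull client IP, timestamp, request path and status from one line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "path": path, "status": int(status)}

def find_scanners(log_text, burst=3):
    """Return {ip: sorted reasons} for clients that look automated: `burst` or
    more requests inside one second (no human delay), hits on known probe
    paths, or a "../" traversal sequence in the request."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        reasons, per_second = set(), defaultdict(int)
        for r in recs:
            per_second[r["time"]] += 1  # same-second requests: a tool, not a person
            path = r["path"].lower()
            if any(p in path for p in PROBE_PATHS):
                reasons.add("probe-path")
            if "../" in path:
                reasons.add("traversal")
        if max(per_second.values()) >= burst:
            reasons.add("burst")
        if reasons:
            flagged[ip] = sorted(reasons)
    return flagged
```

Running `find_scanners(SAMPLE_LOG)` flags only 203.0.113.9, for all three reasons; raise `burst` if a busy page legitimately fires several requests per second.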
