Ajaxian

Jobs @ Ajaxian

Find a Job, Post a job.

Topics

.NET (63)
Accessibility (46)
Adobe (72)
Advertising (3)
Ajax (359)
Ajaxian.com Announcements (4)
Android (2)
Announcements (83)
Apple (1)
Aptana (20)
Articles (204)
Atlas (5)
Book Reviews (19)
Books (29)
Browsers (138)
Builds (4)
Business (16)
Calendar (12)
Canvas (56)
Chat (22)
Cloud (3)
ColdFusion (10)
Comet (47)
Component (109)
Conferences (22)
CSS (108)
Database (9)
Debugging (19)
Design (13)
Dojo (185)
DWR (16)
Editorial (265)
Email (5)
Examples (149)
Ext (64)
Firefox (72)
Flash (72)
Framework (55)
Fun (59)
Games (53)
Gears (61)
Google (134)
GWT (68)
HTML (33)
IE (109)
Interview (27)
iPhone (43)
Java (140)
JavaScript (984)
jMaki (7)
jQuery (93)
JSON (43)
Library (469)
LiveEdit (5)
LiveSearch (17)
Mac (1)
Mapping (35)
Microformat (3)
Microsoft (34)
Mobile (42)
MooTools (29)
Office (9)
Offline (28)
OpenAjax (5)
Opera (16)
Performance (83)
Perl (8)
PHP (80)
Plugins (5)
Podcasts (33)
Portal (13)
Pragmatic Ajax (2)
Presentation (56)
Programming (134)
Prototype (208)
Python (10)
Qooxdoo (2)
Rails (36)
Recording (7)
Remoting (19)
RichTextWidget (17)
Roundup (13)
Ruby (61)
Safari (43)
Screencast (35)
Scriptaculous (37)
Security (69)
Server (12)
Showcase (644)
Social Networks (15)
Sound (6)
Standards (34)
Storage (3)
Survey (12)
SVG (12)
Testing (37)
The Ajax Experience (63)
TIBCO (24)
Tip (66)
Toolkit (167)
Tutorial (19)
UI (108)
Unobtrusive JS (20)
Usability (74)
Utility (151)
W3C (5)
Web20 (24)
Widgets (10)
Workshop (7)
XmlHttpRequest (41)
Yahoo! (110)

Facebook JavaScript and Security

Neil Mix was skeptical that FBJS could be secure. He then quickly found a couple of holes but didn't disclose them until he had chatted with the Facefolk.

Neil is publishing the exploits after they are fixed. What a nice white hat he wears:

Facebook Security Hole #1:

The first security hole was the easiest and least interesting hack. It bypasses access control #1 by making use of an old, arcane behavior of the setTimeout method, namely that you can pass a string as the code to execute:

PLAIN TEXT

JAVASCRIPT:

setTimeout("alert('arbitrary JavaScript')", 1);

Facebook (or more specifically Marcel Laverdet) fixed this by checking the datatype of the first argument to setTimeout

Facebook Security Hole #2

Neil got access to running arbitrary code via the Function constructor.

PLAIN TEXT

JAVASCRIPT:

var F = (function(){}).constructor;
var exploit = new F("alert('arbitrary code'));
exploit();

The fix was simple:

PLAIN TEXT

JAVASCRIPT:

Function.prototype.constructor = null;

Neil has four more in the bag, so hopefully we will see then as soon as Facebook fixes them. It is good to see the community working with Facebook on the issues, instead of just throwing up arms.

Posted by Dion Almaer at 5:51 am

3.7 rating from 16 votes

9 Comments »

Comments feed TrackBack URI

That means the black hat hackers where afraid of CIA if they didn’t tryed anything fishy on FB?

Comment by Adrian — August 8, 2007

what about:
=============
var exploit = new Function(”alert(’arbitrary code’)”);
exploit ();
=============
that’s what Neil did, but in a long way. :/

Comment by MatjaÅ¾ — August 8, 2007

Matjaz: Take a moment to read up on what FBJS is and how it works, the need for acrobatics will become clearer then. FBJS rewrites the code so that all global accesses are prefix by an identifier unique to your application. Any reference to the global “Function” get rewritten to something like “asdf_Function”. So it’s not as simple as what you propose, hence the “long way” (which has since been fixed by Facebook).

Comment by Neil Mix — August 8, 2007

I imagine FB are going to have to step very, very carefully to prevent XSS-style holes in this service. Fortunately they have Joe Hewitt on their side. ;)

Comment by Scott Schiller — August 8, 2007