Wednesday, August 8th, 2007

Facebook JavaScript and Security

Category: Social Networks

Neil Mix was skeptical that FBJS could be secure. He then quickly found a couple of holes but didn’t disclose them until he had chatted with the Facefolk.

Neil is publishing the exploits after they are fixed. What a nice white hat he wears:

Facebook Security Hole #1:

The first security hole was the easiest and least interesting hack. It bypasses access control #1 by making use of an old, arcane behavior of the setTimeout method, namely that you can pass a string as the code to execute:

```javascript
setTimeout("alert('arbitrary JavaScript')", 1);
```

Facebook (or more specifically Marcel Laverdet) fixed this by checking the datatype of the first argument to setTimeout.

Facebook Security Hole #2

Neil got access to running arbitrary code via the Function constructor.

```javascript
var F = (function(){}).constructor;
var exploit = new F("alert('arbitrary code')");
exploit();
```

The fix was simple:

```javascript
Function.prototype.constructor = null;
```

Neil has four more in the bag, so hopefully we will see them as soon as Facebook fixes them. It is good to see the community working with Facebook on the issues, instead of just throwing up their arms.

Posted by Dion Almaer at 5:51 am
10 Comments »

That means the black hat hackers were afraid of the CIA if they didn’t try anything fishy on FB?

Comment by Adrian — August 8, 2007

what about:
=============
var exploit = new Function("alert('arbitrary code')");
exploit();
=============
that’s what Neil did, but in a long way. :/

Comment by Matjaž — August 8, 2007

Matjaz: Take a moment to read up on what FBJS is and how it works, the need for acrobatics will become clearer then. FBJS rewrites the code so that all global accesses are prefixed by an identifier unique to your application. Any reference to the global “Function” gets rewritten to something like “asdf_Function”. So it’s not as simple as what you propose, hence the “long way” (which has since been fixed by Facebook).

Comment by Neil Mix — August 8, 2007

I imagine FB are going to have to step very, very carefully to prevent XSS-style holes in this service. Fortunately they have Joe Hewitt on their side. ;)

Comment by Scott Schiller — August 8, 2007

just posted in my blog …

delete Function;(this.Function||parent.Function)("alert('safe?')")();

Comment by Andrea Giammarchi — August 8, 2007

uhm … above behaviour is correct only in a sandbox (but it works with FireFox, every time)

Comment by Andrea Giammarchi — August 8, 2007

Where can I get the demo?

Comment by atshya — August 9, 2007

I need some help. Can anyone tell me how I can use JavaScript with Facebook? I cannot even use alert(). Please explain as well.

Comment by zaheer — August 9, 2007

I cannot use facebook properly, it keeps telling me to upgrade the javascript, how do i do this ?

Comment by KirstenLeanneFaux — April 23, 2008

I’m 12 years old, and what is this?

Comment by Ectara — December 2, 2009
