
Wednesday, August 8th, 2007

Facebook JavaScript and Security

Category: Social Networks

Neil Mix was skeptical that FBJS could be secure. He then quickly found a couple of holes but didn't disclose them until he had chatted with the Facefolk.

Neil is publishing the exploits after they are fixed. What a nice white hat he wears:

Facebook Security Hole #1:

The first security hole was the easiest and least interesting hack. It bypasses access control #1 by making use of an old, arcane behavior of the setTimeout method, namely that you can pass a string as the code to execute:

JAVASCRIPT:

  setTimeout("alert('arbitrary JavaScript')", 1);

Facebook (or more specifically Marcel Laverdet) fixed this by checking the datatype of the first argument to setTimeout.

Facebook Security Hole #2

Neil got access to running arbitrary code via the Function constructor.

JAVASCRIPT:

  var F = (function(){}).constructor;
  var exploit = new F("alert('arbitrary code')");
  exploit();

The fix was simple:

JAVASCRIPT:

  Function.prototype.constructor = null;

Neil has four more in the bag, so hopefully we will see them as soon as Facebook fixes them. It is good to see the community working with Facebook on the issues instead of just throwing up their arms.
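Added here as an example, not code from the original post or from FBJS itself: the two guards described above (the datatype check on setTimeout and the nulled Function.prototype.constructor) written as plain JavaScript that runs under Node, so you can watch each hole close. The function names are my own.

```javascript
// Added example, not code from the post or from FBJS; names are my own.

// Guard 1: the datatype check on setTimeout's first argument. Sandboxed
// code gets this wrapper instead of the host's setTimeout, so the legacy
// string form never reaches the host's evaluator.
function guardedSetTimeout(callback, delay) {
  if (typeof callback !== 'function') {
    throw new TypeError('setTimeout: expected a function, got ' + typeof callback);
  }
  return setTimeout(callback, delay);
}

// Probe for hole #1: true when the string form is refused by the wrapper.
function rejectsStringCode(source) {
  try { clearTimeout(guardedSetTimeout(source, 1)); return false; }
  catch (e) { return e instanceof TypeError; }
}

// Probe for hole #2: is value.constructor still the real Function?
function constructorReachesFunction(value) {
  return value != null && value.constructor === Function;
}

// Guard 2: the published fix, Function.prototype.constructor = null, in a
// form that can be undone so it is safe to exercise in a test or REPL. A
// real sandbox applies it once, before untrusted code loads, and engines
// with other function kinds (each with its own prototype) need the same
// treatment there; only Function.prototype is covered here, as in the post.
function neutralizeFunctionConstructor() {
  const original = Object.getOwnPropertyDescriptor(Function.prototype, 'constructor');
  Function.prototype.constructor = null;
  return function restore() {
    Object.defineProperty(Function.prototype, 'constructor', original);
  };
}

// Runs probe() with the fix in place and always restores afterwards.
function withFixApplied(probe) {
  const restore = neutralizeFunctionConstructor();
  try {
    return probe();
  } finally {
    restore();
  }
}
```

With the fix applied, `constructorReachesFunction(function () {})` turns from true to false, which is exactly the path hole #2 relied on.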


Posted by Dion Almaer at 5:51 am

10 Comments »


That means the black hat hackers were afraid of the CIA if they didn't try anything fishy on FB?

Comment by Adrian — August 8, 2007

what about:
=============
var exploit = new Function("alert('arbitrary code')");
exploit();
=============
that's what Neil did, but in a long way. :/

Comment by Matjaž — August 8, 2007

Matjaz: Take a moment to read up on what FBJS is and how it works; the need for acrobatics will become clearer then. FBJS rewrites the code so that all global accesses are prefixed by an identifier unique to your application. Any reference to the global "Function" gets rewritten to something like "asdf_Function". So it's not as simple as what you propose, hence the "long way" (which has since been fixed by Facebook).

Comment by Neil Mix — August 8, 2007

I imagine FB are going to have to step very, very carefully to prevent XSS-style holes in this service. Fortunately they have Joe Hewitt on their side. ;)

Comment by Scott Schiller — August 8, 2007

just posted in my blog …

delete Function;(this.Function||parent.Function)("alert('safe?')")();

Comment by Andrea Giammarchi — August 8, 2007

uhm … above behaviour is correct only in a sandbox (but it works with Firefox, every time)

Comment by Andrea Giammarchi — August 8, 2007

Where can I get the demo?

Comment by atshya — August 9, 2007

I need some help. Can anyone tell me how I can use JavaScript with Facebook? I cannot even use alert(). Please explain as well.

Comment by zaheer — August 9, 2007

I cannot use Facebook properly; it keeps telling me to upgrade the JavaScript. How do I do this?

Comment by KirstenLeanneFaux — April 23, 2008

I’m 12 years old, and what is this?

Comment by Ectara — December 2, 2009
