Facebook vs Privacy

February 10, 2009 – 7:44 pm

Let me start (the post) by saying, I WILL FINISH THIS POST.

I need to do that because I have no fewer than 12 partially written posts sitting in draft form and a netsec post for NerdParadise waiting at about 70% complete. Additionally, beyond just needing to get some new content out, this post will give me a few moments to be grumpy about Facebook, which is a good thing in my book…

Okay, Go.

Allow me to start (the content) with a little bit of background: last semester I took network security, and we had to do a project relevant to the course material. Working with a friend of mine, we decided to analyze personal information leakage on standard WiFi by way of session sidejacking and had a grand old time breaking into each other's Facebook, Google (Mail, Calendar, Documents, Chat), LiveJournal, etc. We finished the project, wrote a bit of a script that collected data from the network flow, automated the attack, and dropped data into collections sorted by IP (roughly, one per individual). All that fed into a write-up with a brief discussion of ways this could be prevented or the damage controlled (HTTPS, or a hack I came up with to create a secure channel over HTTP), and the semester finished.

See? Just a little background... now, moving on.

For some reason I was thinking today about this project and I remembered a couple of old articles on Beacon regarding privacy, by Stefan Berteau and Jay Goldman. Both are good articles but neglect to mention that any website[0] making use of Beacon also leaks enough information to allow your Facebook account to be compromised.

Sounds awfully dramatic, doesn't it? Depending on where you stand it's either dreadful or just a little annoying. As far as compromises go, though, it's probably not a worst-case scenario:

  • All your messages will be exposed
  • Social connections can be mined
  • Personal contact info (e-mail, phone #, address, birth date, hometown, etc) is available
  • Third-party applications can be installed

Any changes to e-mail or passwords, viewing credit cards, etc. require password re-authentication, so the Big Things are still protected. The biggest threat I can see is that a third-party app that somehow tracks you, phones home, or installs malware might be added to your account. To really address that I'd need to take a look into the FB API, which I don't care enough to do. If anybody else does, please let me know what you decide. =) Actually pulling this off isn't that difficult: all you have to do is get on a shared WiFi network, start sniffing traffic, look for a Beacon call [1], and pull the cookies off of that request. These cookies are what you use for the sidejacking and you're off to the races.

I can already foresee three potential comments about this: (1) But I use Facebook only via HTTPS, doesn't that protect me? (2) But I tell Facebook not to remember me, doesn't that protect me? (3) But … I forgot.

(1) No, it doesn't, for two reasons. First, even when you view Facebook over HTTPS there are some cases in which it will load parts of a page (images, if I recall correctly) over an HTTP link, which hoses your protection from HTTPS. Second, this totally misses the point, which is that this particular attack is possible on websites other than Facebook. That is to say, you can compromise access to your FB account by going to a Beacon partner site.
(2) No. From our tests, telling Facebook not to remember you doesn't protect you completely. The way this attack works is to make Facebook think that the attacker is you, that you haven't left the site and that its connection with you wasn't "interrupted."
(3) I'll get to you later…
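To make the cookie mechanics behind the attack description and answer (1) concrete, here is an added Python example (mine, not code from the original post or from our class script) that simulates the rule a browser applies when deciding whether to attach a cookie to a request. The domain, cookie names and URLs are constructed placeholders, not Facebook's; it shows that a session cookie set without the Secure attribute rides along on a cleartext Beacon call or an HTTP-loaded image, while a cookie carrying Secure never leaves over plain HTTP.

```python
"""Simulated browser cookie-attachment rule: a cookie is sent to any request
whose host and path match it, unless the cookie has the Secure attribute and
the request is not HTTPS. Everything below is constructed sample data."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers (hypothetical domain and cookie names):
# the first is how a 2009-era session cookie looked; the second adds Secure.
SET_COOKIE_HEADERS = [
    "sess_id=abc123; Domain=.example-social.com; Path=/; HttpOnly",
    "sess_id_secure=def456; Domain=.example-social.com; Path=/; Secure; HttpOnly",
]

# Constructed request URLs: a Beacon-style call made from a partner page over
# HTTP, an HTTPS page on the site itself, and an image loaded over plain HTTP.
BEACON_HTTP = "http://www.example-social.com/beacon/action_toast.php?action_name=queue"
HTTPS_HOME = "https://www.example-social.com/home.php"
HTTP_IMAGE = "http://static.example-social.com/img/logo.png"


def parse_cookies(headers):
    """Turn Set-Cookie headers into dicts with the attributes that matter here."""
    out = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            out.append({
                "name": name,
                "domain": morsel["domain"].lstrip(".").lower(),
                "path": morsel["path"] or "/",
                "secure": bool(morsel["secure"]),   # True only if the flag was set
            })
    return out


def cookies_sent(cookies, url):
    """Names of cookies a browser would attach to a request for url."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    sent = []
    for c in cookies:
        if host != c["domain"] and not host.endswith("." + c["domain"]):
            continue                                # domain does not match
        if not parts.path.startswith(c["path"]):
            continue                                # path does not match
        if c["secure"] and parts.scheme != "https":
            continue                                # Secure cookie stays off cleartext
        sent.append(c["name"])
    return sent


def cleartext_leaks(cookies, urls):
    """Cookie names that would travel in the clear on any of the http:// urls."""
    return sorted({n for u in urls if urlsplit(u).scheme == "http"
                   for n in cookies_sent(cookies, u)})
```

Running `cleartext_leaks(parse_cookies(SET_COOKIE_HEADERS), [BEACON_HTTP, HTTPS_HOME, HTTP_IMAGE])` reports only the non-Secure cookie, which is exactly what a sniffer on the shared network would see.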

This post would be incomplete without thinking a little bit about how much this increases your exposure and, honestly, I'm not sure it does. My reasoning is that even though Facebook has many Beacon partners, the actual use of any one of those partners is probably relatively small compared to the amount of time spent on, and requests made directly to, the Facebook service, which has the same problem. That said, even though this is a nifty trick, it's unlikely to cause any more problems than FB is already causing.

[0] There are quite a few, according to Wikipedia.
[1] it will be a request to a facebook.com server to /beacon… something like this – /beacon/action_toast.php?action_name=queue&urls=%5B%22http%3A%5C%2F%5C%2Fwww.epicurious.com%5C%2Frecipes%5C%2Ffood%5C%2Fviews%5C%2FRed-Velvet-Cake-with-Raspberries-and-Blueberries-108256%3Fmbid%3Dfbfeed%22%5D&source_id=5194643289&ref_url=http%3A%2F%2Fwww.epicurious.com%2Frecipes%2Ffood%2Fviews%2FRed-Velvet-Cake-with-Raspberries-and-Blueberries-108256%3Frecipename%3DRed%2520Velvet%2520Cake%2520with%2520Raspberries%2520and%2520Blueberries%26saved_to_box%3Dy…etc

2 Responses to “Facebook vs Privacy”

What’s up Richard! WRT Facebook and https, they will actually bust you back to http with the next link that you click, even if you manually enter the https version of any URL.

I think I took that same class… CNS, right? Stack smashing is fun.

Anyways, take care.
Sebastian

By Sebastian on Apr 30, 2009

Hah, good to know. We didn’t actually investigate too much once we saw the HTTP requests go out and carry the auth cookies.

And it was just Network Security, we didn’t actually focus much on practicals – mostly math behind various encryption algos and a bunch of secure authentication mechanisms.

By Richard on May 20, 2009
