Date: Thu, 20 Aug 2009 14:24:28 +0300
From: Ronen Z <ronen@...ji.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Facebook CSRF attack allows personal information theft

A vulnerability in the Facebook Application API allows the construction of a
malicious Facebook application that collects a user's personal information,
including full name, profile picture and friends list. The full name and
picture of the friends are also accessible. The information is collected
without the user's knowledge or consent.

It is possible to launch the attack via an HTML IMG tag, which greatly
increases the severity of the breach because there is no need to have the
user access the attacker's site. Instead, any online blog or forum that
allows IMG tags in comments can be used. The user needs only to load the
relevant page to launch the attack. The attack elegantly ends with a valid
image, so the page renders normally and the attacked user does not notice
that anything peculiar has happened.

This amounts to a unique kind of CSRF attack in which both the user's
browser is tricked into performing an action without user consent (divulging
personal information), and the attacker's server is the direct recipient of
this action (via the Facebook app server).

Demonstration and discussion of the attack:
   http://blog.quaji.com/2009/07/facebook-personal-info-leak.html

Full disclosure and details:
   http://blog.quaji.com/2009/08/facebook-csrf-attack-full-disclosure.html


The specific vulnerability used here has just been patched by Facebook, but
it's likely that it is still possible to launch this type of attack using
other mechanisms and other social networks.


Ronen Zilberman
http://quaji.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
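The mechanism described in the post above, as an added example that is not part of the original message and not Facebook's or the author's code: a toy Node.js model of an <img>-triggered leak. A third-party page embeds an image whose URL points at an application endpoint; the browser attaches the victim's ambient session cookie, the endpoint hands the profile to the application's log and answers with a redirect to a real image. The hardened variant refuses requests that modern browsers mark as cross-site via Fetch Metadata and, for browsers that do not send it, falls back to requiring a same-origin Referer; the simulated cookie jar also shows the effect of the SameSite cookie attribute. All origins, URLs, cookie names and session data are constructed assumptions.

```javascript
// Added example (not from the original post): toy model of an <img>-triggered
// information leak and two defences. Origins, cookie names and the session
// store below are constructed for illustration only.

const APP_ORIGIN = "https://apps.example.net";      // assumed: application platform
const ATTACKER_ORIGIN = "https://evil.example.org"; // assumed: page hosting the <img>
const VALID_IMAGE = "https://cdn.example.net/1x1.gif";

// Constructed session store: cookie value -> profile the app may read.
const sessions = {
  "sess-1234": {
    name: "Alice Example",
    picture: "https://cdn.example.net/alice.jpg",
    friends: ["Bob Example", "Carol Example"],
  },
};

// Constructed cookie jar for the victim; `sameSite` is the attribute the
// application set on its session cookie ("None", "Lax" or "Strict").
function makeJar(sameSite) {
  return [{ name: "sid", value: "sess-1234", domain: "apps.example.net", sameSite }];
}

function origin(url) { return new URL(url).origin; }

// Model the request a browser sends when a page at `pageOrigin` loads `url`
// as a subresource of type `dest` ("image" for <img>, "document" for navigation).
function browserRequest(url, pageOrigin, jar, dest) {
  const crossSite = origin(url) !== pageOrigin;
  const cookies = {};
  for (const c of jar) {
    if (new URL(url).hostname !== c.domain) continue;
    // Lax/Strict cookies are withheld on cross-site subresource loads.
    if (crossSite && c.sameSite !== "None") continue;
    cookies[c.name] = c.value;
  }
  return {
    method: "GET",
    url,
    cookies,
    headers: {
      "sec-fetch-site": crossSite ? "cross-site" : "same-origin",
      "sec-fetch-dest": dest,
      referer: pageOrigin + "/",
    },
  };
}

// Vulnerable endpoint: trusts the ambient cookie alone, writes the profile to
// the app's log, then redirects to a real image so the embedding page renders.
function vulnerableEndpoint(req, appLog) {
  const profile = sessions[req.cookies.sid];
  if (profile) appLog.push(profile);
  return { status: 302, location: VALID_IMAGE };
}

// Hardened endpoint: reject anything the browser labels cross-site; without
// Fetch Metadata, require a Referer from our own origin (reject when absent).
function hardenedEndpoint(req, appLog) {
  const site = req.headers["sec-fetch-site"];
  if (site !== undefined) {
    if (site !== "same-origin" && site !== "same-site") return { status: 403 };
  } else {
    const ref = req.headers.referer;
    if (!ref || origin(ref) !== APP_ORIGIN) return { status: 403 };
  }
  const profile = sessions[req.cookies.sid];
  if (!profile) return { status: 401 };
  appLog.push(profile);
  return { status: 302, location: VALID_IMAGE };
}

// Attacker's page embeds <img src="https://apps.example.net/app/pixel.gif">.
// Returns how many profiles reached the app log and what the browser saw.
function runAttack(endpoint, sameSite) {
  const log = [];
  const req = browserRequest(APP_ORIGIN + "/app/pixel.gif", ATTACKER_ORIGIN, makeJar(sameSite), "image");
  const res = endpoint(req, log);
  return { leaked: log.length, status: res.status, location: res.location };
}

// A legitimate same-origin navigation to the same endpoint must keep working.
function runLegitimate(endpoint, sameSite) {
  const log = [];
  const req = browserRequest(APP_ORIGIN + "/app/pixel.gif", APP_ORIGIN, makeJar(sameSite), "document");
  const res = endpoint(req, log);
  return { leaked: log.length, status: res.status };
}
```

With the cookie marked SameSite=None the vulnerable endpoint leaks the profile and still returns the redirect to a valid image, exactly the quiet outcome the post describes; marking it Lax stops the leak at the browser, and the hardened endpoint stops it at the server even when the cookie does arrive. The Referer fallback is deliberately fail-closed because Referer can be suppressed by policy, which would otherwise let a stripped request through.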
