In this post I'll describe how I was able to spoof the content of any app on Facebook. I'll also cover a few of the "unfixed" bugs found in Facebook (some of which still work). These bugs give attackers a way to inject external links or images into a wall (newsfeed) post that appears to come from trusted apps such as SoundCloud or Candy Crush, among the most popular Facebook games and apps.
But what exactly does "spoofing app content" mean?
It means that an attacker can post content that appears to come from a trusted application onto the wall or newsfeed of a victim.
The spoofed content can appear to come from Saavn, Candy Crush, Spotify, Pinterest, or any other application on Facebook.
Facebook has a somewhat interesting publishing method called stream.publish (http://fbdevwiki.com/wiki/FB.ui#method:_.27stream.publish.27).
It lets a Facebook application post to your wall with stream attachments.
The Stream Publish Dialog will look like the following:
This dialog contains a few noteworthy parameters:
1. app_id
2. attachment (swfsrc, imgsrc, href)
The attacker must first supply the app_id of the application to be impersonated (Saavn, Spotify, etc.).
Saavn's app_id is 126986924002057.
Next, the attacker supplies attachment parameters such as swfsrc and imgsrc.
What happens if the attacker uses the swfsrc parameter to load swf files hosted on an external website (in this case, nirgoldshlager.com)? Will Facebook permit this? By default, Facebook allowed external swf files to be loaded through swfsrc from literally any domain. There is a setting called "Stream post URL security" that is meant to ward off exactly this kind of attack: in theory, an app whose developer has enabled this protection cannot be abused to load external swf files.
Even so, I found a way past this protection by dropping the href parameter (href=).
When href is present, Facebook correctly rejects my request, because it validates the original domain (xxx.com) of the owner app (xxx) through the href parameter.
To bypass it, I used a blank value in the href parameter:
With href blank, I used the imgsrc and swfsrc parameters to load swf files from an external domain (http://xxx.com).
PoC Bypass (Fixed By Facebook Security in 2012):
PoC Video (Fixed in 2012):
This bug allowed me to load any number of swf files from any domain.
So every time a victim viewed my wall post, they saw spoofed content attributed to a Facebook application they generally trust. Clicking the link in the post caused an swf file from the external website to execute on the victim's machine.
In the following video example, the external swf file opens a new tab on the victim's browser that redirects them to my website (nirgoldshlager.com).
Bug 2 (The "Unfixed" Content Spoofing Bug)
Now let's go over the unfixed Facebook app content spoofing bug.
Facebook eliminated the stream.publish option in 2013, instead opting for a Feed Dialog (https://developers.facebook.com/docs/reference/dialogs/feed/) to publish app activity.
In this Feed Dialog, a few parameters are enough to perform the app content spoofing.
Link parameter: this carries the external link the post points to (a virus exe file, 0days, a phishing site, or any other malicious link).
Picture parameter: this is only useful when spoofing the content with an image. The image displays correctly only in the wall post, not in the newsfeed, so it is relevant only to wall post app spoofing.
Caption parameter: this lets an attacker choose which website the content appears to come from. For example:
Name parameter: this sets the title we want. When the victim clicks that title, they are taken to the external link.
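The two bugs above share one root cause: the platform-side check that an attached URL belongs to the app's registered domain was tied to a single parameter (href) and was skipped when that parameter was blank, and the displayed source (caption) was never compared with where the link actually goes. The following is an added example, not Facebook's code, of how such a check can be written to fail closed: every URL-bearing parameter of both the stream.publish attachment and the Feed Dialog is validated, a blank href is a rejection rather than a skip, and a caption that names a different site than the link is refused. The Saavn app_id is the one quoted in the post; the registered-domain lists, the second app id and all sample URLs are constructed.

```python
"""Fail-closed validation of app-post URL parameters.

Added example, not Facebook's code. Models the "Stream post URL security"
setting described in the post: every URL an app attaches to a post must
belong to a domain the app registered. Allowlists and sample posts are
constructed; only the Saavn app_id comes from the post.
"""
from urllib.parse import urlparse

# Constructed: domains each app registered in its developer settings.
APP_DOMAINS = {
    "126986924002057": {"saavn.com"},      # Saavn app_id quoted in the post
    "app_under_test": {"music.example"},   # hypothetical app for the feed case
}

STREAM_URL_PARAMS = ("href", "swfsrc", "imgsrc")   # stream.publish attachment
FEED_URL_PARAMS = ("link", "picture")               # Feed Dialog


def host_of(url):
    """Lowercase host of an http(s) URL, or None if the value is not one."""
    parts = urlparse(url or "")
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def host_allowed(host, allowed):
    """True if host equals, or is a subdomain of, an allowlisted domain."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def strip_www(host):
    return host[4:] if host.startswith("www.") else host


def check_url_params(params, names, allowed, required=()):
    """Check every URL parameter against the allowlist. A required parameter
    that is missing or blank is itself a rejection, not a skipped check."""
    reasons = []
    for name in names:
        value = (params.get(name) or "").strip()
        if not value:
            if name in required:
                reasons.append(f"{name} missing or blank")
            continue
        host = host_of(value)
        if host is None:
            reasons.append(f"{name} is not an http(s) URL")
        elif not host_allowed(host, allowed):
            reasons.append(f"{name} host {host} not registered for this app")
    return reasons


def validate_stream_publish(params):
    """stream.publish: the bypass in the post worked because the owner-domain
    check hung off href alone, so a blank href skipped it while swfsrc and
    imgsrc still loaded. Here href is required and all three are checked.
    Returns a list of rejection reasons; an empty list means accepted."""
    allowed = APP_DOMAINS.get(str(params.get("app_id", "")))
    if not allowed:
        return ["unknown app_id"]
    return check_url_params(params, STREAM_URL_PARAMS, allowed, required=("href",))


def validate_feed_dialog(params):
    """Feed Dialog: check link and picture, and refuse a caption that names a
    different site than the one the link actually points to."""
    allowed = APP_DOMAINS.get(str(params.get("app_id", "")))
    if not allowed:
        return ["unknown app_id"]
    reasons = check_url_params(params, FEED_URL_PARAMS, allowed, required=("link",))
    caption = (params.get("caption") or "").strip().lower()
    link_host = host_of(params.get("link"))
    if caption and link_host:
        shown = strip_www(host_of(caption) or caption)   # caption may be bare host or URL
        if shown != strip_www(link_host):
            reasons.append(f"caption '{caption}' does not match link host {link_host}")
    return reasons


if __name__ == "__main__":
    # Constructed sample posts: one legitimate, one blank-href attempt, one spoofed feed.
    legit = {"app_id": "126986924002057", "href": "https://www.saavn.com/s/song/1",
             "swfsrc": "https://www.saavn.com/player.swf"}
    blank_href = {"app_id": "126986924002057", "href": "",
                  "swfsrc": "http://external.example/p.swf",
                  "imgsrc": "http://external.example/cover.png"}
    spoofed_feed = {"app_id": "app_under_test", "link": "http://external.example/dl",
                    "caption": "music.example", "name": "New track"}
    print("legit:", validate_stream_publish(legit))
    print("blank href:", validate_stream_publish(blank_href))
    print("spoofed feed:", validate_feed_dialog(spoofed_feed))
```

The design point is that a validator must never treat an absent parameter as "nothing to check" when other parameters in the same request still cause content to load, and that the label shown to the user (caption) should be derived from, or at least verified against, the link it decorates.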
To prevent content spoofing on your app, enable "Stream post URL security" in your app settings (developers.facebook.com).
Bonus Video (Advanced Spoofing Apps Links, Fixed By Facebook Security 2012):