Wednesday, June 1, 2011

Potential Facebook Security Issue

Facebook introduced tagging in wall posts not long ago. Since then, almost everyone I know on Facebook has learned to tag friends in both status updates and comments. Less widely known, and potentially a security concern, is that the same '@' reference can tag pages as well as people. This is harmless when the target is a page hosted on Facebook, such as a company's official Facebook page or a product or service. Here is an example of tagging a company's page on Facebook:

When the user presses 'enter,' the tag is converted into a link: the word "Grooveshark" becomes a link that takes anyone clicking it to the official Grooveshark Facebook page.

However, not every "page" lives on Facebook. Until a recent change (Facebook now records "liked" links as wall post stories rather than as recent activity), a page object could be created from any web page that had Facebook's Like button installed. Here is an example from a Blogspot blog with a random post.

(Keep in mind that this only works with pages that were "liked" before that change; it does not work with new likes.)

Clicking "Like" under the post causes a post to be made to your Facebook profile wall saying that "User X likes Page Y." In this case it reads "User X likes 'did that five year old I just saw have a cell phone?'" The name of the page is a clickable link that leads to the original blog page (as it should, for viral purposes). Here is where the potential vulnerability comes into play: since Facebook treats these older likes as pages, the user can "tag" the page in a wall post as well.

This creates a link, posted on the user's wall, whose text is the page name but whose target is the original blog post.

Essentially, the problem is that the link text masks the destination (just as it does elsewhere on the web). This is especially problematic on Facebook because users will almost always click a link posted by a friend without inspecting the underlying URL. It is important to remember that the owner of the original blog post still has complete control over that web page: he or she can redirect it, add malicious code, and so on, and there is nothing Facebook can do about it.

Now imagine if the link text above read "This video is hilarious!" It looks like a trustworthy post from a friend, but in reality it could be a post made by a rogue application that obtained permission to post to the user's wall. The text "This video is hilarious!" could lead to any page on the web.

Fortunately, this problem is not a large one. First, very few users are aware that they can tag pages at all. Second, Facebook has stopped treating new "likes" as pages and instead treats them as links, displaying their full URLs. However, the problem can still exist for older liked pages, of which there are millions.

To protect against this threat, always be aware of where a link is going. On Facebook (and any other site), hovering over a link reveals its real URL in the browser's status bar at the bottom of the screen.
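As an added example (not part of the original post, and not Facebook's code), here is a small JavaScript check that automates what hovering does by hand for the masked-link problem described above: it compares an anchor's visible text with the host its href actually points to, and flags links whose text hides an off-site destination or claims a domain that does not match. The trusted-host list and the sample wall-post links are constructed for illustration.

```javascript
// Added example: flag wall-post links whose visible text hides the real destination.
// Not Facebook's code. The trusted-host list and sample links below are constructed assumptions.

const TRUSTED_HOSTS = new Set(["facebook.com", "www.facebook.com"]); // assumption

// Parse the host out of an href; null if it is not an absolute http(s) URL
// (so javascript:, data: and relative hrefs are all reported rather than trusted).
function hostOf(href) {
  try {
    const u = new URL(href);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Visible text that itself looks like a URL or a bare domain name.
const LOOKS_LIKE_URL = /^(https?:\/\/)?([a-z0-9-]+\.)+[a-z]{2,}(\/\S*)?$/i;

// Classify one link by comparing what the reader sees with where the link goes.
function auditLink(text, href) {
  const host = hostOf(href);
  const shownText = text.trim();
  if (host === null) return { verdict: "invalid-href", host: null };
  if (TRUSTED_HOSTS.has(host)) return { verdict: "internal", host };
  if (LOOKS_LIKE_URL.test(shownText)) {
    // The text claims a destination; make sure it is the real one.
    const shown = hostOf(/^https?:\/\//i.test(shownText) ? shownText : "http://" + shownText);
    return shown === host
      ? { verdict: "external-visible", host }
      : { verdict: "external-mismatch", host, shown };
  }
  // Plain prose (e.g. "This video is hilarious!") pointing off-site: the masked case.
  return { verdict: "external-masked", host };
}

// Audit a batch of {text, href} links and return only the ones worth a second look.
function suspiciousLinks(links) {
  return links
    .map((l) => ({ ...l, ...auditLink(l.text, l.href) }))
    .filter((r) => r.verdict === "external-masked" ||
                   r.verdict === "external-mismatch" ||
                   r.verdict === "invalid-href");
}

// Constructed sample wall-post links modelled on the scenarios in the article.
const SAMPLE_LINKS = [
  { text: "Grooveshark", href: "https://www.facebook.com/grooveshark" },
  { text: "did that five year old I just saw have a cell phone?",
    href: "http://someblog.blogspot.com/2011/05/post.html" },
  { text: "This video is hilarious!", href: "http://someblog.blogspot.com/2011/05/post.html" },
  { text: "example.com", href: "http://not-example.test/landing" },
  { text: "http://someblog.blogspot.com/2011/05/post.html",
    href: "http://someblog.blogspot.com/2011/05/post.html" },
];

for (const r of suspiciousLinks(SAMPLE_LINKS)) {
  console.log(`${r.verdict}: "${r.text}" -> ${r.href}`);
}
```

In a browser the same check runs over a live page by feeding it `[...document.querySelectorAll("a")].map(a => ({ text: a.textContent, href: a.href }))`; the point of the host comparison, rather than a string comparison on the whole URL, is that a tag's text is a page name, so only "does the text name a domain, and is it the real one?" can be decided without human judgement.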

This isn't a major security issue with Facebook, and it probably won't be corrected. Still, it is worth checking where a link actually leads before clicking it.
