Archive for the ‘facebook’ tag
iGoogle Facebook gadget security flaw fixed & explained
I just received confirmation from the Google Security Team that the bug I discovered in the iGoogle Facebook Gadget, which allowed attackers to log into another user’s Facebook account bypassing all authentication, has been fixed. So now that the hole has been closed, let’s look at what was happening, shall we?
The gadget uses Facebook’s JavaScript API to connect to Facebook, asking you for permission to access your FB data. In the process of obtaining that authorization, the gadget exchanges tokens with Facebook, some of which must absolutely be kept safe from prying eyes. And that’s where things went wrong: the gadget carried the session information in the URL query string. Browsers send the URL of the current page (everything except the fragment after the #) in the Referer header of outgoing requests, so if a user of the iGoogle Facebook gadget clicked a link to an external site in the news feed, the request for that page had a referrer that contained all of the authentication info.
And that’s exactly what happened last week, when I spotted this referrer in my blog stats:
http://facebookiggadget.appspot.com/?exp_rpc_js=1&exp_track_js=1&st=c%3Dig%26e%3DAPu7icpJzJJhOouS8TuGegSqFHHI8XHU1r55OllrNbk0ey/aTpkUFx9jPKB/cwgcEZoGfcBuc43x/CuzuEL2cQinYglFvhFWKtlXg6j/JtKC0%252BWsAu3vo/3ZR/WA64J/Fmw1YuUFgT7q&v=fdb2b406636e1f3cff1c5d7e660f59eb&container=ig&view=home&lang=nl&country=BE&up_session=%7B%22uid%22:%221165373488%22,%22session_key%22:%2291d52d2ed5a130fd941b11f1-1175373488%22,%22secret%22:%22fdee68961b3cdee5b51390a4bdeac7a0%22,%22expires%22:0,%22access_token%22:%2283101558C90fd9KfA9KJQh5uT98TqIjxQpzUi4.%22,%22sig%22:%22dd635ef67af1f59c1c671215076cce10%22%7D&parent=http://google.be&libs=7ndonz73vUA/lib/liberror_tracker.js,iHKb-4mKuMY/lib/librpc.js,vrFMICQBNJo/lib/libcore.js,a5j4V1JuNVE/lib/libsetprefs.js&is_signedin=1&synd=ig&view=home
You can guess what happened when I opened that URL: the iGoogle Facebook gadget initialized using the embedded credentials, automatically logging me in as the guy who was unlucky enough to have clicked the link to my blog.
But how could this vulnerability have been exploited, you may ask? Easily enough: create a page that is viral enough for people to share or like (likespam or even likejacking) and wait for users of the iGoogle Facebook gadget (there are over 1 million of them, after all) to follow the links, feeding your web server log files with credential-rich referrers.
As Google confirmed, this bug has indeed been fixed. The new version of the gadget, which was deployed late last week, no longer leaks credentials in the referrer URL:
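As an added example (this is not code from the original post, nor from the gadget itself), here is the log-scanning logic an attacker harvesting referrers, or a site owner checking their own access logs for leaked credentials, would use. It parses Apache/nginx combined-format log lines, decodes the `up_session` query parameter that the vulnerable gadget carried in its URL, and reports the credential fields it finds. The log lines, IP addresses and token values are constructed for the example and are not real credentials; the shape of the fixed gadget URL is modelled on the one quoted in this post.

```javascript
// Added example: find Facebook session material leaked through Referer URLs
// in web-server access logs. Sample data below is constructed, not real.

// Field names the iGoogle gadget put into its up_session JSON object that
// must never appear in a URL (the uid alone is public and is not flagged).
const SENSITIVE_KEYS = new Set(["session_key", "secret", "access_token", "sig"]);

// Apache/nginx "combined" format:
// <ip> - - [<time>] "<request>" <status> <bytes> "<referer>" "<user-agent>"
const COMBINED_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"/;

function parseCombinedLogLine(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], request: m[3], status: Number(m[4]), referer: m[6], ua: m[7] };
}

// Return an object of the credential-bearing fields found in a referrer URL,
// or null when the URL is unparseable or carries nothing sensitive.
function findLeakedCredentials(referer) {
  let url;
  try { url = new URL(referer); } catch { return null; }
  const leaked = {};
  for (const [key, value] of url.searchParams) {
    // Bare sensitive parameters (e.g. ?access_token=...).
    if (SENSITIVE_KEYS.has(key)) leaked[key] = value;
    // The gadget carried the whole session as URL-encoded JSON in up_session;
    // URLSearchParams already percent-decodes it, so it can be parsed directly.
    if (key === "up_session") {
      try {
        const session = JSON.parse(value);
        for (const k of Object.keys(session)) {
          if (SENSITIVE_KEYS.has(k)) leaked[`up_session.${k}`] = session[k];
        }
      } catch { /* not JSON: nothing more to extract */ }
    }
  }
  return Object.keys(leaked).length ? leaked : null;
}

// Scan log lines and report every request whose Referer leaked credentials.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const entry = parseCombinedLogLine(line);
    if (!entry || entry.referer === "-") continue;
    const leaked = findLeakedCredentials(entry.referer);
    if (leaked) hits.push({ ip: entry.ip, host: new URL(entry.referer).host, leaked });
  }
  return hits;
}

// Constructed session object (made-up values, same field layout as the gadget's).
const SAMPLE_SESSION = {
  uid: "100000000000001",
  session_key: "deadbeef00-100000000000001",
  secret: "0123456789abcdef0123456789abcdef",
  expires: 0,
  access_token: "EXAMPLE_TOKEN_VALUE.",
  sig: "fedcba9876543210fedcba9876543210",
};
// Vulnerable-gadget style referrer: session JSON in the query string.
const vulnerableReferer = "http://facebookiggadget.appspot.com/?container=ig&view=home&up_session="
  + encodeURIComponent(JSON.stringify(SAMPLE_SESSION)) + "&parent=http://google.be";
// Fixed-gadget style referrer: no session material at all.
const fixedReferer = "http://facebookiggadget.appspot.com/?lang=en&country=us&synd=ig&mid=101&parent=http://www.google.com";

// Constructed access-log lines: one leaking hit, one clean hit, one without referrer.
const SAMPLE_LOG = [
  `203.0.113.7 - - [10/Nov/2010:21:14:05 +0100] "GET /blog/ HTTP/1.1" 200 5123 "${vulnerableReferer}" "Mozilla/5.0"`,
  `203.0.113.8 - - [10/Nov/2010:21:15:11 +0100] "GET /blog/ HTTP/1.1" 200 5123 "${fixedReferer}" "Mozilla/5.0"`,
  `203.0.113.9 - - [10/Nov/2010:21:16:42 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"`,
];

const SAMPLE_HITS = scanLog(SAMPLE_LOG);
console.log(JSON.stringify(SAMPLE_HITS, null, 2));
```

Run with node: only the first log line is reported, with the session key, secret, access token and signature pulled out of `up_session`; the fixed-style URL yields nothing, which is the property the deployed fix restored. The general rule the bug violated is that session keys, secrets and access tokens never belong in the query string of a page URL, because the browser will hand that URL to any third-party site the user clicks through to; the fragment after the # is not sent in the Referer, and neither are POST bodies or request headers.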
http://facebookiggadget.appspot.com/?lang=en&country=us&.lang=en&.country=us&synd=ig&mid=101&ifpctok=6472409229927695377&exp_rpc_js=1&exp_track_js=1&exp_ids=17259&parent=http://www.google.com&libs=7ndonz73vUA/lib/liberror_tracker.js,iHKb-4mKuMY/lib/librpc.js,vrFMICQBNJo/lib/libcore.js,a5j4V1JuNVE/lib/libsetprefs.js
So if anyone asks me what my good deed for this year was: I helped protect 1 million people’s Facebook accounts from being hacked.
Sounds swell, no?
Severe vulnerability in iGoogle Facebook-gadget
I discovered, by chance, a severe security vulnerability in iGoogle’s Facebook gadget (more than 1 million users!), which allows an attacker to log into another user’s Facebook account, bypassing authentication.
I contacted the author and the Google security team and they confirmed there appears to be a problem which they’ll look into. While they do so, I would strongly advise everyone not to use the iGoogle Facebook gadget. Once the hole is closed, I’ll provide more info on how this could be exploited.
Why I dislike Facebook’s Like widgets
I like Facebook. I like sharing stuff there, I like liking friends’ activities and I like friends sharing and liking my links and posts. But I really, really don’t like Facebook’s Like buttons and similar boxes! Because I see some serious problems with the Like button:
- The page containing the “like”-widget loads and renders significantly slower (i.e. performance impact)
- Facebook can track me visiting this page, even if I don’t click on “Like” (i.e. privacy issue)
- When I do click “Like”, I have no way of checking what will be shown on Facebook. And indeed the buttons are already being used to spread spam, and malware is expected to be next (i.e. security risk)
- “Liking” a page enters me into a relationship with the page owner, allowing them to “publish updates to the user [and] target ads to people who like [their] content” (i.e. 2nd privacy issue, severely aggravated by the security risk)
No, call me old-fashioned, but I’m much more at ease with the normal Facebook share mechanism:
- a simple link, so no performance impact
- no contact with Facebook unless clicked on, so tracking of my surfing behavior is not possible
- an intermediate screen shows what you’re about to share, meaning a much lower security risk
- no forced relationship with the page owner, i.e. “avert 2nd privacy-risk: CHECK”
But as I can’t force site owners to remove the “Social Widgets”, I can only install something like No FB Tracking to disable the virus that is the Facebook Like button. And whine about it on my blog, of course.
Facebook drops iphone in favor of touch
A couple of days ago the redesigned Facebook website was launched, and I guess around the same time they also pushed new versions of their two mobile sites to their production servers.
With the redesign, the “low-end” m.facebook.com seems to have stayed more or less the same. One could argue that it did not need to change, as it had everything a mobile user could wish for. But the same could not be said of the “high-end” version on iphone.facebook.com, which offered not more but less functionality than little m. That ragged iphone site is gone now, and the new high-end mobile site, which lives on touch.facebook.com, finally provides high-end functionality as well. A couple of screenshots, for the visually oriented (compare with previous screenshots of the old iphone site here):
Although I miss the status info that was previously displayed on the friends page, this redesign in general is spot on! It incorporates many of the features one would expect from one of the most popular mobile platforms in the world. You can finally “like”, comment and see who already did, there’s a nice red notification icon in the top left corner (for comments only; “likes” don’t seem to trigger a notification), you’ve got access to your Facebook phonebook (now if only there was an “export” function as well; loosen up Mark, it’s our data to begin with) and to the pages you subscribed to as well.
So congrats Facebook, a job well done. Makes me wonder, why would one even bother installing that official Android Facebook app?
Facebook mobile websites face-off
With all the attention going to native Facebook applications for the iPhone, BlackBerry, Symbian and now also Android, one would almost forget that there is a mobile Facebook website as well. Better yet, there is not one but two mobile websites: http://m.facebook.com and http://iphone.facebook.com.
The difference? The iPhone version (or ‘high-end’, as it works on my Android devices as well) looks a lot more beautiful, but the m version has all the features one would expect from a mobile version of the Facebook site. Just look at these (low-quality) screenshots:
Facebook home on M and iPhone:

Facebook profile on M and iPhone:

Facebook friends on M and iPhone:

Basically, except for the default friends page, iphone.facebook.com does not in any respect offer more or better functionality than the “low-end” version. On the contrary: the iPhone version doesn’t even come close to m.facebook.com.
Dear Facebook: bling isn’t everything and I really don’t want to install your application, so kudos for creating a strong, feature-rich mobile site on m.facebook.com, but do implement at least the same functionality on iphone.facebook.com. And add some smart HTML5/Gears-based wizardry (just look at what Google does for mobile Gmail) to bridge the gap with native apps while you’re at it, maybe?
My blog laughs in your Facebook
Yesterday I left a good old-fashioned comment at Peter Decroubele’s on his piece about how blogs seem to be losing popularity to Facebook and Twitter. And Peter, in equally old-fashioned style, links through to a blog post by Bruno Peeters on the same subject. All that blogging, linking and commenting may somewhat undermine the comment I repeat (slightly edited) below, but you know what they say about exceptions and rules, right?
With the rise of Facebook and Twitter, the importance of blogging as a social networking tool has declined sharply. Little status updates dashed off between the soup and the potatoes are simply easier to write than regular, more or less readable blog posts.
The number of comments (and trackbacks and links) also seems to be declining, in favour of simpler (short) URLs, retweets, Twitter replies, Facebook comments and other “likes”. Following blogs, commenting on them and tracking other comments is, after all, much harder because of the decentralised nature of weblogs and the limitations of feed readers. On average I actually get more responses on Facebook to my automatically imported scribblings than on my blog itself (although that also depends on the topic).
None of that means, in my opinion, that blogging will disappear. But I do think it will (once again?) become more of a maxi-diary and mini-journalism, without the “social” hype and without the in-crowd atmosphere (which has found a new home on Twitter). And all in all, maybe that’s not such a bad evolution?
Facebook for lazybones (and the danger of Twitterish)
I’d rather be lazy than social, even on Facebook. So I let the software do my work: the feeds of my blog posts, my Google Reader shared items and my YouTube uploads and favourites are imported and automatically appear on my ‘wall’ and (at least if Facebook does it right) in the ‘stream’ on my virtual friends’ home pages (*). The same feeds are also aggregated on the lifestream page on my blog and on mybloglog.
Twitterers (no, I still haven’t joined) sync their short-speak with a Facebook application from Twitter itself. Now, that twittersphere is a strange little world, where the initiated tweet at high speed and speak a language all their own while doing so. Because what are you supposed to make of it when this scrolls past on Facebook:
RT @ubertwit: twunch at 18h with @twitaholic and @tweeter at #pizzahut gent, reply @twunch if you’ll be there too
A clear message to Twitterers (translation available from the Twittering kid next door), but when this tweet is dumped fully automatically into the context of Facebook, it is “utter gibberish” that is of no use to your FB friends. No, the “Selective Twitter update” application is a much better alternative: only tweets containing #fb get imported with it. So I’d kindly ask my Twittering Facebook friends to be a little selective about what they throw onto Facebook. Your context isn’t mine, after all!
(*) How to set up importing into Facebook yourself? On your profile, click the ‘settings’ button under the status-update box and you should see something like the screenshot above.