Tag Archives: facebook

Google Security says “Thanks Frank”

A few weeks ago I received the following in a mail from Google;

As a small token of appreciation for helping keep Google’s users safe and secure, we’d like to credit you on our website.

And indeed, yesterday my name was added to the “Honorable Mention” paragraph on Google’s Security Hall of Fame.

I don’t consider myself a security expert by any measure (although I am very interested in web app security) and I discovered that vulnerability in the iGoogle Facebook gadget merely by chance, but it’s nice to see my name (and a link to this blog) up there! Thanks for thanking me Google!

Blog Action Day on Water coming soon

Just to say that on 15 October (Blog Action Day) I will be writing something edifying about water here. Maybe about bottled water and the Facebook page “100.000 leden voor kraantjeswater in restaurants” (100,000 members for tap water in restaurants)?

You really should go and take a look at that page, by the way; it shows how, as Communications Bigwig of, say, a bottled-water company, you should not handle social media. In reaction you might even become a “tap water fan”, even if all that Facebook-fan business isn’t in your genes.

The rest is for the 15th, and for “Water no get enemy” by Fela Kuti, performed here by son Femi and a handful of noble unknowns;


StuBru, Facebook and why we need (something like) Diaspora

Earlier this month Facebook deleted the official Studio Brussel page, cutting the Flemish youth radio station off from its 114.000 fans. StuBru didn’t receive any information on why the page was deleted, just a vague statement that they had breached the Facebook Terms. It took a week to get the page restored, but nonetheless web editor Stijn Van Kerkhove raved (translated from Dutch);

We were surprised when our website got deleted, but we’re even more pleasantly surprised to be back.

“When our website got deleted”, seriously Stijn? A Facebook page isn’t a website, and ultimately it isn’t yours either. When on Facebook you are (and I am) at the mercy of a private company that has absolute power over anything you do on its premises. Facebook decides what pages look like, Facebook decides what you can and cannot post, and Facebook reserves the right to expel you from its community for whatever reason it does or doesn’t come up with.

Given the increasing importance of social networks in our lives and economy (and the never-ending privacy problems with Facebook), I do believe that we’d be better off with an open, decentralized system which does not have a sole (commercial) owner with absolute power. That’s why it’s a good thing that Diaspora exists, even if the alpha code they released a couple of days ago is not up to expectations. That’s why status.net (and identi.ca) are great. And that’s why OStatus, an open standard for following friends and sharing statuses on distributed social networks which is already implemented in status.net and which will probably go into Diaspora as well, is incredibly important.

And on a vaguely related note; that Facebook-movie by Aaron Sorkin and David Fincher looks great, doesn’t it:

THE SOCIAL NETWORK – Official Trailer (HD)


Don’t bury RSS just yet

RSS is dead and Facebook and Twitter killed it! Or at least that’s what some web & trend-watching bloggers conclude from the demise of Bloglines, the once cutting-edge web-based feedreader. And indeed, people are increasingly discovering news items and memes through their friends’ status updates, re-tweeting or -sharing stuff they deem interesting. And yes Flipboard, which scans your Facebook & Twitter feeds for links (scraping content from the pages instead of using feeds, to the dismay of some publishers), is the talk of the iTown. Look ma, no RSS!

But hold your horses; do you know what the most requested feature for Flipboard is? Integration with Google Reader, and the ability to include RSS feeds is in high demand as well! And while we’re at it, Google Reader seems not to be doing too badly either, according to their own stats, probably because Reader, as opposed to Bloglines, continues to evolve, integrating a slew of social features. Reader is also the primary source for Feedly, a popular browser add-on that offers a magazine-like view on subscribed feeds. And proving RSS is not dead yet, Automattic last week launched Subscriptions on wordpress.com, which displays your subscribed feeds in a stream-like fashion, including the writer’s profile picture and a ‘reblog’ and ‘like’ button (i.e. resembling what Peter Van Dijck proposed earlier that day).

Even if RSS readers were ever to become marginalized, RSS and similar standardized XML-based newsfeeds (think Atom) are indispensable for syndicating content from one site into another application. After all, how do you think news outlets and blogs feed their content into Twitter and Facebook in the first place?

iGoogle Facebook gadget security flaw fixed & explained

I just received confirmation from the Google Security Team that the bug I discovered in the iGoogle Facebook Gadget, which allowed attackers to log into another user’s Facebook account bypassing all authentication, has been fixed. So now that the hole has been closed, let’s look at what was happening, shall we?

The gadget uses Facebook’s JavaScript API to connect with Facebook, asking you for permission to access your FB data. In the process of getting that authorization, the gadget exchanges tokens with Facebook, some of which should absolutely be kept safe from prying eyes. And that’s where things went wrong: the gadget carried that authentication info (session key, secret and access token) in its own URL. So if a user of the iGoogle Facebook gadget clicked a link to an external site in the news feed, the request for that page had a referrer that contained all of the authentication info.

And that’s exactly what happened last week, when I spotted this referrer in my blog stats:

http://facebookiggadget.appspot.com/?exp_rpc_js=1&exp_track_js=1&st=c%3Dig%26e%3DAPu7icpJzJJhOouS8TuGegSqFHHI8XHU1r55OllrNbk0ey/aTpkUFx9jPKB/cwgcEZoGfcBuc43x/CuzuEL2cQinYglFvhFWKtlXg6j/JtKC0%252BWsAu3vo/3ZR/WA64J/Fmw1YuUFgT7q&v=fdb2b406636e1f3cff1c5d7e660f59eb&container=ig&view=home&lang=nl&country=BE&up_session=%7B%22uid%22:%221165373488%22, %22session_key%22:%2291d52d2ed5a130fd941b11f1-1175373488%22, %22secret%22:%22fdee68961b3cdee5b51390a4bdeac7a0%22,%22expires%22:0, %22access_token%22:%2283101558C90fd9KfA9KJQh5uT98TqIjxQpzUi4.%22,%22sig%22:%22dd635ef67af1f59c1c671215076cce10%22%7D&parent=http://google.be&libs=7ndonz73vUA/lib/liberror_tracker.js,iHKb-4mKuMY/lib/librpc.js,vrFMICQBNJo/lib/libcore.js,a5j4V1JuNVE/lib/libsetprefs.js&is_signedin=1&synd=ig&view=home

You can guess what happened when I opened that URL; the iGoogle Facebook gadget initialized using the embedded credentials, automatically logging me in as the guy that was unlucky enough to have clicked the link to my blog.

But how could this vulnerability have been exploited, you may ask? Well, easy enough; create a page that is viral enough for people to share or like (likespam or even likejacking) and wait for users of the iGoogle Facebook gadget (there are over 1 million of them, after all) to follow the links, feeding your webserver logfiles with credential-rich referrers.

As Google confirmed, this bug has indeed been fixed. The new version of the gadget, which was deployed late last week, no longer leaks credentials in the referrer URL:

http://facebookiggadget.appspot.com/?lang=en&country=us&.lang=en&.country=us&synd=ig&mid=101&ifpctok=6472409229927695377&exp_rpc_js=1&exp_track_js=1&exp_ids=17259&parent=http://www.google.com&libs=7ndonz73vUA/lib/liberror_tracker.js,iHKb-4mKuMY/lib/librpc.js,vrFMICQBNJo/lib/libcore.js,a5j4V1JuNVE/lib/libsetprefs.js
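Detection logic for this kind of leak, as an added example that is not code from the original post or from the gadget: it parses combined-format web server log lines, decodes the old gadget’s JSON-encoded up_session parameter out of the referrer and reports which credential fields a visitor’s browser handed over, so a site owner can spot (and then purge) such referrers in their own logs. The log lines, IP addresses and token values are constructed placeholders.

```python
import json
import re
from urllib.parse import parse_qs, unquote, urlparse

# Credential-like fields: top-level query parameters, or keys inside the
# JSON-encoded up_session parameter the old gadget appended to its URL.
SENSITIVE_KEYS = {"access_token", "session_key", "secret", "sig"}

# Apache/nginx "combined" log format; the referrer is the quoted field after status and size.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "[^"]*" \d{3} \S+ '
                      r'"(?P<referrer>[^"]*)" "[^"]*"$')

def leaked_credentials(referrer):
    """Return {field: value} for credential-like fields found in a referrer URL."""
    found = {}
    for key, values in parse_qs(urlparse(referrer).query).items():
        for value in values:
            if key == "up_session":
                # parse_qs decoded one layer; unquote handles a second layer if present.
                try:
                    session = json.loads(unquote(value))
                except ValueError:
                    found[key] = value  # undecodable, but still treat it as sensitive
                    continue
                for skey, sval in session.items():
                    if skey in SENSITIVE_KEYS:
                        found[skey] = str(sval)
            elif key in SENSITIVE_KEYS:
                found[key] = value
    return found

def scan_access_log(lines):
    """Return (timestamp, client_ip, sorted leaked field names) for each offending line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue  # not a combined-format line; skip it
        leaked = leaked_credentials(m.group("referrer"))
        if leaked:
            hits.append((m.group("time"), m.group("ip"), sorted(leaked)))
    return hits

# Constructed sample log: one visit referred by the old gadget, one by the fixed gadget.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Sep/2010:10:12:01 +0200] "GET /blog/post HTTP/1.1" 200 5123 '
    '"http://facebookiggadget.appspot.com/?container=ig&up_session=%7B%22uid%22:%22123%22,'
    '%22session_key%22:%22EXAMPLE_SESSION_KEY%22,%22secret%22:%22EXAMPLE_SECRET%22,'
    '%22access_token%22:%22EXAMPLE_TOKEN%22%7D&synd=ig" "Mozilla/5.0"',
    '203.0.113.6 - - [20/Sep/2010:10:13:44 +0200] "GET /blog/post HTTP/1.1" 200 5123 '
    '"http://facebookiggadget.appspot.com/?lang=en&synd=ig&mid=101&parent=http://www.google.com" "Mozilla/5.0"',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags only the first line, naming the access_token, secret and session_key fields; the fixed gadget’s referrer yields nothing.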

So if anyone asks me what my good deed for this year was; I helped protect 1 million people’s Facebook accounts from being hacked.

Sounds swell, no? ;-)

Severe vulnerability in iGoogle Facebook gadget

By chance I discovered a severe security vulnerability in iGoogle’s Facebook gadget (more than 1 million users!), which allows an attacker to log into another user’s Facebook account, bypassing authentication.

I contacted the author and the Google security team and they confirmed there appears to be a problem which they’ll look into. While they do so, I would strongly advise everyone not to use the iGoogle Facebook gadget. Once the hole is closed, I’ll provide more info on how this could be exploited.

Why I dislike Facebook’s Like widgets

I like Facebook. I like sharing stuff there, I like liking friends’ activities and I like friends sharing and liking my links and posts. But I really, really don’t like Facebook’s Like buttons and similar boxes! Because I see some serious problems with the like button;

  1. The page containing the “like”-widget loads and renders significantly slower (i.e. performance impact)
  2. Facebook can track me visiting this page, even if I don’t click on “Like” (i.e. privacy issue)
  3. When I do click “Like”, I have no way of checking what will be shown on Facebook. And indeed the buttons are already being used to spread spam, malware is expected to be next (i.e. security risk)
  4. “Liking” a page enters me into a relationship with the page owner, allowing them to “publish updates to the user [and] target ads to people who like [their] content” (i.e. 2nd privacy issue, severely aggravated by the security risk)

No, call me old-fashioned, but I’m much more at ease with the normal Facebook share-mechanism;

  • a simple link, so no performance impact
  • no contact with Facebook unless clicked on, so tracking of my surfing behavior is not possible
  • an intermediate screen shows what you’re about to share, meaning a much lower security risk
  • no forced relationship with the page owner, i.e. “avert 2nd privacy-risk: CHECK”

But as I can’t force site owners to remove the “Social Widgets”, I can only install something like No FB Tracking to disable the virus that is the Facebook Like button. And whine about it on my blog, of course.