Why is Facebook Flaw Still Unpatched? Researcher Paid a Bounty, But Exploit Remains
A year after Facebook received a bug report regarding a loophole in its app architecture, the vulnerability remains exploitable, says the researcher who discovered this potential threat to user privacy.
Vivek Bansal, a Delhi-based app developer, discovered a loophole in Facebook's third-party app integration system that can be maliciously exploited by apps interacting with Facebook. Through this exploit, apps can post to a user's Facebook wall and, on behalf of the user, to their friends' walls - without the user's consent. Bansal says that this flaw remains exploitable as of this writing, and is a potential privacy concern for all Facebook users.
In response to Information Security Media Group's queries, Facebook says that this behavior was the result of a system that allowed apps to offer users the ability to interact with Facebook without having to ask for personal information like passwords. Facebook says it has countered this loophole with automated systems that monitor for abuse.
But Bansal says this is not good enough. "The flaw is still exploitable, and Facebook was not able to detect numerous posts I made to a test account, even after their 'patch.'"
Security and privacy experts say the onus is now on the users to only enable apps from trusted, reputed sources. Unfortunately, many times the user may not be the best judge.
How Exploit Was Found
Bansal discovered this issue in July 2013, while working with Facebook's APIs and Software Development Kit for an application build. He reported the vulnerability to Facebook in November 2013. "Facebook replied to me within five days, acknowledging my efforts," says Bansal, who received a bug bounty of $2000 for his disclosure and was added to Facebook's White Hat Hall of Fame.
Facebook requested Bansal withhold publishing the information until it could patch the bug. On January 15, 2014, Facebook told Bansal the bug had been patched and he could publish his findings. Bansal then posted a proof of concept video of the successful exploit. About 11 months later, Bansal discovered that the vulnerability was still present and exploitable using the same technique as before.
How It Works
Facebook provides access tokens to third-party apps for integration with the Facebook backend. Bansal demonstrates in his video and blog how these access tokens can be subverted even if Facebook identifies them as granting access only to basic information - a user's public profile, and access to the user's friend list. An app can be designed to post on any user's wall, even if it has received only basic, read-only permissions from the user.
In response to Bansal's disclosure last year, Facebook said that this behavior was the result of the SSO flow implementation that Facebook uses for seamless integration with its platform. Rather than requiring the user to log in explicitly inside the app, which would disclose the entire user session to the native app, Facebook decided on a trade-off whereby these SSO tokens are allowed to establish a user's identity.
Facebook says that this discovered loophole makes it possible for a malicious native app to make posts on behalf of its users without their consent. Facebook is now counting on a number of automated, behavior-based monitoring systems to safeguard against such abuse.
Prakhar Prasad, an independent Indian security researcher, says, "Facebook may not be properly doing access control checks; they are considering user-developed apps having an SSO access token to be 'fully trusted.'" Prasad says that checks at the backend should help in remediation, for example checking an attempt to post against the acquired permissions of the app.
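As an added illustration of the backend check Prasad describes (this is not Facebook's code; the scope names, token fields and action names are assumptions), here is the identity-only authorization beside a scope-aware one that also records denials for monitoring:

```python
# Added illustration, not Facebook's code: compare the action an app attempts
# against the scopes the user actually granted, instead of trusting an SSO
# token that only proves identity. Scope/action names are assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessToken:
    user_id: str
    app_id: str
    scopes: frozenset  # permissions the user consented to at SSO time


# Assumed mapping from API action to the scope it requires.
REQUIRED_SCOPE = {
    "read_profile": "public_profile",
    "read_friends": "user_friends",
    "publish_post": "publish_actions",
}


@dataclass
class AuditLog:
    denied: list = field(default_factory=list)


def authorize_trusting_identity(token, action):
    """Weak check (the behaviour the article describes): any token that
    establishes identity is allowed to perform any action."""
    return token.user_id is not None


def authorize_against_scopes(token, action, audit):
    """Hardened check: the action must be covered by a granted scope.
    Denials are logged so an app probing for privileges it was never
    granted shows up in monitoring even at low volume."""
    needed = REQUIRED_SCOPE.get(action)
    if needed is None or needed not in token.scopes:
        audit.denied.append((token.app_id, token.user_id, action, needed))
        return False
    return True


# Constructed sample: an app granted only basic, read-only permissions.
BASIC_TOKEN = AccessToken("u123", "app42", frozenset({"public_profile", "user_friends"}))


def demo():
    audit = AuditLog()
    weak = authorize_trusting_identity(BASIC_TOKEN, "publish_post")
    strict = authorize_against_scopes(BASIC_TOKEN, "publish_post", audit)
    read = authorize_against_scopes(BASIC_TOKEN, "read_friends", audit)
    return weak, strict, read, len(audit.denied)  # → (True, False, True, 1)


if __name__ == "__main__":
    print(demo())
```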
That the security weakness exists is not in question. Facebook has not patched the flaw directly by fixing the root-cause, opting instead for workarounds - or compensatory controls. Posting messages is not prevented, but an automated mechanism exists to identify and remove such spam.
While compensatory controls can work well, given the privacy implications for over 1 billion users around the globe, questions remain over whether Facebook's approach has adequately mitigated the threat facing users.
This approach looks like an explicit design trade-off, says Chris Eng, vice president of research at application security firm Veracode. "Monitoring for behavior patterns is a reasonable approach. It's not surprising that they didn't catch it in an app that was used by one person (the bug reporter)," he says. Applications with a larger user base would be more likely to trigger their detection.
"Again, this is a trade-off; you have to tune your detection algorithms in a way that doesn't inundate your ops team with noise," Eng says. "You can bet that if the Twitter app, or some other popular app, started posting to people's timelines without permission, they'd notice the spike."
Eng believes Facebook does view this vulnerability as a risk, but perhaps only a minor one since it is not truly a privilege escalation from the user's perspective - it's more of an undesired behavior. "They issued a bounty, so they aren't disregarding validity, only importance." This still means that low-volume spamming would go undetected by Facebook's system unless flagged by users, making this an open vulnerability, rather than a 'patched' one, as Facebook claims.
Aditya Gupta, founder at Bengaluru-based application security firm Attify, says, "Such issues should have been considered from the very start, when developing the SDK and the platform." Fixing these kinds of issues later requires huge changes in the code base and, in some cases, the architecture. While he expects Facebook to address such issues in the next major code revision for its platform, he says, a fix now rather than later would have been the right move to make.