Security Week 37: Facebook, Twitter and inflatable bugs

Near-market marketing experts now like to discuss that absolutely any message about a new product, technology or event is perceived better if there is a blockage in it. Or machine-learning algorithms. Similarly, any communication in the field of information security becomes more resonant if it mentions Facebook's social network. The information reality, heated by the scandal with the privacy of user data, is such that if one places the words "facebook" and "vulnerability" in one application, they react and cause an uncontrolled increase in clicks.
 
 
Security Week 37: Facebook, Twitter and inflatable bugs
 
Well, let's give up the will of this incomprehensible chemistry and we'll talk about what happened in Facebook last week. And at the same time remember what happened last week at Twitter. And in that case, and in the other there were microscopic bugs, independently discovered by company specialists, successfully closed with the maximum amount of precautions, the public was notified. But Facebook's "problem" is discussed by the whole facebook, a bug in Twitter is almost no one noticed. How so? Now we'll figure it out.
 
News . Detailed report sotsseti about the event.
 
 

 
And here's what. Facebook has (or rather, was, now does not work, see the screenshot at the beginning of the post) function View As . Available to all users, she allowed her profile to be viewed as if another person was looking at it. Because of the many privacy settings, this is a useful feature: it allows you to understand what strangers see on your page and what is not.
 
 

 
An important point: you can see the page "through the eyes" of some random visitor, but you can show how it looks from the point of view of a particular user, with a name and surname. It is this precision that brought developers to the monastery.
 
 
According to Pedro Canauati, Facebook's vice-president for "engineering, security and privacy", there are three different vulnerabilities. First, there was a bug in the very feature of View As. In theory, it should switch the context of facebook to another user in the "read only" mode, in the sense of "only viewing the user's page under which you logged in". In fact, in the View As mode, a field was also generated for posting the message. Secondly, this field did not work (correctly) in all cases except one: when you want to congratulate a person on his birthday and post a video. Third, when you post a video, the code to load this video itself generates a token, which could also be used as an access token from a mobile application.
 
 
That is, the scenario from the attacker's side is approximately the following. You create a profile or change the settings of an existing one so that you have a birthday today (uiiii!). Using the View As function, open your profile as another user. When you show a profile on behalf of another user, it (this other user) is invited to congratulate you on your birthday and upload a nice video. When the video is loaded, a token is generated. You take this token from the page code and in the mobile application go in with the name and with the rights of another user.
 
 
Then start a little bit of speculation. For example, do you need to be friends with the person on whose behalf you want to "see" your page? Judging by the descriptions (now idle) features on third-party sites - it is necessary. Now remember, how long did you ask friends that you did not know, but very persistent people? Having access to the token of one user, you can steal access keys to the account of one of his /her friends. And so on, theoretically to the extent limited by the theory of the six handshakes. That is practically unlimited scales.
 
 
Cool, yeah? It is interesting that the Facebook message, published on Friday evening (in Moscow), was anticipated by complaints users that they were being de-logged both from Facebook itself and from other services that were accessed using a social network account. These were the same precautions that Facebook has applied to the affected users.
 
 
Or supposedly injured? We must give credit to Facebook specialists - they told about the detected vulnerabilities in the most detailed and prompt manner. On September 1? according to them, they noticed suspicious activity, on the 25th it became clear what to what, on September 2? the information was made public - immediately after the "uninstalling" of the victims (which made any stolen tokens useless). But how exactly suffered those most affected - here Facebook expressed not very concretely. Perhaps they do not know for sure.
 
 
It is known that the vulnerability appeared in the service code in July 2017. Last week, Facebook forcibly disbanded 90 million users. Of these, 40 million are those in respect of which the feature View As was applied, that is, someone looked on their behalf on their page, not necessarily with criminal intentions. Another 50 million are those affected by the vulnerability (affected). So how did you "affect" something? In decoding press briefing has more information: about 50 million Facebook users know that their tokens have been extracted. That is (speculation!) Some people used the feature View As on their birthday, and then (perhaps!) Went from the same IP to another account. And most likely, the "suspicious activity" of September 1? which was mentioned by representatives of the social network, was an attempt to massively exploit the bug, which was suppressed a little more than a week.
 
 
Overall, Facebook reacted very well to the problem. He shared (as he could) detailed information, took action against the victims (real or potential). 50 (or 90) million people - on the Facebook scale this is a bit. However, given the concern about the privacy of social data given to social networks, it is understandable and increased attention to this incident. Positive moments are two. First, passwords were not stolen, and if there were any tools for unauthorized access to another's accounts, they were destroyed by "carpet unloading". Secondly, even if you were among the allegedly injured and even if someone really accessed your data, not everything that Facebook knows about you is in their hands. Because the real knowledge about Facebook users even with the users themselves does not divide .
 
 
And Twitter was lucky last week.
 
 

And what happened on Twitter?


 
News . Technical report social network.
 
 
In a sense, the bug found on Twitter is similar to what you found on Facebook. The hole was found in the API, which allows companies to communicate with customers - in general, it is an interface for mass mailing or receiving personal messages. If you communicated with someone using this API, then under certain circumstances, your correspondence could be in the hands of a third party.
 
 
Okay, even in this form it does not sound awesome. Practice is even more boring. First, only registered Twitter partners can use the API. Secondly, to make the bug work and personal messages went not there , both partners must (a) sit on the same IP, (b) work with the API using a URL that is completely the same as after the slash (www.xxx.com/twitter_msg and
? www.yyy.com/twitter_msg
is a coincidence), (c) it's unsuccessful to contact Twitter servers in one time, limited to six minutes.
 
 

 
That's when all this is the same, the carriage turns into a pumpkin a poorly tuned cache Twitter begins to spit messages anywhere, more precisely - in a strictly defined direction of the unique coincidence of the pitfalls. In general, it is not surprising that the bug in Facebook caused much more resonance than the hole in Twitter, although the characteristics of both bugs are quite similar. Both there and there, apparently, there was an oversight when updating the code in a complex infrastructure. It is likely that someone cut a couple of angles when filming a new feature in production: this often happens if a circle is flying over you around the manager with the words "quickly zapilite me vidosy for birthday!".
 
 
The magnitude of the damage is startling. Take any company is smaller, and a vulnerability at 5% of the audience no one would have noticed. And here we are talking about tens of millions of people. What about this? In the blog of Kaspersky Lab, it's reasonable not to do nothing . In the long term, I recommend the following exercise. Whatever you send to the Internet, even in the most private-perereprivatnuyu service, imagine for a moment that you post this same message across all the pillars of your city. If the message does not seem harmless in this context, maybe it is not worth sending it.
 
 
Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. Dear editorial staff generally recommends that you treat any opinions with healthy skepticism.
+ 0 -

Add comment