Tuesday, September 6, 2011

Hacking Facebook Applications - A HackingAlert Exclusive case study!!

Recently I had the honor to write for an upcoming magazine on hacking and Network security which is going to be launched this month. The chief editor of the magazine is a real hard working guy and he asked me to submit an article(cant name the topic). I went on to make some research on the worlds biggest laboratory ( internet :) !!)..Yes internet can be the world's biggest lab, at least for me. I was playing with the Facebook documentation on its platform when I learned a lot of new things about this hugely popular social networking website.

The post is to make my readers cautious about the various vulnerable facebook apps that are their. You have to be totally aware of what you are doing on Facebook as it has become the prime target of hackers now and they are designing lots of such apps to steal user information. So always be cautious of your actions on Facebook. You never know when "Facebook may become dirty".
I personally feel that the facebook's developer API is the worst documented API ever. Its really hard for a normal developer to work over it. I have tried numerous times to build up a social application on facebook but I have failed eveytime because of the hard-to-understand documentation provided on the facebook.

For those who dont have much idea about the facebook dev platform then you can visit the site https://developers.facebook.com/ . Even I am not an expert of this so cant explain things in detail. The entire documentation is too difficult to understand. 
Recently i started playing with lots of facebook apps as a part of my research. Its always fun to play and work together. Though facebook apps are too boring to add any fun still you can explore lots of things. 
I discovered a facebook app that has XSS vulnerability. XSS vulnerabilities in web apps is quiet common these days but the extent of vulnerability really matters. There can be some small scale XSS vulnerabilities which allow execution of some html tags. It can go bigger to second level and allow insertion of bigger and dangerous tags like iframe tag. And the most dangerous and the third level can be the case which also allows us to execute a shell through file inclusion. 
Fortunetly the facebook application that i tested had a type 2 XSS vulnerability. 
Actually the facebook platform will itself prevent execution of any third party script from outside owing to violation of policies so the third case is automatically removed.
The vulnerability that I found exists in the facebook app called Name - meaning . this app will tell the meaning of your name and is heavily used around facebook.
Let us see the hack.

NOTE - you will have to shift to http version of facebook in order to use this app and try this hack. Click on account settings and go to private browsing option. 

Let us visit the app on the following link http://apps.facebook.com/name_meaning/

The app contains a text box where you can enter your name and find out its meaning. Let us be fools now and inject a small script to test if the app is vulnerable. Trying the following script gave the output as shown in the figure : >"><script>alert("HackingAlert")</script>"  (be careful with this , its a bit different script from the usual , don't forget to use the quotes as well)

The alert message shows that the app is vulnerable and doesn't allow safe coding techniques to filter the user inputs. Let us take the attack further. Try some more html tags and you will enjoy it. 
The biggest enjoyment for a someone like me who has a slow adsense (this attack sky rocketed it! ) earning. Lets see how. 
Insertion of iframe tag within the it will display my blog within the area the app should be displayed. You can use Firefox's firebug plugin to search for the exact dimensions of the iframe that the app is using. All you have to do is create a hidden iframe with src=hackingalert.blogspot.com and enjoy. Look at the screenshot : 

If I now click on the adsense adds myself through this iframe then it will tell google that the clicks have originated form another source and will record the ip address of the app server rather than my IP address.
Here is the complete script that I injected in the input box of the app -

>"><script>alert("HackingAlert")</script><iframe src="http://hackingalert.blogspot.com" width="400" height="400"></iframe>"

As I stated earlier that the Facebook platform will prevent execution of any foreign script hence shell upload was not possible here. I have reported about this flaw to facebook, hoping t may get fixed soon. Hence the attack is limited only to surface hacking. 
To view the attack in action , here is the link ( make sure you are using firefox , and using http on facebook)



  1. Awsome post man....i tried and it worked.. :)

  2. Why are you teaching things that can be dangerous..stop using facebook if you have got problem

  3. good work..keep it up..

  4. You should report this to facebook.

  5. you have done a great job for facebook application developers by providing such a needy information.

    Good work buddy!

  6. This is really great u must be a expert hacker....

  7. Thanks for the experiment. It was very informative and useful. I keep in mind. Thanks a lot for sharing such a awe-some information.
    Android phone app development| Google android app development|

  8. You're awesome. How can i get in contact with you man? I could really use your help.

  9. This is interesting blog and so well maintained blog. Whole article is too good and well written.