Researcher reveals how Facebook Notes can be used to DDoS sites
Facebook responded to his findings, calling the attack scenario "interesting," but one it wouldn't fix.
“Facebook Notes allows users to include <img> tags,” Thapa wrote in the Sunday blog post. “Whenever a <img> tag is used, Facebook crawls the image from the external server and caches it. Facebook will only cache the image once, however, [and by] using random GET parameters the cache can be bypassed and the feature can be abused to cause a huge HTTP GET flood.”
By creating a list of unique image tags and using m.facebook.com to create notes, Thapa was able to publish several notes, each of which sent a flood of HTTP requests to the target server, he wrote.
In only a couple of seconds, he was able to send thousands of GET requests to the designated server.
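The mechanism described above (one crawler, one image path, a fresh query string on every fetch) leaves a distinctive trace in the target's access log, which is where a site operator would see it. The following is an added example, not code from the article or from Thapa's post: it parses combined-format access log lines, flags any crawler user agent that fetched the same path under many distinct query strings, and shows the mitigation of deriving a cache key that ignores unrecognised query parameters so that random parameters all map to one cached object. The log lines are constructed, and the `facebookexternalhit` user-agent marker is an assumption used for illustration.

```python
"""Detect cache-busting crawler fetches in an access log and canonicalise cache keys.

Added example, not from the original article. SAMPLE_LOG is constructed in
Apache/nginx "combined" format; the crawler marker 'facebookexternalhit' is an
assumed user-agent substring used only for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit

# Combined log format:
# ip ident user [time] "METHOD target HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: six fetches of the same image, each with a different
# random query string, from one crawler; one other crawler fetch; one browser hit.
_CRAWLER_UA = "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
SAMPLE_LOG = [
    f'203.0.113.10 - - [10/Apr/2014:10:00:0{i} +0000] "GET /images/banner.jpg?r={r} HTTP/1.1" '
    f'200 51200 "-" "{_CRAWLER_UA}"'
    for i, r in enumerate((8213, 4471, 9902, 1030, 7758, 6614))
] + [
    f'203.0.113.11 - - [10/Apr/2014:10:00:07 +0000] "GET /images/logo.png HTTP/1.1" '
    f'200 2048 "-" "{_CRAWLER_UA}"',
    '198.51.100.7 - - [10/Apr/2014:10:00:08 +0000] "GET /images/banner.jpg?r=1 HTTP/1.1" '
    '200 51200 "http://example.test/" "Mozilla/5.0 (X11; Linux x86_64)"',
    "this line is malformed and must be skipped",
]


def parse_line(line):
    """Parse one combined-format line; return a dict with path/query split out, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parts.query
    return rec


def crawler_cache_bust_report(lines, ua_markers=("facebookexternalhit",), threshold=5):
    """Return {(ua_marker, path): distinct_query_count} for every resource a matching
    crawler fetched under at least `threshold` distinct query strings.

    A crawler that caches once per URL should request a given image a handful of
    times at most; the same path under many different query strings is the
    signature of a cache bypass, because each variant is fetched as if new.
    """
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        ua = rec["ua"].lower()
        marker = next((mk for mk in ua_markers if mk in ua), None)
        if marker is None:
            continue
        seen[(marker, rec["path"])].add(rec["query"])
    return {key: len(queries) for key, queries in seen.items() if len(queries) >= threshold}


def canonical_cache_key(target, allowed_params=()):
    """Mitigation on the serving side: build the cache key from the path plus only
    the query parameters the site actually uses (e.g. a version tag), so random
    cache-busting parameters all resolve to one cached object."""
    parts = urlsplit(target)
    kept = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                  if k in allowed_params)
    return parts.path + ("?" + urlencode(kept) if kept else "")


if __name__ == "__main__":
    for (marker, path), n in crawler_cache_bust_report(SAMPLE_LOG).items():
        print(f"{marker} fetched {path} under {n} distinct query strings")
    print(canonical_cache_key("/images/banner.jpg?r=8213&v=2", allowed_params=("v",)))
```

The report function is deliberately keyed on path rather than full URL: keying on the full URL is exactly what lets the random parameter defeat the cache, and the canonical-key helper applies the same idea on the serving side so a CDN or reverse proxy answers the repeated fetches from cache instead of the origin.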
Thapa disclosed the issue to Facebook's bug bounty program on March 3. After reviewing it, the company said the attack scenario was “interesting/creative,” but one it didn't intend to fix because of the logistics involved.
Thapa posted the email correspondence with Facebook (which occurred April 11) in his blog post.
“In the end, the conclusion is that there's no real way for us to fix this that would stop ‘attacks’ against small consumer grade sites without also significantly degrading the overall functionality,” Facebook told Thapa.
“Unfortunately, so-called ‘won't fix’ items aren't eligible under the bug bounty program, so there won't be a reward for this issue. I want to acknowledge, however, both that I think your proposed attack is interesting/creative and that you clearly put a lot of work into researching and reporting the issue last month. That IS appreciated and we do hope that you'll continue to submit any future security issues you find to the Facebook bug bounty program.”
In a Friday email to SCMagazine.com, a Facebook spokesperson further explained the company's decision on addressing the bug.
“Ultimately, we decided against making changes to avoid disrupting intended and desirable functions,” the spokesperson wrote.
Via his blog, Thapa also revealed that similar DDoS abuse can be carried out using Google's Feedfetcher tool. According to a Google support page, Feedfetcher allows Google to grab RSS or Atom feeds when users add them to their Google homepage or Google Reader.