Researcher reveals how Facebook Notes can be used to DDoS sites

Facebook responded to his findings, calling the attack scenario "interesting," but one it wouldn't fix.

A programmer has divulged how the Facebook Notes feature can be used to launch distributed denial-of-service (DDoS) attacks against websites.

In a blog post this weekend, researcher Chaman Thapa said that the DDoS abuse is possible because Facebook allows HTML image tags in notes.

“Facebook Notes allows users to include <img> tags,” Thapa wrote in the Sunday blog post. “Whenever a <img> tag is used, Facebook crawls the image from the external server and caches it. Facebook will only cache the image once, however, [and by] using random GET parameters the cache can be bypassed and the feature can be abused to cause a huge HTTP GET flood.”

By creating a list of unique image tags, and using m.facebook.com to create notes, Thapa was able to create several notes, each of which was responsible for sending an influx of HTTP requests to the target server, he wrote.

In only a couple of seconds, he was able to send thousands of GET requests to the designated server.
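The mechanism described above has a recognisable footprint on the target side: one client (or one crawler fleet) repeatedly fetching the same resource with a different query string on every request, because each unique query string defeats the crawler's cache. The following detector is an added example written for this article, not code from Thapa's post or from Facebook; it parses sample access-log lines in the standard Apache/Nginx "combined" format (an assumed layout), groups requests by client address and path, and flags any group where, within a short window, nearly every request carries a distinct query string. The log lines, the addresses (RFC 5737 documentation ranges) and the crawler user-agent string are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" access-log format (assumed log layout).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    path, _, query = rec["target"].partition("?")
    rec["path"], rec["query"] = path, query
    return rec


def find_cache_busting_floods(lines, window_seconds=10, min_requests=20, min_unique_ratio=0.9):
    """Flag (client, path) pairs that receive many requests for the same resource within
    window_seconds where nearly every request carries a different query string.
    A single page reloaded many times (same query string) does not trigger this."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            groups[(rec["ip"], rec["path"])].append(rec)

    alerts = []
    for (ip, path), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans at most window_seconds.
            while recs[end]["ts"] - recs[start]["ts"] > timedelta(seconds=window_seconds):
                start += 1
            window = recs[start:end + 1]
            if len(window) < min_requests:
                continue
            unique = len({r["query"] for r in window})
            if unique / len(window) >= min_unique_ratio and (best is None or len(window) > best["requests"]):
                best = {
                    "ip": ip,
                    "path": path,
                    "requests": len(window),
                    "unique_queries": unique,
                    "user_agents": sorted({r["ua"] for r in window}),
                }
        if best is not None:
            alerts.append(best)  # one alert per (client, path), for its largest offending window
    return alerts


def build_sample_log():
    """Constructed sample log: 40 cache-busting fetches of one image within 10 seconds,
    plus benign traffic that must not be flagged."""
    base = datetime(2014, 4, 22, 10, 15, 0, tzinfo=timezone.utc)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime(TS_FMT)

    lines = []
    for i in range(40):  # four requests per second, each with a fresh query string
        lines.append(f'203.0.113.5 - - [{stamp(i // 4)}] "GET /large-image.jpg?r={i} HTTP/1.1" '
                     f'200 512000 "-" "example-crawler/1.0"')
    for i in range(30):  # the same page reloaded repeatedly, no query string: not cache busting
        lines.append(f'198.51.100.7 - - [{stamp(i // 3)}] "GET /index.html HTTP/1.1" '
                     f'200 4096 "-" "Mozilla/5.0"')
    for i in range(5):   # a handful of distinct searches: distinct queries, but far below min_requests
        lines.append(f'198.51.100.7 - - [{stamp(i)}] "GET /search?q=term{i} HTTP/1.1" '
                     f'200 2048 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for alert in find_cache_busting_floods(build_sample_log()):
        print(alert)
```

The thresholds are deliberately conservative: a legitimate user reloading a page, or a search box receiving a few different queries, stays well under both the request count and the unique-query ratio. In practice the alert would feed a rate limit or a rule that serves the cached object for unknown query parameters, which removes the amplification without blocking the crawler outright.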

Thapa disclosed the issue to Facebook's bug bounty program on March 3, but after being alerted to the issue, the company ultimately said that the attack scenario was “interesting/creative,” but one the company didn't intend to fix due to the logistics involved.

Thapa posted the email correspondence with Facebook (which occurred April 11) in his blog post.

“In the end, the conclusion is that there's no real way for us to fix this that would stop ‘attacks’ against small consumer grade sites without also significantly degrading the overall functionality,” Facebook told Thapa.

“Unfortunately, so-called ‘won't fix’ items aren't eligible under the bug bounty program, so there won't be a reward for this issue. I want to acknowledge, however, both that I think your proposed attack is interesting/creative and that you clearly put a lot of work into researching and reporting the issue last month. That IS appreciated and we do hope that you'll continue to submit any future security issues you find to the Facebook bug bounty program.”

In a Friday email to SCMagazine.com, a Facebook spokesperson further explained the company's decision not to address the bug.

“Ultimately, we decided against making changes to avoid disrupting intended and desirable functions,” the spokesperson wrote.

Via his blog, Thapa also revealed that similar DDoS abuse can be carried out using Google's Feedfetcher tool. According to a Google support page, Feedfetcher allows Google to grab RSS or Atom feeds when users add them to their Google homepage or Google Reader.
