Researcher details Facebook CSRF flaw
Ronen Zilberman said that to be affected, a user merely has to open an unrelated website, ideally an online forum, where the attacker has seeded a malicious image tag link. If successful, the perpetrator could evade privacy settings and retrieve victims' full names, profile pictures and friends lists.
He described the cross-site request forgery (CSRF) vulnerability -- which Facebook has since fixed -- Wednesday on his Quaji blog.
Much of the blame for the bug rests on a site feature known as "Automatic Authentication," Zilberman said. This component allows Facebook applications to receive personal information about a user when he or she visits the application's "canvas page."
But Zilberman found a way for the hacker to receive that same information without the user knowingly interacting with any application. He was able to embed an IMG tag on a third-party website. If a user visited the site, Facebook would believe the user was actually interacting with the application, and thus the attacker could receive the data.
"We need a way to trick Facebook into (thinking) the app page it is (clandestinely) accessing is a result of the user's interaction," he said. "It turns out that a simple redirect from one page to another in the same application fools Facebook because the second request originates from a Facebook URL (the first request). Therefore, the second request activates 'Automatic Authentication' and personal info is sent."
Facebook has fixed the problem, but Zilberman said the issue could be present across other social networking sites.
"Our team pushed a fix for this bug on Monday, shortly after it was reported to us, and before the details were made public," Facebook spokesman Simon Axten told SCMagazineUS.com on Friday. "The information exposed was very limited and included only the user's name, Facebook user ID, profile picture, and list of friends. User privacy settings were also respected. That is, if you had hidden certain information from platform applications, that information was still inaccessible. We have no evidence that the bug was ever used for malicious purposes."