Facebook Apps Leak User Info. So does Linkedin? (Linkedin worm take 3)



UPDATE: Linkedin has already confirmed and fixed the issue. I will work on take 4.

I just read Facebook Apps Leak User Info on Mashable. It is time to repeat my point about security on social networks: they (social networks) are "smart laser-guided weapons" for hackers. I'm planning to demo attacks over social networks, starting with Linkedin (and then Twitter and Facebook). Even though they are all mature and well protected, I believe it is hard to eliminate every security issue. Here are my take 1 and take 2 on creating a worm that spreads over Linkedin connections. Critical bugs are reported to Linkedin, so the code no longer works by the time it is blogged, but some less serious ones may still be there.


Well, when I read about the Facebook Apps bug, I thought about Linkedin third-party applications. Linkedin has something called the OpenSocial API. Briefly, it allows third parties to write their own applications that share the user's information with Linkedin.

Interestingly, every Linkedin application runs in an embedded iframe with the same source: src=www.lmodules.com/opensocial/ifr?url=... Clearly this is a weak point: because they all share one origin, any malicious LI application can jump into the other applications under the Same Origin Policy, and can view or change information on behalf of the user. The attack vector is a malicious app that loads a hidden frame which opens other apps. Because of the Same Origin Policy, the attacking app is able to control the other app's lmodules iframe and run arbitrary JavaScript code in the user's session.
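The point above is that the browser's origin check looks only at scheme, host and port, so the differing url= parameter does nothing to separate apps. The following is an added illustration, not code from the original post or from Linkedin: it computes origins for the shared-host layout the post describes and for a hypothetical per-app-subdomain layout (hostnames constructed for comparison), showing which frames could script each other.

```javascript
// Added example: which framed apps may script each other under the Same
// Origin Policy. Only scheme, host and port take part in the comparison;
// the path and the ?url=... query string are ignored.

function originOf(urlString) {
  // Spelled out rather than using URL.origin so the rule is explicit.
  const u = new URL(urlString);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Two frames can reach into each other's DOM only when origins match.
function canScriptEachOther(frameUrlA, frameUrlB) {
  return originOf(frameUrlA) === originOf(frameUrlB);
}

// Group frame URLs by origin: each group is one isolation domain, so a
// single XSS in any member compromises the whole group.
function isolationDomains(frameUrls) {
  const groups = new Map();
  for (const url of frameUrls) {
    const o = originOf(url);
    if (!groups.has(o)) groups.set(o, []);
    groups.get(o).push(url);
  }
  return groups;
}

// Layout described in the post: one iframe host, only url= differs.
// The gadget URLs are constructed placeholders, not real apps.
const sharedHostFrames = [
  "http://www.lmodules.com/opensocial/ifr?url=http://app-a.example/gadget.xml",
  "http://www.lmodules.com/opensocial/ifr?url=http://app-b.example/gadget.xml",
];

// Hypothetical mitigation: each app served from its own origin.
const perAppFrames = [
  "https://app-a.gadgets.example/ifr",
  "https://app-b.gadgets.example/ifr",
];
```

With the shared host, isolationDomains() yields one group containing both apps; with per-app origins it yields two, and canScriptEachOther() returns false between them.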



- Hey, but so far there is no evil third party, right?
The problem is that you don't even need an evil third party; you only need a buggy app. Find an XSS bug in any app and it lets you inject your own code into the lmodules iframe; from there you can jump into all the other apps.

- That's fine, but I don't "install" any Linkedin app?
Well, almost none of my friends have one either. Technically, you don't grant any app permission to access your information. In fact, Linkedin has some apps of its own (Event, Buzz, Poll ...) and by default you "grant" them access permission.

At the end of the post, I demonstrate the attack. I use an XSS bug in the lmodules.com domain to attack a hidden Event app. If you can see your information and the list of your friends, it means the vulnerabilities are still working. The screenshot is from my own account.


Notice:
I am still working on bypassing the IE XSS filter, so if you use the IE browser the exploit does not work. (Well done, IE team.) I must develop a fuzzing tool in the future.
I perform a "3-stage" XSS to defeat the IE 8 XSS filter. I will blog about it later.

- OK, so it's not a big deal?
Well, the OpenSocial API is still being developed. There is not much information that can leak from this issue, but still enough to write a worm. Using the CreateActivity API, I can post a message on behalf of the user which is visible to his or her connections. If they click on the link, then ...

- Well, it is fun, but it's still not a big deal?
Back to my point about social networks being "smart laser-guided weapons":
Attacking arbitrary targets is not too difficult. You can run a vulnerability scanner against the Internet and I'm sure you will find many vulnerable targets. But you end up with mass defacements, destroyed data or, better, a botnet.
Attacking specific targets is harder. The most difficult part is how to collect information about the target, how to make contact with them, how to find a source they trust, and so on. With the current issue, I can know who you are and who your friends are. I can make the browser ping back to my server to capture your IP and your location. And if you use a buggy browser or Flash plugin, you may be infected by a custom trojan (invisible to antivirus software). Recently, a report, "How to Hack Millions of Routers", was released at the BlackHat conference by Heffner. Users who connect to the Internet through those devices and are tricked into visiting a page that an attacker has set up with Heffner's exploit could have their router hijacked and used to steal information or redirect the user's browsing. It means that if an attacker targets your company, they can use your browser to attack the local network.

