Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Facebook CSRF attack allows personal information theft
From: Ronen Z <ronen () quaji com>
Date: Thu, 20 Aug 2009 14:24:28 +0300

A vulnerability in the Facebook Application API allows the construction of a
malicious Facebook application that collects user's personal information
including: Full name, profile picture and friends list. Full name and
picture of the friends are also accessible. The information is collected
without user knowledge or consent.

It is possible to launch the attack via an HTML IMG tag which greatly
increases the severity of the breach because there is no need to have the
user access the attacker's site. Instead, any online blog or forum that
allows IMG tags in comments can be used. The user needs only to load the
relevant page to launch the attack. The attack elegantly ends with a valid
image so the page renders normally, and the attacked user does not notice
that anything peculiar has happened

This amounts to a unique kind of CSRF attack in which both the user's
browser is tricked into performing an action without user consent (divulging
personal information), and the attacker's server is the direct recipient of
this action (via the Facebook app server).

Demonstration and discussion of the attack:

Full disclosure and details:

The specific vulnerability used here has just been patched by Facebook, but
it's likely that it is still possible to launch this type of attack using
other mechanisms and other social networks.

Ronen Zilberman
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Facebook CSRF attack allows personal information theft Ronen Z (Aug 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]