There are many unpatched loopholes or flaws in Facebook website, that allow hackers to inject external links or images to a wall, hijacking any facebook account or bypassing your social privacy. Today we are going to report about another unfixed facebook app vulnerability that allow a hacker to spoof the content of any Facebook app easily.
Nir Goldshlager from Break Security today exposed another major flaw that allows hacker to wall post spoofed messages from trusted applications like Saavn, Candy Crush, Spotify, Pinterest, or really any other application on Facebook.
In 2012 Facebook's method of publishing called stream.publish and the Stream Publish Dialog looks like the following:
https://www.facebook.com/dialog/stream.publish?app_id=xxxx&redirect_uri=https://www.facebook.com/&action_links=&attachment=%7B%27media%27:%20[%7B%27type%27:%20%27flash%27,%27swfsrc%27:%27https://files.nirgoldshlager.com/goldshlager2.swf%27,%27imgsrc%27:%27https://www.vectorstock.com/i/composite/41,30/hacked-pc-vector-194130.jpg%27,%27width%27:%27130%27,%27height%27:%27%20130%27,%27expanded_width%27:%27500%27,%27expanded_%20height%27:%27500%27%7D],%27name%27:%27xxxx%27,%27caption%27:%27xxxx%20Application%27,%27properties%27:%7B%27xxx%27:%7B%27text%27:%27Download%20xxx%27,%27href%27:%27https://nirgoldshlager.com%27%7D%7D%7D
Where app_id and attachment (swfsr,imgsrc,href) parameters can be targeted by hackers i.e using app_id value as application ID of any application you want to spoof (Saavn, Spotify, etc.) and an attacker must produce attachment parameters like swfrsc and imgsrc.
If the "Stream post URL security" option is disabled by the developer of that application, hacker can use any remotely uploaded swf file as attachment parameter.
"every time a victim visits my wall post, they will see content spoofing from a Facebook application that they generally trust. Clicking the link on the post makes an swf file from the external website execute on his client machine." Nir said.
But in 2013, Facebook changed the mechanism of stream.publish posting and introduced new parameters as explained below:
Few examples as given below:
"every time a victim visits my wall post, they will see content spoofing from a Facebook application that they generally trust. Clicking the link on the post makes an swf file from the external website execute on his client machine." Nir said.
- Link parameter: With this parameter, we will include our malicious external link (virus exe file, 0days, Phishing site, or any other malicious link.
- Picture Parameter: This parameter is only usable if we want to spoof the content with an image. The content of the image will only display correctly on our Wall post. It will not display correctly in the newsfeed, making it relevant only to wall post app spoofing.
- Caption Parameter: This parameter will allow to an attacker choose from which website the content came from, For Example: Facebook.com Zynga.com Ownerappdomain.com
- Name Parameter: This parameter produces the title we desire. Whenever the victim clicks on that title, he will be taken to our malicious website.
Few examples as given below:
- Diamond Dash:
- SoundCloud:
- Skype:
- Slidshare
Spoofing the parameters again allowing one to spoof the content of any Facebook app and flaw is still unpatched. This techniques can be widely used by cyber crooks to social engineer facebook users or to install malwares on their systems.