While Facebook’s own security awareness seems to be quite high and no serious flaws have been found in its core software, the Facebook API and application platform have become a continual source of nightmares for its security staff. With the API it has opened up and the number of users available, every third-party Facebook application must look like low-hanging fruit to anyone hunting for injection flaws.
September has been declared the Month of Facebook App Bugs by security researcher theharmonyguy. And he isn’t targeting small fries, either: the major exploits he has already located and disclosed exist in such widely installed apps as SuperPoke!, Causes, and Farmville. The latter two have an install base of nearly 30 million users each, so close to 60 million people on Facebook were vulnerable to cross-site scripting, and even to trojan installation, simply because they were using a Facebook app they assumed was secure.
The assumption that a third-party app is secure because the platform it runs on vouches for it should be ending. No one should trust a Facebook application, ever: Facebook simply isn’t checking them closely enough. Not only has he located XSS holes in the most popular Facebook apps, but today he is going to highlight an SQL injection currently exposed by a Facebook Verified App (a status that supposedly means Facebook went over the code and certified it secure). Hello, Bobby Tables!
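The Bobby Tables point above, as an added example that is not from this post or from any of the apps it names (the app_users table, its columns and the idea of a user-id request parameter are assumptions): the same user lookup written the way it is typically found in a vulnerable app and the way it should be written. Run against an in-memory SQLite database, the concatenated version lets a crafted parameter rewrite the WHERE clause and dump every row, while the parameterised version treats the same string as data and matches nothing.

```python
import sqlite3

# Constructed sample data standing in for an app's own user store.
# Table and column names are assumptions for this example, not from any real app.
SAMPLE_USERS = [
    ("1001", "alice", 42),
    ("1002", "bob", 17),
    ("1003", "carol", 99),
]

def make_db():
    """Fresh in-memory database so every call starts from the same state."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE app_users (fb_uid TEXT, nickname TEXT, score INTEGER)")
    con.executemany("INSERT INTO app_users VALUES (?, ?, ?)", SAMPLE_USERS)
    con.commit()
    return con

def lookup_vulnerable(con, fb_uid):
    """The anti-pattern: the caller-controlled uid is pasted into the SQL text,
    so anything the caller sends becomes part of the query."""
    sql = "SELECT nickname, score FROM app_users WHERE fb_uid = '" + fb_uid + "'"
    return con.execute(sql).fetchall()

def lookup_safe(con, fb_uid):
    """Parameterised query: the driver binds the uid as a value; quotes and
    SQL keywords inside it never reach the parser as syntax."""
    return con.execute(
        "SELECT nickname, score FROM app_users WHERE fb_uid = ?", (fb_uid,)
    ).fetchall()

# A tautology payload of the kind an attacker would put in the uid parameter.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    con = make_db()
    print("normal, vulnerable:", lookup_vulnerable(con, "1002"))
    print("normal, safe:      ", lookup_safe(con, "1002"))
    print("payload, vulnerable:", lookup_vulnerable(con, PAYLOAD))  # all three rows
    print("payload, safe:      ", lookup_safe(con, PAYLOAD))        # []
```

One caveat for anyone reproducing the classic `'; DROP TABLE ...; --` payload with this code: Python’s sqlite3 `execute()` refuses to run more than one statement at a time and raises instead, so the stacked-query form fails here even though the concatenation bug is real. The tautology payload shows the flaw without depending on that driver behaviour, which is exactly why a parameterised query, not a database quirk, is the fix.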
Beginning tomorrow, September 1st, I will begin posting full technical details of cross-site scripting vulnerabilities that I have discovered in Facebook applications. Following the model of the Month of Twitter Bugs, I will notify each application developer 24 hours prior to revealing any holes. After 24 hours have passed, I will publish a new post on theharmonyguy.com with the title “FAXX Hack:” (for Facebook Application XSS/XSRF) and the name of the application… At this time, I have found five widely used Facebook applications vulnerable to XSS.