May 26, 2011

Protecting yourself from Facebook vulnerabilities

Facebook is a great social networking platform in which each of users have got a profile and wall. Over the recent month, facebook has been flooded with lot of malware applications and spammers. In such a risky environment on Facebook, it is very important to understand how to protect ourself from being the target.

Spam and Malware

To keep away from spammers and malware, the best mode of protection is to keep away from clicking untrusted and doubtful links and posts. Do not click ‘Allow’ blindly when some of application asks for permissions to access. Always read the type of permissions that an application uses, when it pops up ‘Allow’ - ‘Deny’ window. Give Allow permissions only to the trusted users. If you are not aware of how a facebook application works, here is short description. Facebook is a platform which provides several interfaces to the application developer to access the data related to users, pages, friends, events, photos, etc (The SocialGraph API). The application developer uses the API and writes the program that can manipulate the data provides through Facebook. They applications are hosted on the developer’s own servers. The facebook team doesn’t look at the application code to see what are these applications doing internally. Using the data access limits specified by the Application permissions, the developer can do any manipulations using the data.

Facebook Mobile - Vulnerabilities

Facebook mobile is an additional interface that Facebook facilities to use you mobile device to update wall, add friends, reply to friends, comment, upload, etc. There are good number of activities that facebook mobile can perform. See the facebook mobile page, http://www.facebook.com/mobile.

There are a few open vulnerabilities in Facebook. Two of them are Facebook Upload via Email and Facebook via Text Message.

Facebook via Text Message - The real villian ( Post on Anyone’s wall vulnerability)

I became a victim of Facebook via Text Message last day. Frankly, I never used Facebook via Text Message before and I didn’t sign up for the feature until today. Yesterday, It happened to see a new post on my facebook wall. It was just a ‘.’ in the post and seen that Posted using Text Message. I recently had installed Facebook app for android on my Nexus S. I thought that it is some bug in the Facebook App on mobile made the wall post. I tried to regenerate the same post on the wall using mobile. Later I understood that the badguy used the feature called Facebook via Text Message which I never used. I signed up for the service and tried out how it works.

I found that, once we link a mobile number to a facebook profile, if we send SMSmessages to 92FACEBOOK (9232232665) from our linked mobile number, the message will be posted on the wall. I was shocked to see such an insecure procedure. Even if you are not signed up with Facebook mobile - Text Message feature, your profile is exposed for vulnerability. If you had added a contact mobile number and verified it through facebook mobile verification process, that means you have subscribed vulnerability from facebook :)

The Facebook via Text Message system uses the sender’s mobile number to identify to which profile’s wall the text message is to be posted. Not only we can manipulate wall but also we can perform several activities through Facebook via Text Message. That means the vulnerability facilities the attacker to have complete control over your facebook activities.

SMS spoofing is one of the vulnerabilities in the SMS design. It is easy to send SMS messages to a person by changing the identity of the sender. In India, though all the SMS gateways do not allow spoofing of SMS message senders ID, there are still many paid and free SMS spoofing services from outside India. You can easily send SMS by tampering the Identity to anyone else.

If you have access to such an SMS spoofing service, you can set the mobile number (sender) corresponding to the facebook user whose wall is to be updated. By sending a spoofed SMS, we can easily update another one’s wall.

Protection

Facebook should really introduce some additional authentication token along with the SMS (Eg. a temporary authentication passcode along with SMS). From a user end, the best mode of protection is to remove the mobile number linked to the profile.

If you want to show your contact number along with the profile, add the contact number. But do not confirm the verification of the contact number asked by Facebook verification system. Thus your profile will be able to display your mobile number, at the same time you are protected from the attack.

Facebook Upload via Email

Facebook upload via E-mail is comparitively secure feature. If you navigate to the facebook mobile website, you can see a email address similar to [email protected]. This is a secret email address. By sending email to the specific email address attached with the facebook profile, the email messages will be posted to the wall. It is important to keep this e-mail address as secret and should not be exposed to your friends and strangers. Incase, you feel that it got exposes to someone you can reset the special email address linked with the account. Click find out more -> Refresh your upload email.

I request everyone to be aware of this serious vulnerabilities on Facebook and take preventive measures to protect your profile and your identity over internet.

Thank you.