Posted on May 26, 2011 - by Sarath
Protecting yourself from Facebook vulnerabilities
Facebook is a great social networking platform in which each user has a profile and a wall. Over recent months, Facebook has been flooded with malware applications and spammers. In such a risky environment, it is very important to understand how to protect ourselves from becoming a target.

Spam and Malware
To keep away from spammers and malware, the best protection is to avoid clicking untrusted and doubtful links and posts. Do not click ‘Allow’ blindly when an application asks for permissions. Always read the type of permissions that an application requests when the ‘Allow’ – ‘Deny’ window pops up, and grant them only to applications you trust. If you are not aware of how a Facebook application works, here is a short description. Facebook is a platform which provides several interfaces (the Social Graph API) that let an application developer access data related to users, pages, friends, events, photos, etc. The application developer uses the API and writes a program that can manipulate the data provided through Facebook. These applications are hosted on the developer’s own servers. The Facebook team doesn’t look at the application code to see what the application is doing internally. Within the data access limits specified by the application’s permissions, the developer can do anything with the data.
Facebook Mobile – Vulnerabilities
Facebook Mobile is an additional interface that Facebook provides so you can use your mobile device to update your wall, add friends, reply to friends, comment, upload, etc. There are a good number of activities that Facebook Mobile can perform. See the Facebook Mobile page http://www.facebook.com/mobile/
There are a few open vulnerabilities in Facebook. Two of them are Facebook Upload via Email and Facebook via Text Message.
Facebook via Text Message – The real villain (Post on anyone’s wall vulnerability)
I became a victim of Facebook via Text Message last day. Frankly, I never used Facebook via Text Message before and I didn’t sign up for the feature until today. Yesterday, I happened to see a new post on my Facebook wall. It was just a ‘.’ in the post, and I saw that it was posted using Text Message. I had recently installed the Facebook app for Android on my Nexus S. I thought that some bug in the Facebook app on mobile had made the wall post. I tried to regenerate the same post on the wall using the mobile. Later I understood that the bad guy had used the feature called Facebook via Text Message, which I had never used. I signed up for the service and tried out how it works.
I found that, once we link a mobile number to a Facebook profile, if we send SMS messages to 92FACEBOOK (9232232665) from our linked mobile number, the message will be posted on the wall. I was shocked to see such an insecure procedure. Even if you have not signed up for the Facebook Mobile – Text Message feature, your profile is exposed to the vulnerability. If you have added a contact mobile number and verified it through the Facebook mobile verification process, that means you have subscribed to the vulnerability.
The Facebook via Text Message system uses the sender’s mobile number alone to identify which profile’s wall the text message is to be posted to. Not only the wall can be manipulated; several other activities can also be performed through Facebook via Text Message. That means the vulnerability gives an attacker control over your Facebook activities.
SMS spoofing is one of the vulnerabilities in the SMS design: the sender identity of an SMS message can be changed. In India, although the SMS gateways do not allow spoofing of the sender ID, there are still many paid and free SMS spoofing services outside India, so the sender identity of an SMS can easily be tampered with.
If someone has access to such an SMS spoofing service, they can set the sender number to the one linked to the Facebook user whose wall is to be updated. By sending a spoofed SMS, another person’s wall can easily be updated.
Protection:
Facebook should really introduce some additional authentication token along with the SMS (e.g. a temporary authentication passcode sent with the SMS). From the user’s end, the best protection is to remove the mobile number linked to the profile.
If you want to show your contact number on your profile, add the contact number but do not complete the verification of the number that the Facebook verification system asks for. That way your profile still displays your mobile number, while you are protected from the attack.
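To show why the sender number alone is not authentication and what the suggested passcode would change, here is an added example that is not code from the original post or from Facebook. It models a minimal SMS-to-wall gateway in Python: the first function follows the design the post describes (the sender number selects the wall and nothing else is checked), and the second adds a short-lived, single-use passcode that the service issues out of band and that must prefix the message. The phone numbers, profile names and the message format are constructed for the illustration.

```python
import hmac
import secrets
import time

# Constructed registry of verified mobile numbers -> profile names.
# The numbers and profiles are made up for this illustration.
PROFILES_BY_NUMBER = {
    "+910000000001": "alice",
    "+910000000002": "bob",
}


def post_by_sender_only(walls, sender, text):
    """Design described in the post: the sender number alone selects the wall.

    Anything that arrives with a known sender number is accepted, so the
    gateway is only as trustworthy as the caller ID it is handed.
    """
    profile = PROFILES_BY_NUMBER.get(sender)
    if profile is None:
        return False
    walls.setdefault(profile, []).append(text)
    return True


class PasscodeGateway:
    """Hardened variant: a short-lived, single-use passcode must prefix the text.

    The code is issued by the service and delivered to the verified number out
    of band, so knowing the sender number is not enough on its own.
    """

    def __init__(self, ttl_seconds=300, now=time.time):
        self._ttl = ttl_seconds
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # profile -> (passcode, expiry timestamp)

    def issue_passcode(self, profile):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[profile] = (code, self._now() + self._ttl)
        return code                # a real service sends it; never returns it

    def post(self, walls, sender, text):
        profile = PROFILES_BY_NUMBER.get(sender)
        if profile is None:
            return False
        # Single use: the code is consumed even on failure, which also limits guessing.
        entry = self._pending.pop(profile, None)
        if entry is None:
            return False
        code, expiry = entry
        if self._now() > expiry:
            return False
        parts = text.split(" ", 1)                  # expected "<code> <message>"
        if len(parts) != 2 or not hmac.compare_digest(parts[0], code):
            return False
        walls.setdefault(profile, []).append(parts[1])
        return True


if __name__ == "__main__":
    weak, strong = {}, {}
    print(post_by_sender_only(weak, "+910000000001", "."), weak)
    gw = PasscodeGateway()
    print(gw.post(strong, "+910000000001", "no code here"), strong)
    code = gw.issue_passcode("alice")
    print(gw.post(strong, "+910000000001", f"{code} hello"), strong)
```

The weak gateway accepts the lone ‘.’ the post describes as soon as the number matches; the passcode gateway rejects the same message unless it carries a code that was issued for that profile, is still within its lifetime and has not been used before. Consuming the code on a failed attempt is a deliberate choice: a wrong guess costs the user a fresh code, but it also prevents repeated tries against one code.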
Facebook Upload via Email
Facebook Upload via Email is a comparatively secure feature. If you navigate to the Facebook Mobile website, you can see an email address similar to darner986injure@m.facebook.com. This is a secret email address. Email messages sent to the address attached to a Facebook profile are posted to that wall. It is important to keep this email address secret; it should not be exposed to your friends or to strangers. In case you feel it has been exposed to someone, you can reset the special email address linked to the account: click Find out more -> Refresh your upload email.
I request everyone to be aware of these serious vulnerabilities on Facebook and take preventive measures to protect your profile and your identity over the internet.
Thank you.
Posted on December 30, 2010 - by Sarath
Pics-packet – A facebook application to download photos from facebook
I was busy with lots of interesting things and some upcoming projects. I have been hectic due to authoring a book. I will lift the veil and post more details in a few weeks.

Recently I had the opportunity to look at the Facebook Social Graph API. I found it really cool. I never expected this much from the API. We can access every element that we access through facebook.com with the API. The SDK comes in many languages like JS, PHP and more. It was interesting to go through the documentation page: http://developers.facebook.com/docs/.
The Facebook API presents an interesting Facebook Query Language (FQL) whose syntax is similar to SQL. Using FQL we can access all the data available on Facebook in the form of tables. As a simple example, there is a table ‘friends’ having two columns, friend1 and friend2. We can get the list of friends for a user by using their user ID. Each user is provided with a user ID. My Facebook UID can be found here: http://graph.facebook.com/sarath.lakshman.
Hence, using the query “SELECT friend2 from friends where friend1=UID”, we can fetch the list of friends’ user IDs. Using these IDs, by querying the table ‘user’, we can get the names of the friends.
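To make the two-step lookup concrete, here is an added example (not code from the original post or from the pics-packet app) that models the ‘friends’ and ‘user’ tables the post describes in an in-memory SQLite database with constructed rows and runs the same queries against it. The table and column names follow the post’s description rather than the real FQL schema, and FQL itself has since been retired; the point is the shape of the queries, including passing the UID as a bound parameter instead of splicing it into the query string.

```python
import sqlite3

# Constructed tables modelling the post's description of FQL:
# 'friends' (friend1, friend2) and 'user' (uid, name).
SCHEMA = """
CREATE TABLE friends (friend1 INTEGER NOT NULL, friend2 INTEGER NOT NULL);
CREATE TABLE user (uid INTEGER PRIMARY KEY, name TEXT NOT NULL);
"""
# Made-up UIDs and names for the illustration.
ROWS_FRIENDS = [(100, 101), (100, 102), (103, 100)]
ROWS_USER = [
    (100, "Sarath"),
    (101, "Friend One"),
    (102, "Friend Two"),
    (103, "Friend Three"),
]


def make_db():
    """Build the in-memory sample database."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO friends VALUES (?, ?)", ROWS_FRIENDS)
    con.executemany("INSERT INTO user VALUES (?, ?)", ROWS_USER)
    return con


def friend_ids(con, uid):
    """Step one, the query quoted in the post, with the UID bound as a parameter."""
    rows = con.execute(
        "SELECT friend2 FROM friends WHERE friend1 = ? ORDER BY friend2", (uid,)
    )
    return [r[0] for r in rows]


def friend_names(con, uid):
    """Step two: resolve the IDs from step one against the 'user' table."""
    ids = friend_ids(con, uid)
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))   # one bound parameter per ID
    rows = con.execute(
        f"SELECT name FROM user WHERE uid IN ({placeholders}) ORDER BY uid", ids
    )
    return [r[0] for r in rows]


def friend_names_nested(con, uid):
    """Both steps as one query using a subquery in the IN clause."""
    rows = con.execute(
        "SELECT name FROM user "
        "WHERE uid IN (SELECT friend2 FROM friends WHERE friend1 = ?) "
        "ORDER BY uid",
        (uid,),
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(friend_ids(db, 100))
    print(friend_names(db, 100))
    print(friend_names_nested(db, 100))
```

The bound `?` placeholders matter once the UID comes from user input, such as the search box the post mentions for finding a friend: a value spliced into the query text is how query-language injection starts, whether the dialect is SQL or FQL.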
When I had to download photos from some of my Facebook friends’ photo albums and tagged photos, I found it hard to manually filter out the URLs and download the photos. But after going through the Facebook API, I had a thought: what if I could write a simple application to fetch all the photo URLs for a friend’s albums? In a couple of minutes, I wrote an FQL query to list all the photo URLs and downloaded the photos using wget. Taking the thought further, I felt it would be great if there were some utility to build a zip of all photos from the albums of a friend we search for. Also, if we could get the photos by user tag, that would be great. The next day I started working on it. I remember it was night. I wrote code the entire night and forgot to sleep. Before the sun rose, the Facebook application was completed with the basic stuff. I showed the application to a few of my friends and received the feedback that it would be great if we could download selected photos as a zip. I thought of making the application public after designing a cool UI and feature enhancements. But I delayed for lack of time to work on it. I wasn’t getting enough time to hack on it. Last day I decided to make whatever I had written public, with a feature addition to download selected photos. The Facebook application pics-packet is public now. I have submitted the app for approval in the Facebook app directory.
I’m sorry guys. It has a poor UI and less-efficient code. It needs tuning. Unfortunately, I don’t have enough time to hack on it now. Maybe, will work on it later.
Here is the app:
and on facebook canvas: http://apps.facebook.com/picspacket/.
NOTE: Before you try the app, please go through the help. Otherwise the UI might seem confusing.
Happy hacking!


