For the last several years, ever since Facebook allowed third-party access to your data, your account with Facebook could have been taken over.
Not by Firesheep (although the principal is similar), but because of the third-party application actually leaking an access token outside of the conversation between you, Facebook and the third-party.
In a nutshell, the sequence of events allowing this are as follows:
- You’re logged in to Facebook, and want to play a game (start up a third-party application)
- The third-party application presents a permission dialog page, where you allow the application access to your friends, your personal information, and posting on your wall.
- The third-party application gets an access token from Facebook, which allows it to do all these things without you having to explicitly give them permission every time.
- That token is exchanged with Facebook every time the third-party issues requests.
So far it is very similar to the Firesheep issue. However, the twist here comes if the third-party application uses a legacy Facebook API:
- The access token is sent as part of the URL
- The application requests resources from another site (such as an advertiser).
- The advertiser receives the referring URL, which contains the access token.
Now the advertiser has the access token that the third-party application uses, and can use that to do the same actions you allowed that application. Best case it now has a list of your friends, worst case you’ve just given the advertiser the right to post on your wall.
And since requests are normally logged, it is even possible that when the advertiser’s site gets hacked, the hacker finds the log, containing these access tokens, and can do these same actions.
Symantec has identified this issue back in late April, and Facebook has since then taken steps to remedy this problem. However, none of these steps completely remedy the problem until September 1st, when the legacy API calls that allow this venue of attack are disabled, and replaced by OAuth.
So what can you do to prevent your account being used as a beach head of attack?
- Review what rights you’ve given to what applications, and delete rights you no longer use or think are unnecessary. This is done in Facebook under Account, Privacy Settings, Apps and Websites, Apps You Use.
- Insist on using HTTPS wherever you can, and think twice about third-party applications that do not support it.
- Change your password. Changing your password invalidates the previous security tokens.
Symantec states that to their knowledge no Facebook users were impacted by this issue. However, this is a definite possibility of attack, and a few good security principles can keep your account safe (or safer) from attacks.