Many Facebook apps lack simple security checks

One important question surrounding consumer use of third party social applications has always been security: how do social networks like Facebook keep security quality high amongst tens of thousands of applications (especially when many of them are written by inexperienced or non-commercial programmers)? Facebook is known for taking privacy and security extremely seriously, yet the Platform is highly valued by developers because of the detailed access to user profiles and friend lists it allows.

“Social hacker” theharmonyguy, who has identified security lapses in some of the most widely used Facebook and OpenSocial applications, is one developer taking the “white hat” approach (helping app developers fix things before going public). In a recent post, he describes how simple tactics like placing FBML in query strings could lead to injection attacks – in other words, an easy way for malicious parties to place potentially harmful code inside Facebook applications.

Many applications, including popular ones, will render messages on a page by adding a query string. The problem is that the canvas page then takes the query string parameter and inserts it without any filtering. That allows a hacker to insert FBML into the parameter, which will then be rendered by the application – I’ve inserted iframes into several apps. I’m not exactly sure how much of a security issue this is, since something like an iframe can’t easily spoof application authentication parameters, but it certainly seems like a problem waiting to happen. Furthermore, in one OpenSocial application, I used this same technique to insert HTML/JavaScript into pages. Take note: any input parameters that are rendered in a page should be escaped first to avoid injection attacks.
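The pattern the quoted post describes, shown beside its escaped form, as an added Python example (not theharmonyguy's code, nor any Facebook app's); the parameter name `msg`, the fixed wrapper markup and the sample query string are assumptions made for the illustration:

```python
from html import escape
from urllib.parse import parse_qs, urlencode

# Constructed sample: the query string a canvas page would receive when an app
# passes the message to display in the URL, carrying the kind of tag a reviewer
# submits to confirm the parameter is rendered unfiltered.
SAMPLE_QUERY = urlencode({"msg": '<iframe src="http://example.invalid/"></iframe>'})
WRAPPER = '<fb:success message="Notice"/>'   # assumed fixed FBML the app emits


def message_param(query: str) -> str:
    """Pull the 'msg' parameter out of a raw query string ("" if absent)."""
    return parse_qs(query).get("msg", [""])[0]


def render_vulnerable(msg: str) -> str:
    """The problem the post points at: the parameter is dropped straight into
    the page, so any FBML/HTML it carries is parsed as markup."""
    return f"{WRAPPER}<div>{msg}</div>"


def render_escaped(msg: str) -> str:
    """Hardened form: '<', '>', '&' and quotes become entities, so the value is
    displayed as text and can never open a tag or attribute."""
    return f"{WRAPPER}<div>{escape(msg, quote=True)}</div>"


def contains_injected_tag(page: str) -> bool:
    """Check suitable for an app's test suite: anything tag-like inside the
    message slot (after the app's own fixed wrapper) counts as injected."""
    body = page.split("<div>", 1)[1].rsplit("</div>", 1)[0]
    return "<" in body or ">" in body


if __name__ == "__main__":
    msg = message_param(SAMPLE_QUERY)
    print("vulnerable:", render_vulnerable(msg))
    print("escaped:   ", render_escaped(msg))
```

Running the block prints the two renderings; `contains_injected_tag` is true for the first and false for the second, while an ordinary message such as "Your friend accepted" renders identically in both.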

Many Facebook apps, just like many websites, are susceptible to simple tactics like this. But inside Facebook, security lapses in applications could lead to a lack of trust in Facebook itself. And while holes in kissing or friend-comparing apps may just lead to embarrassment, security holes in financial services applications could lead to more significant consequences – like identity theft.

“Social network environments dramatically increase the social engineering risk,” said Scott Mitic, Founder and CEO of identity theft prevention company TrustedID. “However, this is not unique to Facebook. In fact, I’m not aware of any identity theft issues from the way Facebook handles personal information right now. However, things do get more risky when dealing with gateways to the financial world.”

According to Mitic, peer to peer lending applications within Facebook and other social networks are the apps most likely to be targets for potential hackers. Preventing back door access to private accounts under the guise of a trusted platform, service, or friend will be an increasingly important security problem in the coming months and years. As previously reported, Facebook is launching an in-house payment platform so that developers don’t have to solve these problems themselves.

Facebook’s Terms of Service say that, “ALL USE OF THE FACEBOOK PLATFORM IS PROVIDED ‘AS IS’ AND AT YOUR OWN RISK.” Hopefully, technologists like theharmonyguy will help developers keep their apps secure; a major application security breach would be bad for everyone involved.