Formspring.me, a newly popular social networking site, has a fundamental cross site scripting flaw that allows one logged in user to steal another user’s session, but also may allow users to find out who posted a nasty comment about them. A key complaint about the site is that you can not find out the identity of an anonymous user.

Update: Kudos to Formspring.me, even though it was hard to initially report the problem, they corrected it in about an hour from opening a post on their technical support forum, a nice turnaround by any standard.

Formspring.me

Formspring.me is a six month old social networking question and answer site. The web site has come under scrutiny following a few recent news stories involving incidents with teenagers, the site’s primary demographic. The first notable incident was where a fight broke out over comments on the site. More notably, however, is the story of Alexis Pilkington, a 17 year old West Islip, NY High School graduate who committed suicide after dozens of insulting comments had been made to her on the site.

From comments on the site, these are not isolated incidents, and its fairly clear Formspring needs to come up with a better model:

Is it possible for you to delete an account for harrassment if the posts were anonymously posted? I received 18 threats last night that I followed up with a police report to my local PD. I have the police report number, as of yet I have not deleted my account so that if you needed to access it to see the post you could. Please advise.

I need to know how to go about finding out who send a message to my daughter’s account. The message says.. that she would be better off dead.

I would appreciate it if Formspring will work with our local Santa Barbara Police Department and the Santa Barbara Sheriff Department to find the person that was impersonating my daughter.

Such problems have led to various organized boycotts, letters home from school officials, and coverage under the topic of cyber-bullying in a number of news outlets.

The Big Issue People Have

One of the primary complaints about the web site is the anonymity of questioners. Hiding behind the veil of anonymity has allowed, mostly teenagers, to make nasty remarks to each other they would probably not make under their own names (although frankly the Internet is a wild place). Largely as a result of this, a good deal of time has been spent trying to figure out a way to determine: “who said that about me?”. That is at least according to the articles I’ve been reading. Formspring won’t help you with anonymous questions, as it states in their support forums

But here’s an answer to that question, or at least a method: a way to grab another user’s session only knowing user name because of a web site vulnerability present in the Formspring web site.

1. We have two users: Tester21 and Tester25. Since they have such close names, they’ve decided to follow each other using the site’s People->Find People and Follow functions.

2. Tester 25 goes to www.formspring.me and asks Tester21 a question:

   

   Ask another user a question.

   
   

3. But that’s kind of boring, so Tester25 asks a better question:

<script>alert(document.cookie);</script>

4. Tester21 logs in and sees he has a question:

Malicious script, dutifully encoded by Formspring.me.

<a href="#" rel="question">
&lt;script&gt;alert(document.cookie);&lt;/script&gt;</a>
<span class="askedBy">asked by <a href="http://www.formspring.me/tester25" rel="profile">tester25</a>

5. Glad Formspring has protected him from revealing his session cookie by properly encoding output, Tester21 makes a note to drop that loser Tester25 from his Follow list and clicks Home:

The home screen preview executes the Javascript.

What Happened?

A preview function on the home page shows the user the last pending question they’ve received. If its the one that is the cross site scripting string, the script executes. In this case its only the classic alert box demonstration, but anything that can be accomplished with Javascript is possible.

Another Random Issue

It appears formspring.me actually logs users in as someone else sometimes without any interaction, as evidenced by this user complaint:

Hi, everytime i want to go to my home page or feeds on my friends answered questions, i keep going to random people’s homepage or their feeds, anyway i can fix this?

Why is Disclosure this Difficult?

After numerous attempts to sign up for the Support section of the site so we could notify Formspring of this defect, we finally just posted an issue in their Technical Support forum as the notification. They need to think about adding a screen or e-mail address for reporting security issues, ala Twitter and other sites.

Finally

So assuming someone is acting as an anonymous user, but has given more information in their profile (e-mail, etc.) then the person who wants to know who they are could send them a variation of the “poison question” above that steals that user’s session (likely this would involve sending the user’s cookies to another web site, having a script running there that grabs the cookies and perhaps logs in in as that user and changes the user’s password which essentially takes over the account). From taking over the account the attacker gains access to any information filled out in the profile (could be nothing if Anonymous uses dummy information and an anonymous e-mail) and can post and answer questions as that user.

Additionally by searching out people making use of the Formspring widget, you don’t even really need to be a Formspring user yourself to post the XSS string to a Formspring user’s account.

The problem above is magnified in that many users connect their Formspring accounts to Facebook and Twitter (meaning a person who has taken over the account can then post messages to these other two social networking services).

In terms of actual impact, its unclear that user’s would have any truly sensitive information available in their profiles, making information disclosure a low risk (assumes the user didn’t post sensitive information themselves). Birthday and e-mail are probably the only two fields that could be considered user confidential. So the primary issue is session hijacking. Is it a big deal? It probably is not, other social networking sites had similar issues in their first six months of existence, it is just something that should be corrected.

As for Formspring itself, and the issues people are having with anonymous users, this is probably worthy of its own blog post. There are a number of sites that allow anonymous comments to be posted, and the web is famous for snarks and nastiness in online comments. That said, having experienced these problems so publicly, and being a web site that is used primarily by young people, Formspring would be best advised to remove the anonymous question capability to avoid libel, cut down on police investigations, and get itself out of the negative press for a while. Call it the price of being popular.

A special thanks to ethicalhack3r for bouncing some ideas around.

Related Posts:

• F-Secure XSS on Anti-Theft Website
• XSS Flaw on PayPal.com
• Pentagon Web Site Vulnerabilities Identified

• <3 <3 <3 @T3ETH NXT TIME REALNESS PIC A BETTER PASSWORD!!!! PVNKS UNITE!!!
• <3 LADY GAGA – NO HATE INTENDED!!!! CAN’T WAIT 4 THE MONSTER BALL!!!!
• …butt LADY GAGA RULEZ THE WORLD!!!!! Warhol are you listening?!!
• I swear my dick is not as big as T33TH’S!!!! POPWRLDSUCKZ!!! PUNX UNITE!!!! <3
• GAGA PEECE FOR LYFE!!!
• Hay my babies!!! LOVE GAGA??? LOVE T33TH!!! http://www.myspace.com/teethdance

Strange tweets showing up in Lady Gaga's tweetstream.

London band Teeth.

The London band T3eth, suspected of hacking the account.

Anonymous?

The lone offensive tweet references the Internet hoax that suggested Lady Gaga was a hermaphrodite, perpetuated initially by the Youtube video below and a fake quote:

It’s not something that I’m ashamed of, just isn’t something that I go around telling everyone. Yes. I 
have both male and female genitalia, but I consider myself a female. It’s just a little bit of a penis 
and really doesn’t interfere much with my life. The reason I haven’t talked about it is that it’s not a 
big deal to me. Like come on. It’s not like we all go around talking about our vags. I think this is
a great opportunity to make other multiple gendered people feel more comfortable with their bodies. 
I’m sexy, I’m hot. I have both a poon and a peener. Big f*cking deal. 
- Attributed to Lady Gaga

I only bother including the video, because it contains a reference to another famous Internet group: Anonymous. No conspiracy, its just amusing to see Guy Fawke in the beginning of the video hanging out with the Lady Gaga crowd.

Anonymous hanging out at the Lady Gaga concert.

Members of Anonymous protesting scientology.

Britney

On Friday, Britney Spears appeared to be letting us in on a previously unknown penchant for devil worship:

The appearance of the Britney Spears Twitter account on Friday.

Why is this News?

Celebrities having their Twitter accounts cracked doesn’t seem like a new problem, and indeed Britney did report herself dead via Twitter back on June 28th. But there is a difference, and that is that many of the openings for easily brute forcing the Twitter password via the web site have closed. Note I said easily, don’t spam the comments with speculation on how the account was compromised (unless its high quality speculation), we know quite well that Twitter is still far from security nirvana.

Twitter has been slowly closing loop holes in their authentication process over the course of this year. Back in September we pointed out the reCAPTCHA implementation on login that shows up when you enter too many bad authentication attempts, a key difference in the process from when the rash of prominent account break-ins occurred earlier in the year (including the notable crack of a Twitter admin’s account). Twitter has more recently started to lock out accounts for an hour when they provide too many bad passwords (a lousy idea from a security perspective, but we’ll get into that some other time).

In Breaking Twitter we showed how Twitter rate limits were not enforced as advertised in their API documentation, allowing brute force of passwords via the API. Well that hole has somewhat closed (we’ll touch on that in a future post as well).

Now in the Lady Gaga case, Teeth seems to be admitting that they successfully guessed the password, so fair enough for that one. What about the Britney case? Because what was once a very obvious avenue of attack (point password brute forcing tool and click) has become a little less obvious. Maybe its someone in her entourage, or Kevin Federline?

PoPo Zao.

Update

• Lady Gaga had this to say today: “Seems as though my twitter was hacked yesterday. I could be angry, except I secretly love how psychotically smart my fans are.”
• It looks like Lady Gaga’s password was: JustDance1. Explains why it was easy to guess, that’s the title of one of her initial hit songs. Hopefully she doesn’t fall into the category of using the same password on every web site.

References

• Gnash Your Teeth
• Lady Gaga’s Twitter hacked?

Related Posts:

• Persistent XSS on Twitter.com
• James Lipton says “Don’t tweet your junk”
• “Hi. This you?? LOL” Twitter Attack Snares Kevin Mitnick
• Facebook’s Faith: A New Scareware Attack
• Breaking Twitter (authentication)

At 11:49am on October 17th an update was made to Bradford’s Facebook profile: “WHERE MY IHOP?”, a message to his pregnant girlfriend. This update was one minute before two men were robbed at gun point in the Farragut Houses in Brooklyn where Bradford lives. At the time of this robbery, the robbery he faced charges for, Bradford claims he was sitting at the computer at his father’s apartment in Harlem making this Facebook update despite his being identified by a witness at the Farragut Houses.

“If it wasn’t for Facebook I’d still be on Rikers Island.”
Rodney Bradford

So like any good defense attorney would, Reuland pointed out to Brooklyn District Attorney Lindsay Gerdes that his client could not possibly be in two places at the same time, and look, here is the evidence on Facebook that he was sitting at the computer at his father’s place. The DA subpoenaed Facebook to verify the location where the status update was made from, Facebook verified it, and the charges were dropped.

The Facebook Kids Facebook page.

Facebook Magic

The district attorney subpoenaed Facebook to verify that the status update had actually been typed from 
a computer located at 71 West 118th Street in Harlem.

Source: NY Times

“Facebook saved my son.” Ernestine Bradford

The above is interesting. It is interesting because there is no way Facebook could tell with certainty that an update was made from the computer at 71 West 118th Street. In fact they could only reasonably make such an educated guess through forensic evaluation of the computer in Harlem itself. They didn’t do that, they looked at their own information (likely some combination of site cookies read and web server logs) and decided that the update came from there. While IP (internet protocol) addresses used from the home are not technically static, they can remain the same assignment for days from an ISP providing cable, FIOS, or similar. So Facebook can say that the IP address of the party making the request to its web servers is the same as previous accesses and can approximate the geo-location of the IP. That assumes no use of a proxy or anonymizer.

Technologists Lurking in the NYT Comments

The comments from NY Times blog readers are telling. While some are ridiculous – he probably just used his phone to make the update (the phone browsers can usually be fingerprinted in the web server logs, the IP would show a phone network)- some are legitimate. Why couldn’t a friend have updated Facebook for him, maybe he used RDP to login (its built into Windows XP, just needs to be enabled), maybe VNC, maybe an SSH tunnel, and so on are all listed possibliities.

“This was just a very strong alibi…It reflects the pervasiveness that Web sites and social networking has on our lives.”
Bradford’s lawyer, Robert Reuland

The problem (for a non-technical user) with VNC or RDP is that they need to be installed on most phones, and the SSH tunnel while not complicated would not be a readily available option to a non-computer literate person. RDP is on Windows XP, but it would have to be enabled, and his lawyer is telling us that his client is not a computer guy. The friend updating Facebook? That’s low tech and easy, but for my money I don’t want to involve any extra parties, collusion makes crime harder.

The Perfect Crime

So now that I know I can invoke the Facebook defense, how do I want to approach it? Let’s say I decide I want to knock over a liquor store. I have my mask and so forth, but I also want to establish my alibi, that I was 30 miles away at my computer doing some social networking on Facebook. I could get in remotely from my mobile device (VNC, RDP, etc.) but I don’t want to be worrying about that while I’m emptying the register. As I mentioned before, my buddies can’t keep a secret, so I’m not letting them update Facebook either.

So I started with the following PHP script using curl (JD McCloud, python guru, is groaning at the desk next to me over the use of PHP). I fired up WebScarab, the great intercepting proxy from OWASP, the Open Web Application Security Project, and captured the full HTTP header that is part of a Facebook status update request. Snagging the request URL, Facebook cookies, and POST options sent with the request, I setup the PHP script below to essentially replay a Facebook status update request.

Note that I’ve removed the content specific to my profile. I don’t have the script logging in to Facebook. If I needed to I would have, but fortunately Facebook has a “Keep me logged in” radial button on its homepage, so I didn’t bother.

<?php

$ch = curl_init();
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5)
 Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)");

curl_setopt($ch, CURLOPT_COOKIE, 'datr=; s_vsn_facebookpoc_1=; __utma=; __utmz=.utmccn=
(referral)|utmcsr=|utmcct=|utmcmd=; s_vsn_facebookpocads_1=; locale=en_US; __qca=; x-referer=; 
cur_max_lag=; lsd=; h_user=; __utmc=; c_user=; lxe=; lxr=; sid=; xs=; presence=');

curl_setopt($ch, CURLOPT_POSTFIELDS,'action=PROFILE_UPDATE&profile_id=&status=I said where are my 
pancakes!&target_id=&app_id=&&composer_id=&display_context=profile&post_form_id=&fb_dtsg=&
_log_display_context=profile&ajax_log=1&post_form_id_source=AsyncRequest&__a=1');

curl_setopt($ch, CURLOPT_URL, 'http://www.facebook.com:80/ajax/updatestatus.php');
curl_exec($ch);
?>

Now I just add a Scheduled Task (Programs > Accessories > System Tools > Scheduled Tasks) or use At to run the program at the time I’m scheduled to do the stick up, and I’m all set. Facebook will note dutifully that a status update request came to them using the FireFox browser from an IP roughly around where I claimed to be. As long as no one actually checks my PC…

Oh C’mon Now

Yes I know what you’re thinking. I said that accessing the PC remotely was probably too complex (in reality I have no idea) for Mr. Bradford, and now I’m pitching writing scripts. I agree, if you are not a computer person, this would be out of reach. So how about another approach?

CoSripter, now owned by IBM, is pretty non-technical. Download a Firefox plugin, record your activities as you login to Facebook and update your status, and save the script that is generated. And if a person can’t follow those instructions, they can always watch the video tutorial. Here is the script that is automatically generated as I go through a login and status update on Facebook:

    * go to “http://www.facebook.com/index.php”
    * pause 3600 seconds
    * enter your “e-mail address” into the “Email” textbox
    * enter your password into the “Keep me logged in Forgot your password?” textbox
    * click the “Login” button
    * click the “Profile” link
    * enter "I said where the hell are my pancakes" in the “What’s on your mind?” textbox
    * click the first “Share” button

Its fairly easy to see what we’re doing above, I’ve set up variable names for my e-mail and password, but even that is very straight forward, and its only if you want to protect your credentials. Since you have recorded everything that generates the script, you only have to do one manual change, the line “pause 3600 seconds”. Remember, my robbery is 30 miles away, so I’m running my script, but giving myself an hour to get myself over to the liquor store. At exactly one hour from the time I kicked this off in Firefox I’m grabbing twenties from the tray and Facebook is seeing an update from FireFox in their logs for user “me” with the status update above. Facebook dutifully reports that I couldn’t have committed the robbery, I was still wondering where my pancakes where.

Facebook et al. and the Law

As social networking has taken hold as a cultural phenomenon, so too will its use in the proceedings of the legal system. There have been other uses of Facebook and other social networking sites in legal proceedings that have a great deal more legitimacy. There is the jackass in Pennsylvania who checked his Facebook status during a robbery on the victim’s computer and left the page open. There’s the Indiana murder case where a MySpace description was used as character evidence. The things people write online can be used against them in employment or divorce cases.

But with all that said, nativity with social networking tools like Facebook must not be misinterpreted as an actual understanding of the way web applications and computers work. I hope Facebook with their technical understanding of the boundaries of their network responded to that subpoena with a voluminous explanation that what they were providing was in fact proof of very little, proof only that their web servers had received a request looking like this at a certain time. I hope that Robert Reuland is the only defense attorney who is able to pull a fast one (exactly what he is paid to do) presenting Facebook status updates as forensically sound and acceptable evidence of a person’s location. Finally, I hope Mr. Bradford gets his pancakes.

What’s your approach?

There are plenty of other ways to approach this, and thus go on a consequences free international crime spree thanks to Facebook. How are you going to approach it?

Update

Bradford hired a civil attorney, Herbert L. Schmell, who says that they’re “99.9 percent sure” that they will sue the city for a false arrest/imprisonment.

References

• His Facebook Status Now? ‘Charges Dropped’
• Facebook alibi saves jailed teen

Related Posts:

• The “Aurora” IE Exploit Used Against Google in Action
• Scareware Purveyors, Spammers, and Crooks Take Advantage of Haiti Earthquake
• Baidu.com the Latest Victim of Iranian CyberArmy
• JUNOS (Juniper) Flaw Exposes Core Routers to Kernel Crash
• Forensics: Beverages Aside, A Look at Incident Response Tools

Meet Faith...or Emily...or...the face of the new Facebook attack

On Thursday morning, AVG researcher Roger Thompson, after sourcing some spyware attacks to a series of Facebook profiles, noted that these few hundred profiles were showing up with the same profile image (seen at left) but different profile information. The home video link on these profiles, belonging to Faith / Emily / whoever, points to the a web site that displays scareware dialogs: netmedtest.com/index.php?affid=30500.

Clicking the video url opens up a browser dialog box suggesting the user has viruses on their PC, suggests a system’s check and opens up a scareware dialog. Scareware is software sold or downloaded via creating a perception on the part of the user of a usually non-existent threat to the user that is typically non-functional or malicious.

The URL itself is registered to accounts with temporary or throw away e-mail addresses, amusingly these services like spambob and mailinator that were intended to help uses avoid spam are used by bad actors as the registration and contact e-mails for registering malicious web site URL’s. The site netmedtest is hosted in Haifa, Israel.

The Profile

The fake profile with video link.

If you click the video link, you get this dialog.

And after that, you get this dialog.

Facebook’s Response

Facebook spokesman Simon Axten notes that Facebook is in the process of identifying the fake accounts so they can be disabled en masse. The actual URL used to serve the spyware has been blocked by Facebook as well as the major web browsers already.

A Failure of CAPTCHA

The fact that there are a couple of hundred of these profile pages could suggest an automated setup of the accounts, which would mean a bypass of the CAPTCHA authentication used in account setup on Facebook. Facebook uses reCAPTCHA specifically (a free service that is digitizing the NY Times at the same time they are validating that the user is actually human).

Facebook CAPTCHA screen example.

CAPTCHA mechanisms have increasingly been compromised by both automated programmatic means such as the method used to break Google’s CAPTCHA, as well as through manual means where human interaction is used to solve CAPTCHA images (cheap sources of labor spend the day typing in CAPTCHA responses). Given that the fake profiles number in the hundreds, either method is realistically plausible. Facebook’s spokesperson indicates that they believe it is the second case: “Based on our investigation and the relatively small number of accounts created, we’re almost certain that they were created manually, rather than by a bot.”

At the time of writing this example bogus profile of Faith Price is still available on Facebook: http://www.facebook.com/people/Faith-Price/100000305282922.

Countermeasures

As previously stated, the major browsers have picked up the malicious link and are blocking it, and Facebook is aware of the problem, so for most users this is not a major issue at this point. As always, note that legitimate anti-virus companies will not advertise to you using scareware tactics and avoid clicking on links provided by persons you do not know. In general avoid drive by downloads by not surfing the web with a user account that has administrative privileges.

References

• AVG Blogs – Roger Thompson
• What is ReCAPTCHA?
• Facebook Captchas broken?

Related Posts:

• Persistent XSS on Twitter.com
• iPhone 4 Ordering and Session Switching
• May’s Patch Tuesday
• March’s Patch Tuesday
• Press F1 for Help, pwned.