Recently, Roger Thompson, chief research officer at security firm AVG, discovered over half a dozen Facebook applications that had been compromised by malicious hackers. Although the apps’ reach was small with relatively few users being affected, Thompson was concerned because it was the first time he had seen apps themselves hacked as opposed to something like Facebook profile pages, a common target for the still-spreading Koobface worm.
While this incident alone wouldn’t generate much excitement given the low-profile nature of the applications affected, it’s not the only example of unsafe applications on Facebook. Another researcher just spent an entire month scouring Facebook apps for security vulnerabilities and what he found is disturbing: six of the hacked apps were in the top ten, 9700 applications were affected, and the potential victims totaled 218 million users.
Hacked Apps Found Forcing Malicious Software on Users
In the case of the hacked Facebook apps found by AVG, the apps had been compromised by the use of “iframes,” which are bits of code embedded in the applications themselves. The iframes were able to load content from malicious websites into the applications’ pages on Facebook.com, directing app users to install software on their computers by purporting to be an update for an out-of-date Adobe Reader product.
At first, Thompson thought the apps had been hacked by the developers, but as it turned out, it was the developers who were the victims. After looking at the source code for the apps in question, Thompson found that the iframes had been injected into the apps’ code due to infected software on the developers’ PCs.
Facebook quickly reacted to the situation and took down the compromised apps while also contacted the developers to warn them of the issue.
Thousands of Apps Vulnerable to Attacks
While hacked Facebook apps may still be a bit of a rarity today on the popular social network, security vulnerabilities that could lead to malicious attacks are not. After spending a month on Facebook looking for application bugs, another security researcher made some disturbing findings.
Specifically, the researcher, who goes only by the handle “theharmonyguy” online, was looking for a specific vulnerability he referred to as a “FAXX Hack.” FAXX stands for “Facebook Application + XSS + XSRF” or, in other words, a cross-site scripting vulnerability – a certain type of security hole that could allow a hacker to access profile information, including personal details, status updates, and photos of a victimized user and their friends.
The findings showed that many Facebook applications, even those that were widely used and considered trustworthy, lacked basic security precautions. There were some 9700 Facebook applications which were affected by vulnerabilities and nineteen of the applications in question had passed through Facebook’s “Verified Application” program, a sort of “stamp of approval” designed to assure Facebook users of an app’s general trustworthiness. Among the apps, six were ranked in the top ten by monthly active users including FarmVille, Causes, LivingSocial, Movies, Farm Town, and YoVille. The collective monthly active users counts for all the hacked apps totaled 218 million. However, that previous figure does include overlaps. Also, seven of the top ten application developers on Facebook were found to host at least one vulnerable app. (Note: the 9700 number may seem large but that’s due to one vulnerability found in the “Make a Gift!” application. Make a Gift! lets users create their own custom applications for sending gifts, and the myriad of resulting applications are all hosted from the same server.)
While discovering the bugs, the researcher contacted each application developer to make him or her aware of the hole. For the most part, developers responded quickly and took the situation seriously. However, several developers took a while longer to respond. Nine took over a week to patch their application and one even took two weeks. And those delays were not due to the complexity of the required patches – these were, in terms of coding, simple fixes.
What’s most concerning about these findings is how widespread the problem was. Unlike the apps AVG discovered, this wasn’t a minor, isolated incident affecting a small handful of users. Although the apps in question here were just vulnerable to attacks as opposed to being comprised themselves, it shows how risky it is to use any application, Facebook Verified or not.
Is Any App Safe?
On top of all these security issues, in August many Facebook users were surprised to discover the vast amounts of personal information they were revealing by their use of Facebook quizzes. Even if you limit access to your profile through privacy settings, Facebook quiz applications can see everything on your profile page when you take a quiz…or even when your friend takes one. To make matters worse, Facebook does not screen developers for trustworthiness nor do they require developers to comply with a privacy policy.
With hacked apps, security vulnerabilities, lack of privacy policies, and apps that can read your private profile information, one has to wonder if using any Facebook application is appropriate and safe these days.
Update: Facebook’s response: “Developers on Facebook Platform must comply with Platform Policy Guidelines, which require that applications provide a trustworthy user experience. Similarly, applications must post their own privacy policy if they collect any user information. We enforce these guidelines through spot checks and have disabled thousands of apps that we found in violation. We also encourage users to report suspicious apps and practice caution with all of their online activity.”
