Sunday, August 29, 2010

NINGA, please!

NING is a popular social network community created by internet pioneer, and Netscape founder Marc Andreessen that allows users to create custom social networks similar to Facebook. NING currently host hundreds of thousands of social networks which includes (but is not limited to) websites belonging to the likes of Tyra Banks, Ellen Degeneres, 50 Cent, Meg Whitman, Enrique Iglesias, Kid Rock, Linkin Park, Jay-Z, and many many more.

Recently, after joining a NING powered community I noticed that the functionality of the NING framework seemed to be a bit buggy. I first became aware of this after accidentally typing a set of double quotes into the member search, and realizing by the broken HTML, that a core component of NING seemed to be vulnerable to a simple Cross Site Scripting issue. Unfortunately, XSS bugs are fairly common, but can be especially problematic on community driven websites that rely on cookie based authentication, or have no CSRF protection.

After realizing there were some substantial problems I started to look around the site a bit more, and noticed that NING has user application functionality similar to most social networking websites. Also, NING allows the loading of unrecognized apps via a XML file located via a remote URL. NING apps are basically a combination of HTML, and JavaScript wrapped up within an XML file, so JavaScript execution within the context of a victim's browser is trivial.


This seems to be fairly unsafe at first glance, but applications are hosted on a completely different domain as a means to prevent cross domain based scripting attacks. However, if an attacker has an XSS bug available to them, cross domain policy usually becomes trivial to bypass, as seen in the images below.

Since a users apps are displayed within a page accessed via their public profile writing a NING social network based malware seems trivial at this point, and to make matters even worse the CSRF protection token "xg_token" simply does not work. (This point would be moot anyway due to the XSS bugs) It is also worth  mentioning that if an attacker wanted to write a really nasty piece of malware that would take over accounts, it would be fairly easy due to a flaw in NING that allows for a password to be updated without knowing the original, as seen below; and once an attacker knows the password updating the core account settings becomes possible too.

The end result of my research is a simple NING application based, self replicating malware named NINGA. This application is simply a proof of concept, and only seeks to spread itself. However, just about any action you can imagine would be possible such as mass messaging, data harvesting, account hijacking, and much more.

Unfortunately, there is no public bug reporting interface that I am aware of, and NING also seems to not have a security contact, (though, attempts were made to email  so these issues are still present. Hopefully, someone from the NING development team will see this and work on resolving the multiple security issues affecting NING networks, before someone takes the time to write a more complex piece of malware that is created for nefarious purposes.

Download NINGA source

DISCLAIMER: All research was conducted using two test accounts that I created, and any malware created was protected by an ACL to prevent anyone except myself from being able to load the malicious application. This research was conducted for academic purposes only!

Tuesday, August 24, 2010

Facebook Information Leakage ... Again

Recently there was an issue with the way Facebook handles the privacy of basic user information. The problem was, that if an individual logged in with the correct email, but incorrect password, a page would be displayed that contained the name, and image of the profile corresponding to the submitted email address. This of course is a bad thing, especially for people who have really locked their Facebook profiles down, and expect the previously mentioned information to remain private.

Unfortunately, after a few minutes of poking around to see if the issue was properly resolved I was able to find an almost identical issue within the core of the Facebook "Friend Finder" feature that allows an attacker to correlate not only email addresses to private profiles, but IM Handles as well. In order to take advantage of this information leak, all an attacker needs to do is follow these simple steps.
1. Navigate to the Facebook "Friend Finder" feature.

2.  Click the "Upload Contact File" option in order to access the file upload prompt (Other contact import features work as well. i.e. Import from webmail contacts, and even import IM Contacts).

3. Upload a contact file of ANY of the accepted formats that contains a list of email addresses that you would like to enumerate.

4. If the account is not viewable due to privacy settings then you will be presented with a page like the one shown in the following image. Select the target email(s), and click "Invite to Join.

5. If the email you are targeting DOES have a restricted Facebook profile then an email invite will not be sent, and a page like the following will be visible, which contains a link to the Facebook profile associated with the target email address to be enumerated.

As previously mentioned, the "Friend Finder" feature can also be abused via other vectors as well, to leak user information such as IM Handles (AIM, MSN, ICQ, etc.) as seen in the image below.

Even though these issues that I point out here are new, privacy leaks are nothing new at all to Facebook, and will likely be an issue for the foreseeable future.

UPDATE:  Facebook has since corrected these issues. Also, thanks to Blogger for an epic fail, and locking my blog for no reason the day I created this article. I truly appreciate that guys; and it only took you two days to realize you noobed it up, I'm impressed.