Arul Kumar, a 21-year-old electronics & communication engineer from Tamil Nadu, India, recently discovered a critical bug in Facebook that permitted an attacker to delete any photo from Facebook without user interaction.
Initially, the Facebook security staff was unable to verify this vulnerability. After he sent them a video recording of his proof of concept, the Facebook team acknowledged his finding. In that video Mr. Kumar demonstrated the issue against Mark Zuckerberg’s account, creating a deletion request link for one of Mr. Zuckerberg’s photos.
So, what use is this example to the Financial Services technical community?
Mr. Kumar took advantage of a commonly identified vulnerability in web and mobile applications. He manually modified two parameters upon which Facebook servers would take critical actions. This particular injection attack modified Facebook’s ‘Photo_id’ and ‘Profile_id’ parameters.
Apparently, the Facebook application simply trusted these inputs, even though they arrived from what were clearly untrustworthy endpoints.
Remember, applications must never trust user input. Developers can remember this using the phrase “all input is evil.” User input needs some level of sanity-checking — generally called input validation. The Open Web Application Security Project (OWASP) Top 10 refers to this as its #1 vulnerability — ‘Injection’ at https://www.owasp.org/index.php/Top_10_2013-A1-Injection.
Because this attack also allowed an attacker to delete others’ content, Facebook’s access controls were also vulnerable to abuse. This vulnerability and approaches to dealing with it are also outlined in OWASP #7, https://www.owasp.org/index.php/Top_10_2013-A7-Missing_Function_Level_Access_Control.
All Financial Services applications, even those shiny new mobile apps, need to safety-check user input. Applications also need to verify, on the server side, that a function is performed only for users who have been explicitly granted access to it.
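To make those two controls concrete, here is an added Python example; it is not code from the original post and not how Facebook’s service was built. A deletion handler written the way the post describes the flaw sits beside a hardened version that validates the photo_id and derives ownership from the authenticated session instead of the client-supplied profile_id. The photo store, request shape, handler names and user names are all constructed for the example.

```python
# Added example, not from the original post or from Facebook's code.
# The photo store, request shape and user names below are constructed.
import re

# Constructed sample data: photo id -> owning profile id
PHOTOS = {"1001": "alice", "1002": "bob"}
PHOTO_ID_RE = re.compile(r"^\d{1,20}$")


def delete_photo_trusting_client(photos, session_user, params):
    """Vulnerable pattern: the owner check compares the photo's owner with
    the profile_id the client sent, so whoever edits both parameters passes."""
    photo_id = params.get("photo_id")
    claimed_owner = params.get("profile_id")
    if photo_id not in photos:
        return "not_found"
    # BUG: ownership is decided from request data, not from the session.
    if photos[photo_id] != claimed_owner:
        return "forbidden"
    del photos[photo_id]
    return "deleted"


def delete_photo_hardened(photos, session_user, params):
    """Hardened pattern: validate the input shape, then decide ownership from
    the authenticated session and the server's own records, never the client."""
    photo_id = params.get("photo_id", "")
    if not isinstance(photo_id, str) or not PHOTO_ID_RE.fullmatch(photo_id):
        return "invalid_input"
    # Any client-supplied profile_id is ignored; identity comes from the session.
    owner = photos.get(photo_id)
    # One answer for "no such photo" and "not yours", so the response does not
    # confirm which photo ids belong to other users.
    if owner is None or owner != session_user:
        return "not_found"
    del photos[photo_id]
    return "deleted"


def demo():
    """Same request from session user 'mallory', naming bob's photo and bob's
    profile_id, sent to each handler over a fresh copy of the store."""
    params = {"photo_id": "1002", "profile_id": "bob"}
    vulnerable_store, hardened_store = dict(PHOTOS), dict(PHOTOS)
    return (delete_photo_trusting_client(vulnerable_store, "mallory", params),
            delete_photo_hardened(hardened_store, "mallory", params),
            "1002" in hardened_store)  # ("deleted", "not_found", True)
```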
This work is a clear candidate for integration into your application security program. Use it to show how creative individuals are able to exploit any and all input and access control vulnerabilities in your applications. Any Financial Security organization ignores such well-organized and clearly stated work at its peril.
I also strongly recommend using OWASP resources. They are free and easy to understand, and they include mature high-level guidance as well as help for designers and developers.
Arul Kumar, “Delete any Photo from Facebook by Exploiting Support Dashboard.”
Open Web Application Security Project (OWASP), Top 10
OWASP Top 10 2013-A1-Injection, https://www.owasp.org/index.php/Top_10_2013-A1-Injection
OWASP Top 10 2013-A7-Missing Function Level Access Control, https://www.owasp.org/index.php/Top_10_2013-A7-Missing_Function_Level_Access_Control