Standard Application Attack Vectors Still Viable – Injection and Access Control Vulnerabilities

Arul Kumar, a 21 year old electronics & communication engineer from Tamil Nadu, India, recently discovered a critical bug in Facebook that permits the attacker to delete any photo from Facebook without user interaction.

Initially, the Facebook security staff was unable to verify this vulnerability.  After he sent them a video recording of his proof of concept, the Facebook team acknowledged his finding.  In that video Mr. Kumar exploited Mark Zuckerberg’s account, creating a deletion request link for one of Mr. Zuckerberg’s photos.

So, what use is this example to the Financial Services technical community?

Mr. Kumar took advantage of a commonly identified vulnerability in web and mobile applications.  He manually modified two parameters upon which Facebook servers would take critical actions. This particular injection attack modified Facebook’s ‘Photo_id’ and ‘Profile_id’ parameters.

Apparently, Facebook applications simply trusted these inputs from what were clearly untrustworthy endpoints.

Remember, applications must never trust user input.  Developers can remember this using the phrase “all input is evil.”  User input needs some level of sanity-checking — generally called input validation.  The Open Web Application Security Project (OWASP) Top 10 refers to this as its #1 vulnerability — ‘Injection’ at https://www.owasp.org/index.php/Top_10_2013-A1-Injection.

Because this attack also allowed an attacker to delete others’ content, Facebook access controls were also vulnerable to abuse. This vulnerability, and approaches to dealing with it, are also outlined in OWASP #7, https://www.owasp.org/index.php/Top_10_2013-A7-Missing_Function_Level_Access_Control.

All Financial Services applications, even those shiny new mobile apps, need to safety-check user input.  Applications also need to verify, on the server side, that a function is only performed for users who have been explicitly granted access to it.
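The two mistakes described above can be made concrete in a few lines. The following is an added example, not Facebook’s code or anything from Mr. Kumar’s write-up: a framework-free model of a photo-deletion handler in which the weak version trusts both ‘photo_id’ and ‘profile_id’ from the request, and the hardened version validates the input, takes the caller’s identity from the authenticated session instead of the request, checks ownership against the server-side record, and logs denied attempts so tampering is visible to monitoring. The store contents, account ids and identifier format are constructed assumptions.

```python
"""Added example: parameter tampering on a photo-deletion endpoint.

Constructed, framework-free model of the two mistakes the post describes:
trusting request parameters and skipping a server-side ownership check.
Not Facebook's code; identifiers and data are made up for illustration.
"""
import re
from copy import deepcopy

# Constructed sample store: photo id -> record naming the owning account.
SAMPLE_PHOTOS = {"1001": {"owner": "u_alice"}, "1002": {"owner": "u_bob"}}

# Allow-list for identifiers: digits only, bounded length (assumed format).
ID_RE = re.compile(r"^[0-9]{1,20}$")


def delete_photo_vulnerable(params, store):
    """Weak handler: both photo_id and profile_id come from the request.

    The ownership check compares two attacker-controlled values, so a
    request that names the victim's profile_id passes it trivially.
    """
    photo = store.get(params.get("photo_id"))
    if photo is None:
        return "not_found"
    if photo["owner"] != params.get("profile_id"):
        return "denied"
    del store[params["photo_id"]]
    return "deleted"


def delete_photo_hardened(params, session_user, store, audit_log):
    """Hardened handler.

    1. Input validation: photo_id must match the allow-list pattern.
    2. Identity comes from the authenticated session, never from params;
       any profile_id present in the request is ignored.
    3. Authorization: the server-side record must name session_user as owner.
    Every rejected request is recorded so tampering shows up in monitoring.
    """
    photo_id = params.get("photo_id", "")
    if not ID_RE.fullmatch(photo_id):
        audit_log.append(("invalid_input", session_user, photo_id))
        return "invalid"
    photo = store.get(photo_id)
    # Same answer for missing and foreign photos: no oracle for valid ids.
    if photo is None or photo["owner"] != session_user:
        audit_log.append(("denied", session_user, photo_id))
        return "denied"
    del store[photo_id]
    audit_log.append(("deleted", session_user, photo_id))
    return "deleted"


def demo():
    """Run one tampered request against both handlers; return the outcomes."""
    # Constructed tampered request: u_mallory asks to delete u_bob's photo
    # and supplies u_bob's profile_id to satisfy the weak check.
    tampered = {"photo_id": "1002", "profile_id": "u_bob"}

    store_a = deepcopy(SAMPLE_PHOTOS)
    weak = delete_photo_vulnerable(tampered, store_a)

    store_b = deepcopy(SAMPLE_PHOTOS)
    log = []
    strong = delete_photo_hardened(tampered, "u_mallory", store_b, log)
    # The legitimate owner can still delete their own photo.
    owner = delete_photo_hardened({"photo_id": "1002"}, "u_bob", store_b, log)

    return {"weak": weak, "strong": strong, "owner": owner,
            "store_a": store_a, "store_b": store_b, "log": log}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the hardened version is not the regular expression; it is that nothing the client sends decides whose photo may be deleted. The profile_id parameter is simply never read, and the owner comparison is made against the session and the server’s own record.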

This work is a clear candidate for integration into your application security program.  Use it to show how creative individuals are able to exploit any and all input and access control vulnerabilities in your applications.  Any Financial Security organization would ignore such well organized and clearly stated work at its peril.

I also strongly recommend using OWASP resources.  They are free and easy to understand.  They include mature high level guidance as well as help for designers and developers.

REFERENCES:

“Delete any Photo from Facebook by Exploiting Support Dashboard.” by Arul Kumar
http://arulxtronix.blogspot.in/2013/09/delete-any-photo-from-facebook-by.html

Open Web Application Security Project (OWASP) Top 10
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Top 10 2013-A1-Injection
https://www.owasp.org/index.php/Top_10_2013-A1-Injection

Top 10 2013-A7-Missing Function Level Access Control
https://www.owasp.org/index.php/Top_10_2013-A7-Missing_Function_Level_Access_Control
