Facebook JavaScript and Security

Written by on August 8th, 2007 in Ajax News.

Neil Mix was skeptical that FBJS could be secure. He then quickly found a couple of holes but didn’t disclose them until he had chatted with the Facefolk.

Neil is publishing the exploits after they are fixed. What a nice white hat he wears:

Facebook Security Hole #1:

The first security hole was the easiest and least interesting hack. It bypasses access control #1 by making use of an old, arcane behavior of the setTimeout method, namely that you can pass a string as the code to execute:

JAVASCRIPT:

    setTimeout("alert('arbitrary JavaScript')", 1);

Facebook (or more specifically Marcel Laverdet) fixed this by checking the datatype of the first argument to setTimeout.
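The datatype check described above, as an added example in plain JavaScript rather than Facebook's own FBJS code. It wraps the host setTimeout so that a sandboxed caller can only schedule a function, never a string; the wrapper and sandbox names are assumptions, not anything from FBJS.

```javascript
// Added example (not FBJS code): enforce "first argument must be a function"
// on setTimeout before exposing it to untrusted application code.

// Capture the host timer before any sandboxed code can shadow the name.
const hostSetTimeout = setTimeout;

// Only callables are allowed; a string would be evaluated as source code by
// the legacy setTimeout(string, delay) form.
function isAllowedCallback(arg) {
  return typeof arg === 'function';
}

// Assumed wrapper: same signature as setTimeout, but refuses non-functions.
function guardedSetTimeout(callback, delay) {
  if (!isAllowedCallback(callback)) {
    throw new TypeError(
      'setTimeout: first argument must be a function, got ' + typeof callback
    );
  }
  return hostSetTimeout(callback, delay);
}

// Assumed shape of the object handed to sandboxed app code: it gets the
// guarded wrapper under the familiar name, not the host function.
function makeSandboxGlobals() {
  return { setTimeout: guardedSetTimeout };
}

// Regression check: a string payload is refused with a TypeError while a
// real function is still scheduled normally.
function demo() {
  const sandbox = makeSandboxGlobals();
  let refused = false;
  try {
    sandbox.setTimeout("alert('arbitrary JavaScript')", 1);
  } catch (e) {
    refused = e instanceof TypeError;
  }
  const handle = sandbox.setTimeout(function () {}, 0);
  clearTimeout(handle); // keep the process from waiting on the timer
  return refused;
}
```

The check is deliberately `typeof === 'function'` rather than "not a string", so that other non-callable values (objects with a `toString`, for instance) are also rejected.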

Facebook Security Hole #2

Neil got access to running arbitrary code via the Function constructor.

JAVASCRIPT:

    var F = (function(){}).constructor;
    var exploit = new F("alert('arbitrary code')");
    exploit();

The fix was simple:

JAVASCRIPT:

    Function.prototype.constructor = null;
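An added example, not the page's or Facebook's code, that turns the fix above into a regression check: it probes whether the `.constructor` route quoted in the report still reaches a working Function constructor, applies the fix, and probes again. The helper names and the restore step are assumptions for running the check in a throwaway process.

```javascript
// Added example (not FBJS code): verify that nulling
// Function.prototype.constructor closes the .constructor route.

// Walks from an ordinary function to its constructor, the way the report
// does, and reports whether that value can still compile source text.
// The compiled body is harmless on purpose; only compilability matters.
function probeReachesFunctionConstructor() {
  const F = (function () {}).constructor;
  if (typeof F !== 'function') return false;
  try {
    const compiled = new F('return 42;');
    return compiled() === 42;
  } catch (e) {
    return false;
  }
}

// Remember the original so the process can be put back after the check.
const originalCtor = Function.prototype.constructor;

// The fix as published: inherited .constructor lookups now yield null.
function applyConstructorFix() {
  Function.prototype.constructor = null;
}

function undoConstructorFix() {
  Function.prototype.constructor = originalCtor;
}

// Before/after comparison: true before the fix, false after it.
function demo() {
  const before = probeReachesFunctionConstructor();
  applyConstructorFix();
  const after = probeReachesFunctionConstructor();
  undoConstructorFix();
  return { before, after };
}
```

The probe only exercises the specific route the report describes, an own-property lookup of `.constructor` on a function object; it is a test for this fix, not a general audit of the sandbox.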

Neil has four more in the bag, so hopefully we will see them as soon as Facebook fixes them. It is good to see the community working with Facebook on the issues, instead of just throwing up their arms.

Source: Ajaxian
Original Article: http://feeds.feedburner.com/~r/ajaxian/~3/141941277/facebook-javascript-and-security
