There are many unpatched loopholes or flaws in the Facebook website that allow hackers to inject external links or images into a wall, hijack any Facebook account, or bypass your privacy settings. Today we report another unfixed Facebook app vulnerability that allows a hacker to spoof the content of any Facebook app easily.
Nir Goldshlager from Break Security today exposed another major flaw that allows a hacker to post spoofed messages to a wall from trusted applications such as Saavn, Candy Crush, Spotify, Pinterest, or really any other application on Facebook.
In 2012, Facebook's publishing method, called stream.publish, and the Stream Publish Dialog looked like the following:
Here the app_id and attachment (swfsrc, imgsrc, href) parameters can be targeted by hackers: the app_id value is set to the application ID of any application you want to spoof (Saavn, Spotify, etc.), and the attacker supplies attachment parameters such as swfsrc and imgsrc.
If the "Stream post URL security" option is disabled by the developer of that application, the hacker can use any remotely hosted swf file as the attachment parameter.
"Every time a victim visits my wall post, they will see content spoofing from a Facebook application that they generally trust. Clicking the link on the post makes an swf file from the external website execute on his client machine," Nir said.
But in 2013, Facebook changed the stream.publish posting mechanism and introduced new parameters, as explained below:
A few examples are given below:
Diamond Dash: https://www.facebook.com/dialog/feed?app_id=127995567256931&link=http://nmap.org/dist/nmap-6.20BETA1-setup.exe&picture=http://www.topandroidapplication.com/wp-content/uploads/2013/04/diamond-dash.png&name=Diamond%20Dash%20For%20Windows&%20caption=http://facebook.com&description=&%20redirect_uri=https://facebook.com
Skype: https://www.facebook.com/dialog/feed?app_id=260273468396&link= https://touch.facebook.com/apps/sdfsdsdsgs &picture=http://he.downloadastro.com/static/files/24/3b/29/243b29a6163cc99e359f4c354422f238.jpg&name=Download%20Skype%20New%20Version&%20caption=http://skype.com&description=&%20redirect_uri=https://facebook.com
Spoofing these parameters again allows one to spoof the content of any Facebook app, and the flaw is still unpatched. This technique can be widely used by cyber crooks to social engineer Facebook users or to install malware on their systems.
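The root cause in both the 2012 stream.publish case and the 2013 feed dialog examples above is the same: the platform accepts an app_id together with link and picture attachments that point anywhere, so a post carries a trusted app's identity with attacker-chosen content. The "Stream post URL security" option mentioned earlier is exactly the kind of check that closes this: attachment URLs must belong to hosts the application has registered. The following is an added example, not Facebook's code and not Nir Goldshlager's, that models such a check over a feed-dialog URL. The APP_ALLOWED_HOSTS registry, the app IDs and the hostnames in the sample URLs are all constructed placeholders; the parameter names (app_id, link, picture, caption, redirect_uri) are the ones shown in the examples on this page.

```python
from urllib.parse import urlparse, parse_qs

# Hypothetical registry: app_id -> hostnames the app is allowed to link to or
# attach images from. Constructed values; these are not real Facebook app IDs.
APP_ALLOWED_HOSTS = {
    "1000000000000001": {"example-game.test", "cdn.example-game.test"},
    "1000000000000002": {"example-voip.test"},
}

# The attachment parameters from the 2013 feed dialog that carry external URLs.
ATTACHMENT_PARAMS = ("link", "picture")


def host_allowed(host, allowed_hosts):
    """True if host equals an allowed host or is a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def check_feed_dialog(url, registry=APP_ALLOWED_HOSTS):
    """Validate a feed-dialog URL the way a 'post URL security' check would.

    Returns a dict with the app_id, an overall verdict and a list of findings
    describing every attachment parameter that points outside the app's
    registered hosts.
    """
    query = urlparse(url).query
    raw = parse_qs(query, keep_blank_values=True)
    # Keys and values can arrive with stray whitespace (the page's own examples
    # contain "&%20caption=" and "link= https://..."), so normalise both.
    params = {k.strip(): [v.strip() for v in vs] for k, vs in raw.items()}

    app_id = (params.get("app_id") or [""])[0]
    allowed = registry.get(app_id)
    if allowed is None:
        return {"app_id": app_id, "ok": False,
                "findings": [f"unknown app_id {app_id!r}"]}

    findings = []
    for name in ATTACHMENT_PARAMS:
        for value in params.get(name, []):
            if not value:
                continue  # empty attachment, nothing external to validate
            host = (urlparse(value).hostname or "").lower()
            if not host_allowed(host, allowed):
                findings.append(
                    f"{name} points to {host!r}, which is not a registered "
                    f"host for app {app_id}")
    return {"app_id": app_id, "ok": not findings, "findings": findings}


# Constructed sample dialogs, shaped like the page's examples but with
# placeholder app IDs and hostnames.
SPOOFED_DIALOG = (
    "https://www.facebook.com/dialog/feed?app_id=1000000000000001"
    "&link=http://downloads.example-attacker.test/setup.exe"
    "&picture=http://images.example-attacker.test/logo.png"
    "&name=Example%20Game%20For%20Windows&%20caption=http://facebook.com"
    "&description=&%20redirect_uri=https://facebook.com"
)
LEGIT_DIALOG = (
    "https://www.facebook.com/dialog/feed?app_id=1000000000000001"
    "&link=https://example-game.test/play"
    "&picture=https://cdn.example-game.test/logo.png&name=Example%20Game"
)
UNKNOWN_APP_DIALOG = (
    "https://www.facebook.com/dialog/feed?app_id=9999999999999999"
    "&link=https://example-game.test/play"
)

if __name__ == "__main__":
    for label, dialog in (("spoofed", SPOOFED_DIALOG),
                          ("legitimate", LEGIT_DIALOG),
                          ("unknown app", UNKNOWN_APP_DIALOG)):
        result = check_feed_dialog(dialog)
        print(label, "->", "accepted" if result["ok"] else "rejected")
        for finding in result["findings"]:
            print("   ", finding)
```

The check deliberately matches on the hostname of each attachment rather than on the visible caption or name text, since those are free-form and cannot be validated; what a defender can anchor on is the relationship between the app_id and the hosts its attachments resolve to. Treating an unknown app_id as a rejection, rather than skipping validation, avoids the failure mode where an unregistered or mistyped ID bypasses the check entirely.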