Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Security Facebook Privacy Social Networks

Huge Vulnerabilities In Facebook Chat and Messenger Exploitable With Basic HTML (helpnetsecurity.com) 40

Posted by msmash from the security-woes dept.
An anonymous reader writes: Check Point's security research team has discovered vulnerabilities in Facebook's standard online Chat function, as well as Messenger app. The vulnerabilities, if exploited, would allow anyone to essentially take control of any message sent by Chat or Messenger, modify its contents, distribute malware and even insert automation techniques to outsmart security defences. To exploit the vulnerability, an attacker simply needed to identify the unique ID for the sent message he or she is targeting.According to the report, Facebook, in conjunction with Check Point's researchers, patched the vulnerability earlier this month.
This discussion has been archived. No new comments can be posted.

Huge Vulnerabilities In Facebook Chat and Messenger Exploitable With Basic HTML More

Huge Vulnerabilities In Facebook Chat and Messenger Exploitable With Basic HTML

Comments Filter:

  • After all these years... (Score:4, Funny)

    by __aaclcg7560 ( 824291 ) on Tuesday June 07, 2016 @10:51AM (#52267307)
    You would think that the <blink> element was no longer a security threat.

  • How do you get the unique ID? (Score:5, Interesting)

    by bluefoxlucid ( 723572 ) on Tuesday June 07, 2016 @11:07AM (#52267411) Homepage Journal

    How do you identify the unique ID of the message? If the message is sent to you (or a group including you), I guess that works. How else?

    If message unique IDs are cryptographically secure--if they're 128-bit random GUIDs from a strong entropy source--then this is like saying an attacker only needs the unique private key to hijack Verisign. If they're akin to the ObjectID in MongoDB--datestamp, machine, process, and 24-bit random counter--then we can go fishing. If the ID is discoverable only by being the logged-in user, then you need a browser-end hijack or a TLS-breaking MITM, in which case there are any number of ways to invisibly send messages and not send messages the user types.

    • 128 bits ain't necessarily 128 bits. Just giving me the bit depth of your key without telling me what kind of cipher, if any, you want to feed it to does not tell me anything about the security of your implementation.

      128 bits when all I have to do to find out whether I have the right 128 bits is to send a request with those 128 bits (potentially base64 encoded to get them transferred) and get a response, these 128 bits are rather trivial to crack. If I have to take the 128 bit value and do a complex computa

      • Re: (Score:1)

        by Anonymous Coward

        Ugh.

        No.

        Symmetric and Asymmetric crypto are different. In asymmetric crypto everybody has one of the keys (the public key, hence public key cryptography), and the size of the key controls how hard it would be to figure out the corresponding private key but so does the algorithm used. So yes, key lengths with the same security in RSA and EC will be different.

        But with symmetric crypto the keys are _secret_. Short of a break, key length determines how many possible keys a bad guy has to try before they find you

      • Re:How do you get the unique ID? (Score:4, Informative)

        by bluefoxlucid ( 723572 ) on Tuesday June 07, 2016 @12:28PM (#52268003) Homepage Journal

        128 bits when all I have to do to find out whether I have the right 128 bits is to send a request with those 128 bits (potentially base64 encoded to get them transferred) and get a response, these 128 bits are rather trivial to crack.

        If you use a 3GHz CPU to INC from 0 to 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF (128 bits) at 1 cycle per INC, 3 billion increments per second, directly in register memory, it would take 3,600,000,000,000,000,000,000 years to count. The universe is 13,772,000,000 years old. That's 260,000,000,000 times the current age of the universe--19 times the square of the age of the universe.

        How trivial is trivial?

        • If you use a 3GHz CPU to INC from 0 to 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF (128 bits) at 1 cycle per INC, 3 billion increments per second, directly in register memory, it would take 3,600,000,000,000,000,000,000 years to count. The universe is 13,772,000,000 years old. That's 260,000,000,000 times the current age of the universe--19 times the square of the age of the universe.

          So you're saying I'd need two computers to crack it??

          • There are approximately 2 billion computers in operation on the planet Earth today.

            If you utilized the full processing power of all 2 billion of those computers, you could count from 1 to 2^128 in 1,790,000,000,000 years or 130 times the age of the universe, assuming single-CPU operation. With an average of 6 execution units (6 core) per computer, the iteration can be completed in 298,000,000,000 years or 22 times the current age of the universe.

            That's strictly iterating at maximum speed; this excludes

            • With an average of 6 execution units (6 core) per computer, the iteration can be completed in 298,000,000,000 years or 22 times the current age of the universe.

              Okay, wait, so we're up to three computers now?? I'm not sure I have that many power outlets in my room.

  • Choppa four reporting - huge chemical fire downtown this morning, smoke can be seen for miles, massive flames and explosions In other news, local firefighters and teams from surrounding counties put out the fire last week....
  • It has been seen many times that big websites have huge holes in their security. I believe they can fix everything as there are millions of users who use facebook everyday.

  • If you only give half a shit about your privacy and you're using anything that as much as touches Facebook, you're doing it wrong.

    With exploit, without exploit, the difference matters only to Facebook, i.e. whether they have to share your private data with someone else. To you, the difference is negligible.

  • Messenger and Payments? (Score:5, Insightful)

    by JimMcc ( 31079 ) on Tuesday June 07, 2016 @11:28AM (#52267533) Homepage

    And Facebook wants to use the messenger app to send payments? If they have this much trouble with basic security over social chatting, why should we trust them to handle payment processing? If you can't do the simple things right, you certainly can't be expected to successfully accomplish the difficult things.

  • Node and REST? (Score:3, Insightful)

    by clifwlkr ( 614327 ) on Tuesday June 07, 2016 @11:52AM (#52267705)
    This is what you get when you hire a bunch of developers doing straight RESTful interfaces on top of MongoDB having no idea what they are actually doing. I am amazed at the lack of security I see in most of the software developed these days, and while RESTful can be a great approach, people also need to realize how open and easy to abuse it really is.

    It really is funny how all of these things we solved ages ago are having to be redone because now we have a new platform that doesn't just give you all of this built in. Hopefully the node level javascript developers can be taught the importance of actual security and designing an enterprise/internet level system and what that means, but with trends like 'microservices' being the rage, I somehow doubt that.

    This is the difference between being a programmer, and being an engineer.

    Rant off....
  • HTTP requests are not HTML code.

  • This is why..... (Score:3)

    by TheCarp ( 96830 ) <sjc.carpanet@net> on Tuesday June 07, 2016 @01:26PM (#52268461) Homepage

    This is why the moment I got my new phone I started disabling things. This is why the moment I saw that half the apps on my phone wanted permission to use the camera and microphone, all but 4 of them got denied that going forward.

    I garauntee you facebook apps have these permissions and don't need them. The camera app takes photos, camera access is not even needed to access already stored photos....its off.

    • This is why the moment I got my new phone I started disabling things. . . .The camera app takes photos, camera access is not even needed to access already stored photos....its off.

      Here's the thing, though- you unchecked the box revoking its permissions, but is it really off? How would we really know without being able to audit or examine the code?

      For all we know, turning off the permissions may just put it in "extra sneaky" mode. Honestly, given the current predatory and exploitative nature of advertising, this wouldn't surprise me a bit.

      • Re: (Score:3)

        by TheCarp ( 96830 )

        Anyone who has read Reflections on Trusting Trust should, of course, be able to ask that question and answer it. Of course its possible, but who are you going to trust?

        Fact is, this program exists, and is exploitable. *IF* we trust that the permissions work, then we can conclude that leaving them open leaves an explotable program open to misusing them at the request of a person who exploits it.

        By turning off this permission, I can hope that this attempt will fail, and even expect it will. I can't say with a

  • I can hardly believe this- I mean, Facebook has always had such a spotless record when it comes to security!

    • Re: (Score:1)

      by bahrdo ( 4474519 )

      But... But... they held hacking competitions to find the best hackers to hire. How can their security be bad?

Slashdot Top Deals

Get hold of portable property. -- Charles Dickens, "Great Expectations"

Close