Two doctoral students in the IU School of Informatics and Computing discovered a Facebook security vulnerability that allows malicious websites to access a user’s personal information without permission. Facebook repaired the problem within a few hours of its notification.
Rui Wang and Zhou Li discovered the vulnerability in the middle of January and studied the problem for a couple of weeks before notifying Facebook.
Wang and Li are security researchers who study different web systems to find security problems.
“Facebook is one of our interests because it has 500 million people’s real data, and any leak of such data can be critical to the users,” Wang said. “We tried to look into the details of communication among Facebook, the user and the website by reading and debugging the JavaScript code loaded to the browser line by line. By assuming that the website is malicious, we finally figured out that the website is able to steal the user’s data and post bogus messages on behalf of the user by impersonating a legitimate website such as ESPN.”
The vulnerability enabled malicious websites to impersonate legitimate websites and obtain the same Facebook data access permissions that the legitimate advertisers received, Wang said.
If a user tells Facebook that he or she is willing to share information with a website such as ESPN or YouTube, Facebook sends an authentication token back to the requesting website for identification. Whoever holds that token can present it to Facebook to prove who they are and then gain access to the user’s data.
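The token flow described above rests on a simple property: a token is only as safe as the set of parties that can redeem it. The following is an added illustration, not Facebook’s code or the researchers’ code, of the difference between a token that any holder can redeem and one that is bound to the site it was issued for. All names (`issue_token`, `bearer_access`, `audience_bound_access`, the `SECRET` value, the site names) are constructed for the example; the hardened check assumes the data endpoint can authenticate which site is presenting the token, which is exactly the property an impersonating site tries to defeat.

```python
# Added example (not code from the article or from Facebook).
# Models a consent token issued to a website and two ways the data
# endpoint might honor it.
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder; a real issuer uses a managed signing key.
SECRET = b"constructed-demo-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, site: str) -> str:
    """Issue a token after the user consents to share data with `site`.

    The token records the audience (the site it was issued for) and is
    HMAC-signed, so a holder cannot silently change who it is for.
    """
    payload = json.dumps({"sub": user_id, "aud": site}, sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str) -> Optional[dict]:
    """Return the token's claims if the signature is valid, else None."""
    try:
        p, s = token.split(".")
        payload, sig = _unb64(p), _unb64(s)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


def bearer_access(token: str, presenting_site: str) -> Optional[dict]:
    """Weak model: any party holding a valid token is served the data."""
    claims = verify_token(token)
    if claims is None:
        return None
    return {"user": claims["sub"], "served_to": presenting_site}


def audience_bound_access(token: str, presenting_site: str) -> Optional[dict]:
    """Hardened model: the token is honored only when presented by the
    site it was issued for. `presenting_site` is assumed to be established
    by the endpoint itself (e.g. from the authenticated request origin),
    never taken from the token holder's say-so.
    """
    claims = verify_token(token)
    if claims is None or not hmac.compare_digest(claims["aud"], presenting_site):
        return None
    return {"user": claims["sub"], "served_to": presenting_site}


if __name__ == "__main__":
    token = issue_token("user-123", "espn.example")
    print("bearer, other site:  ", bearer_access(token, "other.example"))
    print("bound, other site:   ", audience_bound_access(token, "other.example"))
    print("bound, issued site:  ", audience_bound_access(token, "espn.example"))
```

The contrast is the point: under the bearer model the endpoint cannot tell a legitimate site from one that obtained the token by impersonation, while the audience-bound check turns the question into “who is really presenting this token?”, which is where the defender must invest.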
“We documented it and confirmed that indeed it can happen. We reported it to Facebook with all the details and suggestions on how to fix it,” he said.
The problem was fixed in early February after Facebook officials received a message from Wang and Li notifying them of the problem.
“We’re not aware of any cases in which it was used maliciously,” Facebook officials said in an IU press release. “We thank the researchers at Indiana University for bringing this to our attention, and for demonstrating the value of responsible disclosure.”
The vulnerability affects any user with a valid Facebook account, because it lets any website strip the user of anonymity and privacy, Wang said.
“My first impression was that this is clearly a problem, and it was serious as it allowed malicious websites to do a lot of things,” Wang said.
Facebook allows some websites like Microsoft to directly access a user’s public data without explicit consent because of a contract between Facebook and Microsoft, Wang said.
The Ph.D. students worked with associate professor Xiaofeng Wang and Shuo Chen, a researcher in Microsoft Research’s Internet Services Research Center.
Li said the discovery was exciting.
“There was a problem with Facebook, and Facebook is a big site and should have strong protection,” he said. “I think this is a good opportunity to propagate IU School of Informatics and Computing, and this impacts students’ daily life.”
Students thwart Facebook threat