Researchers at Symantec have uncovered a way to fool Facebook users into defeating the social network’s defense against cross-site request forgery attacks.
Known as CSRF for short, cross-site request forgery attacks are a type of attack where the attackers use an authenticated session on a Website to perform unauthorized actions on the site. Guarding against these attacks are Anti-CSRF tokens, which are typically random, unique tokens generated by the Website. In order to generate a CSRF token, the attackers have to figure out the Anti-CSRF token, which in turn makes the attacks harder to execute.
As a result of the CSRF attack, a malicious link is posted on the victim’s Facebook page using the stolen token, potentially further propagating the attack.
Facebook spokesperson Frederic Wolens told SecurityWeek that engineers have been working to deal with the problem of Anti-CSRF token hijacking by adding enforcement mechanisms to shutdown malicious pages and fake accounts. In addition, Facebook has also been working with browser vendors to “ensure their features are not being maliciously exploited.”
In addition to the CSRF attack, Facebook security was also put under the lens recently when security researcher Nathan Power discovered a way to upload executables to Facebook. Essentially, he uncovered a bug that enabled him to send a Facebook message with an attachment. Facebook downplayed the attack however, noting the Messages feature does not rely solely on string matching to detect potentially malicious files but also has antivirus protection scanning every message. Power’s attack, as demonstrated, would only allow one user to send an obfuscated renamed file to another user, but would not automatically execute on the recipient’s machine.
This means that just like with the Anti-CSRF token stealing scheme success for the attacker relies on social engineering.
“Educating users is one of the primary tools to combat social engineering attacks,” said Ben Greenbaum, senior research manager for Symantec Security Response. “Users should be taught what to watch out for and to avoid divulging any potentially sensitive information online.”