Slashdot Mirror


Facebook's URL Scanner Vulnerable To Cloaking Attack

Facebook's recent move to scan for malicious URLs sounded like a pretty good idea, but itwbennett writes with word that it's already been bypassed. "'Hatter,' a member of hacking think-tank Blackhat Academy, provided a live demonstration, which involved posting the URL to a JPEG file on a wall. Facebook crawled the URL and added a thumbnail image to the wall post, however, clicking on its corresponding link actually redirected users to YouTube. This happened because the destination page was able to identify Facebook's original request and served a JPEG file. Earlier this week, Facebook signed a partnership with Websense to use the security vendor's cloud-based, real-time Web scanner for malicious URL detection. Blackhat Academy has now provided proof-of-concept code, which, according to its advisory, can be used to bypass it."
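As an added example (not from the story, Websense, or Blackhat Academy's proof of concept), here is the defender-side check a scanner needs against the trick described above: fetch the same URL under more than one identity and flag any answer that depends on who asked. The identities, hosts and responses below are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Probe:
    """One fetch of the same URL, made under a particular fetch identity."""
    identity: str      # who asked, e.g. "facebook-crawler" or "user-browser"
    status: int        # final HTTP status after following redirects
    content_type: str  # Content-Type of the final response
    final_url: str     # where the redirect chain ended

def _norm_type(content_type: str) -> str:
    # "image/jpeg; charset=binary" and "IMAGE/JPEG" are the same thing.
    return content_type.split(";", 1)[0].strip().lower()

def cloaking_verdict(probes):
    """Return (cloaked, reasons) for a set of probes of one URL.

    A scanner that fetches once, as itself, only learns what the server chose
    to show the scanner. Fetching as two or more identities and demanding the
    answers agree turns the cloaking trick into the signal: any identity-
    dependent change in destination, content type or status class is flagged.
    """
    if len(probes) < 2:
        return False, ["need at least two fetch identities to compare"]
    base = probes[0]
    reasons = []
    for p in probes[1:]:
        if p.final_url != base.final_url:
            reasons.append(f"{base.identity} ends at {base.final_url}, "
                           f"{p.identity} ends at {p.final_url}")
        if _norm_type(p.content_type) != _norm_type(base.content_type):
            reasons.append(f"{base.identity} got {base.content_type}, "
                           f"{p.identity} got {p.content_type}")
        if (base.status // 100) != (p.status // 100):
            reasons.append(f"{base.identity} got HTTP {base.status}, "
                           f"{p.identity} got HTTP {p.status}")
    return bool(reasons), reasons

# Constructed sample: the behaviour described in the story, with made-up hosts.
CLOAKED = [
    Probe("facebook-crawler", 200, "image/jpeg", "https://cloak.example/cat.jpg"),
    Probe("user-browser", 200, "text/html; charset=utf-8", "https://www.youtube.com/"),
]
# Constructed sample: an honest image link answers everyone the same way.
HONEST = [
    Probe("facebook-crawler", 200, "image/jpeg", "https://photos.example/cat.jpg"),
    Probe("user-browser", 200, "IMAGE/JPEG", "https://photos.example/cat.jpg"),
]

if __name__ == "__main__":
    for name, sample in (("cloaked", CLOAKED), ("honest", HONEST)):
        flagged, why = cloaking_verdict(sample)
        print(name, "->", "FLAG" if flagged else "ok", why)
```

The probes must come from genuinely different vantage points (different User-Agent, and ideally different source addresses), otherwise the server can tell them apart exactly as it told Facebook's crawler apart.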

8 of 34 comments

  1. Re:First Post by AliasMarlowe · · Score: 3, Funny

    Let me guess - you work as a web programmer for Facebook?

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  2. Irrelevant by Sqr(twg) · · Score: 2

    Yes, they managed to get facebook to use their image for a thumbnail. That says absolutely nothing about their ability to detect malicious links. (Rickrolling is not considered a malicious link in this context.) The request for the thumbnail probably originated from facebook's own servers. The malicious link detection comes from other IP addresses. TFA explains this.

  3. Raising money for security research company by Anonymous Coward · · Score: 2, Funny

    Guys, I've discovered that if you do


    <?php
    // Serve one thing to the scanner's fetch and another thing to everyone else.
    $certainUserAgent = false; // placeholder: the commenter's crawler check goes here
    if ($certainUserAgent) {
      print 'Something';
    } else {
      print 'Something else';
    }

    I'm going to start a security company, is anybody interested in hiring researchers for their operations. Corporate contracts start at $100,000.

  4. OMG! by Kaz+Kylheku · · Score: 2

    You mean URL's can be verified, and then later have the indecency to point to something else?

    Say it isn't so!

  5. Re:Irrelevant - You can use META TAGS! by duguk · · Score: 2

    Well I hope TFA explains it better than TFS.

    This happened because the destination page was able to identify Facebook's original request and served a JPEG file.

    Let's see, click a thumbnail, go to the third party server, which does whatever the hell it wants to with your request. Welcome to the intertubes.

    I also fail to see why this is a problem.

    You can set the thumbnail with the "link rel='image_src'" tags!
    Along with the title and description...

    No need for any server side code; it's all documented on OpenGraph.

  6. Must be... by ChinggisK · · Score: 2

    Romulans!

  7. I'm not saying it's aliens by symbolset · · Score: 2

    But it's aliens.

    --
    Help stamp out iliturcy.
  8. Wrong Build by TemperedAlchemist · · Score: 2

    Facebook should've constructed a comsat scanner, not a URL scanner.

    Silly facebook.