Slashdot Mirror

← Back to Stories (view on slashdot.org)

Huge Vulnerabilities In Facebook Chat and Messenger Exploitable With Basic HTML (helpnetsecurity.com)

Posted by msmash on from the security-woes dept.

An anonymous reader writes: Check Point's security research team has discovered vulnerabilities in Facebook's standard online Chat function, as well as Messenger app. The vulnerabilities, if exploited, would allow anyone to essentially take control of any message sent by Chat or Messenger, modify its contents, distribute malware and even insert automation techniques to outsmart security defences. To exploit the vulnerability, an attacker simply needed to identify the unique ID for the sent message he or she is targeting.According to the report, Facebook, in conjunction with Check Point's researchers, patched the vulnerability earlier this month.

24 of 40 comments (clear)

  1. After all these years... by __aaclcg7560 · · Score: 3, Funny

    You would think that the element was no longer a security threat.

  2. Re:No really? by myowntrueself · · Score: 2

    Here I was using Facebook chat for all my super secret communications.

    You must be in ISIS

    --
    In the free world the media isn't government run; the government is media run.
  3. How do you get the unique ID? by bluefoxlucid · · Score: 4, Interesting

    How do you identify the unique ID of the message? If the message is sent to you (or a group including you), I guess that works. How else?

    If message unique IDs are cryptographically secure--if they're 128-bit random GUIDs from a strong entropy source--then this is like saying an attacker only needs the unique private key to hijack Verisign. If they're akin to the ObjectID in MongoDB--datestamp, machine, process, and 24-bit random counter--then we can go fishing. If the ID is discoverable only by being the logged-in user, then you need a browser-end hijack or a TLS-breaking MITM, in which case there are any number of ways to invisibly send messages and not send messages the user types.

    --
    Support my political activism on Patreon.
    1. Re:How do you get the unique ID? by Opportunist · · Score: 1

      128 bits ain't necessarily 128 bits. Just giving me the bit depth of your key without telling me what kind of cipher, if any, you want to feed it to does not tell me anything about the security of your implementation.

      128 bits when all I have to do to find out whether I have the right 128 bits is to send a request with those 128 bits (potentially base64 encoded to get them transferred) and get a response, these 128 bits are rather trivial to crack. If I have to take the 128 bit value and do a complex computation (like in, say ECDH), you have a VERY different and much more complex operation at hand.

      The computational expense differs greatly between different operations on your "bits". A 512bit key in ECDH is as good as 15360 bit RSA/DH according to NIST. (ECRYPT even gave it a security equivalent of 15424bit RSA/DH).

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:How do you get the unique ID? by Anonymous Coward · · Score: 1

      Ugh.

      No.

      Symmetric and Asymmetric crypto are different. In asymmetric crypto everybody has one of the keys (the public key, hence public key cryptography), and the size of the key controls how hard it would be to figure out the corresponding private key but so does the algorithm used. So yes, key lengths with the same security in RSA and EC will be different.

      But with symmetric crypto the keys are _secret_. Short of a break, key length determines how many possible keys a bad guy has to try before they find yours. 128-bits is always 128-bits. You need just as many tries (far too many to ever complete) to guess the correct 128-bit AES key as to guess the correct 128-bit Twofish key.

      This scenario requires guessing 128 bits. Imagine you had an impossibly fast computer that can try a billion billion possibilities per second. In fact, a billion people just like you have these impossible computers. And you all want to work together to guess the right one. Too bad it'll take more than 10 000 years.

      Here's a good idea. When you're about to blather about how ECHD vs RSA is important in a thread about guessing 128-bit numbers, just write "Herp, derp, my brain doesn't work too good" and move on.

    3. Re:How do you get the unique ID? by bluefoxlucid · · Score: 3, Informative

      128 bits when all I have to do to find out whether I have the right 128 bits is to send a request with those 128 bits (potentially base64 encoded to get them transferred) and get a response, these 128 bits are rather trivial to crack.

      If you use a 3GHz CPU to INC from 0 to 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF (128 bits) at 1 cycle per INC, 3 billion increments per second, directly in register memory, it would take 3,600,000,000,000,000,000,000 years to count. The universe is 13,772,000,000 years old. That's 260,000,000,000 times the current age of the universe--19 times the square of the age of the universe.

      How trivial is trivial?

      --
      Support my political activism on Patreon.
    4. Re:How do you get the unique ID? by JustAnotherOldGuy · · Score: 1

      If you use a 3GHz CPU to INC from 0 to 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF (128 bits) at 1 cycle per INC, 3 billion increments per second, directly in register memory, it would take 3,600,000,000,000,000,000,000 years to count. The universe is 13,772,000,000 years old. That's 260,000,000,000 times the current age of the universe--19 times the square of the age of the universe.

      So you're saying I'd need two computers to crack it??

      --
      Just cruising through this digital world at 33 1/3 rpm...
    5. Re:How do you get the unique ID? by bluefoxlucid · · Score: 1

      There are approximately 2 billion computers in operation on the planet Earth today.

      If you utilized the full processing power of all 2 billion of those computers, you could count from 1 to 2^128 in 1,790,000,000,000 years or 130 times the age of the universe, assuming single-CPU operation. With an average of 6 execution units (6 core) per computer, the iteration can be completed in 298,000,000,000 years or 22 times the current age of the universe.

      That's strictly iterating at maximum speed; this excludes the time to make network tests or to compute local hashes or encryptions in an attempt to crack passwords or otherwise-obscured information. Such actions require several thousands to several billions times the amount of real-time.

      --
      Support my political activism on Patreon.
    6. Re:How do you get the unique ID? by JustAnotherOldGuy · · Score: 1

      With an average of 6 execution units (6 core) per computer, the iteration can be completed in 298,000,000,000 years or 22 times the current age of the universe.

      Okay, wait, so we're up to three computers now?? I'm not sure I have that many power outlets in my room.

      --
      Just cruising through this digital world at 33 1/3 rpm...
  4. Re:Why do people still use Facebook? by Alain+Williams · · Score: 1

    Most people do not care; if something goes wrong they will find someone else to blame. Neither do they care that their information is being sold.

  5. developers need to fix by Richasolutions · · Score: 1

    It has been seen many times that big websites have huge holes in their security. I believe they can fix everything as there are millions of users who use facebook everyday.

  6. Re: Why do people still use Facebook? by Ralgha · · Score: 1

    I deleted my Facebook account years ago and I don't miss it at all. It's a great tool for companies to exploit consumers though, that's probably its main purpose these days.

  7. Who cares? by Opportunist · · Score: 1

    If you only give half a shit about your privacy and you're using anything that as much as touches Facebook, you're doing it wrong.

    With exploit, without exploit, the difference matters only to Facebook, i.e. whether they have to share your private data with someone else. To you, the difference is negligible.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Re:Why do people still use Facebook? by queBurro · · Score: 2

    basically, it's pubsub for pics of cats and a big kevin-bacon-esque address book of people who want to be found by people they once knew.

    --
    sag
  9. Messenger and Payments? by JimMcc · · Score: 4, Insightful

    And Facebook wants to use the messenger app to send payments? If they have this much trouble with basic security over social chatting, why should we trust them to handle payment processing? If you can't do the simple things right, you certainly can't be expected to successfully accomplish the difficult things.

  10. Re:Why do people still use Facebook? by Anonymous Coward · · Score: 1

    Most people do not care; if something goes wrong they will find someone else to blame. Neither do they care that their information is being sold.

    FB is an excellent disinfo platform. I don't care my disinformation is being sold. It's a feature. ;)

  11. Node and REST? by clifwlkr · · Score: 2, Insightful

    This is what you get when you hire a bunch of developers doing straight RESTful interfaces on top of MongoDB having no idea what they are actually doing. I am amazed at the lack of security I see in most of the software developed these days, and while RESTful can be a great approach, people also need to realize how open and easy to abuse it really is.

    It really is funny how all of these things we solved ages ago are having to be redone because now we have a new platform that doesn't just give you all of this built in. Hopefully the node level javascript developers can be taught the importance of actual security and designing an enterprise/internet level system and what that means, but with trends like 'microservices' being the rage, I somehow doubt that.

    This is the difference between being a programmer, and being an engineer.

    Rant off....

  12. Not HTML, lol by campuscodi · · Score: 1

    HTTP requests are not HTML code.

  13. HTML Chat sucks by sycodon · · Score: 1

    EVERY HTML app I've ever used sucked royally.

    Delays, dropped letters, crashes.

    Barely one step above two tin cans and some string.

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
  14. This is why..... by TheCarp · · Score: 2

    This is why the moment I got my new phone I started disabling things. This is why the moment I saw that half the apps on my phone wanted permission to use the camera and microphone, all but 4 of them got denied that going forward.

    I garauntee you facebook apps have these permissions and don't need them. The camera app takes photos, camera access is not even needed to access already stored photos....its off.

    --
    "I opened my eyes, and everything went dark again"
    1. Re:This is why..... by JustAnotherOldGuy · · Score: 1

      This is why the moment I got my new phone I started disabling things. . . .The camera app takes photos, camera access is not even needed to access already stored photos....its off.

      Here's the thing, though- you unchecked the box revoking its permissions, but is it really off? How would we really know without being able to audit or examine the code?

      For all we know, turning off the permissions may just put it in "extra sneaky" mode. Honestly, given the current predatory and exploitative nature of advertising, this wouldn't surprise me a bit.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:This is why..... by TheCarp · · Score: 2

      Anyone who has read Reflections on Trusting Trust should, of course, be able to ask that question and answer it. Of course its possible, but who are you going to trust?

      Fact is, this program exists, and is exploitable. *IF* we trust that the permissions work, then we can conclude that leaving them open leaves an explotable program open to misusing them at the request of a person who exploits it.

      By turning off this permission, I can hope that this attempt will fail, and even expect it will. I can't say with any certainty that I know for sure it will, or that it is not circumventable, but.... there are limits to how far down the rabbit hole its useful for me to go if I want to be able to discuss or do anything. At some point the conclusion is either "don't buy a phone" or "accept that I have to trust someone".

      --
      "I opened my eyes, and everything went dark again"
  15. What?? Impossible! by JustAnotherOldGuy · · Score: 1

    I can hardly believe this- I mean, Facebook has always had such a spotless record when it comes to security!

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:What?? Impossible! by bahrdo · · Score: 1

      But... But... they held hacking competitions to find the best hackers to hire. How can their security be bad?