XSS using Facebook, Twitter open API – Addition

In the previous post, XSS using Facebook, Twitter open API, I mentioned that an open API could be abused through XSS on a consumer's web page. Some people misunderstood this and asked about it: the attack does not work on the Facebook page itself; it works on the consumer's page that was developed with the open API. I posted it to show a bad case of open API use and to demonstrate that it can be a threat to both service providers and users.

The APIs are not completely open to XSS either. Service providers have adopted a permission model that separates each feature by its own permission. A user has to confirm the requested permissions at the first access to each feature, such as login, feed, like and others (http://developers.facebook.com/docs/reference/login/#permissions).

API Permission of Facebook
API Permission of Yahoo App

But if the user has already granted the permissions for the features the attacker wants to use, no permission prompt appears. So the permission status and other such information are needed to build a payload, just as they are needed when developing an app with the API.

I used the Facebook APIs as the example, but other service providers have adopted similar API structures and features. The impact of the XSS depends on the consumer's circumstances, but it can be a threat in some environments. The key factor is that many consumers' pages are not protected against XSS. They should audit their pages, hide the app secret, and request only the minimum permissions.


XSS using Facebook, Twitter open API

Many SNS, app and online service providers are opening APIs that expose features of their services and can be used to expand their business. Service providers publish extensive documentation and samples for developers on various platforms such as web, app and mobile.

For example, Facebook provides APIs for Android, iOS and the web, implemented in PHP, JavaScript and other languages. A developer can use them to connect their login feature with Facebook, post feed messages, or add payments to their app.

But some APIs can be misused through the developer's (consumer's) services. If a developer implements a feature using an open API, the API provider's data and functions can be controlled through the developer's actions. So API providers only grant access to their resources to registered developers, to limit this threat. But registered does not mean secure. Even if the developer has no intention of attacking the API or the provider's data, the developer's app may have a vulnerability that lets someone else manipulate them. Twitter, Facebook, Google and other large-scale service providers routinely perform security reviews and testing of their services. However, API consumers such as web service providers, app developers and individuals often lack the resources and awareness needed to build a secure service.

Some APIs handle a user's credentials, profile and other information. For example, the Facebook Login API lets a developer's application use Facebook authorization: the application can log the user in with their Facebook credentials and use the user's Facebook information in its own service.

If the developer's application has an XSS vulnerability, an attacker can inject a crafted payload into its boards or pages and steal credentials such as the access token. With the victim's access token, the attacker can drive Facebook features, such as collecting the user's profile and spreading malicious feed posts.

This is my demonstration of XSS using the Facebook open API. XSS on a consumer's web page that uses the Login API can be used to steal the access_token. The XSS payload steals the user's access_token from the consumer's web page, and the attacker is then able to post a feed message with the stolen access_token.

1. The attacker injects an XSS payload into a post on the consumer's website.

2. The victim reads the post containing the XSS payload, and the payload sends the user's access_token to the attacker's server.

3. The attacker posts a feed message to the user's Facebook.

I will not go into the details of the payload or the tool, but if you read the API documents and have some experience with API development, you can understand it easily.
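The three fixes recommended in the addition above (escape user content, keep the app secret and the access token out of the delivered HTML, request only the permissions the page needs), as an added example that is not code from the original post; the function names, the config keys and the sample post are constructed for this illustration.

```python
"""Added example, not from the original post: server-side hardening of a
consumer board page that uses Facebook Login. Names and values are constructed."""
import html
import json

# Constructed board post containing an injection attempt.
SAMPLE_POST = '<img src=x onerror="alert(1)">hello'

PUBLIC_KEYS = ("appId", "version")   # the only config values the browser needs


def render_post_vulnerable(body):
    # Before: the post body is concatenated into the page verbatim, so any
    # markup or event handler in it runs in every reader's browser.
    return '<div class="post">%s</div>' % body


def render_post(body):
    # After: HTML-escape so user input is rendered as text, never as markup.
    return '<div class="post">%s</div>' % html.escape(body, quote=True)


def sdk_config(app_config, needed_scopes):
    """Public SDK settings only. app_secret stays on the server, and the
    requested scope is the minimum set of permissions the page uses."""
    cfg = {k: app_config[k] for k in PUBLIC_KEYS}
    cfg["scope"] = ",".join(sorted(needed_scopes))
    return cfg


def build_page(posts, app_config, needed_scopes):
    """Render the board page. After login the user's access token is kept in
    the server-side session; it is never written into this HTML."""
    body = "".join(render_post(p) for p in posts)
    init = json.dumps(sdk_config(app_config, needed_scopes))
    return '<script>window.sdkConfig = %s;</script>%s' % (init, body)


def page_leaks_secret(page_html, app_config):
    """Audit helper: flag pages that embed the app secret or a token literal."""
    return app_config["app_secret"] in page_html or "access_token" in page_html


if __name__ == "__main__":
    config = {"appId": "1234567890", "version": "v2.0", "app_secret": "s3cr3t"}  # constructed
    page = build_page([SAMPLE_POST], config, {"email"})
    print(page)
    print("leaks secret:", page_leaks_secret(page, config))
```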

[Python] Example for Sending POST request via HTTPS

When you develop a tool that interacts with an HTTPS server, sometimes you need code that sends a POST request over HTTPS. I searched for a good example for my tool but could not find one, so I adapted the code from the POST-over-HTTP example, and it works well. Here is the sample code.

>>> import httplib, urllib
>>> # Form-encode the body exactly as a browser would for a POST.
>>> params = urllib.urlencode({'@number': 12524, '@type': 'issue', '@action': 'show'})
>>> headers = {"Content-type": "application/x-www-form-urlencoded",
...            "Accept": "text/plain",
...            "Other": "Header"}
>>> # HTTPSConnection instead of HTTPConnection. Note that in Python 2 before
>>> # 2.7.9 HTTPSConnection does not verify the server certificate.
>>> conn = httplib.HTTPSConnection("bugs.python.org")
>>> conn.request("POST", "", params, headers)  # an empty path is sent as "/"
>>> response = conn.getresponse()
>>> print response.status, response.reason
>>> data = response.read()
>>> print data
>>> conn.close()
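The same form POST in Python 3, as an added example that is not the post's own snippet: http.client with a default SSL context, which verifies the server certificate and hostname, whereas Python 2's httplib.HTTPSConnection before 2.7.9 did not. The host, path and fields are the post's sample values; build_form_request and post_form are names chosen here.

```python
"""Added example (not from the post): form POST over HTTPS in Python 3 with
certificate verification. Function names are chosen for this illustration."""
import http.client
import ssl
from urllib.parse import urlencode


def build_form_request(fields):
    """Encode form fields and build the headers a form POST needs."""
    body = urlencode(fields)
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(body)),
        "Accept": "text/plain",
    }
    return body, headers


def post_form(host, path, fields, timeout=10):
    """POST `fields` to https://host/path and return (status, reason, body).
    ssl.create_default_context() requires a valid chain and checks the
    hostname, so a man-in-the-middle with a self-signed certificate fails."""
    body, headers = build_form_request(fields)
    context = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, context=context, timeout=timeout)
    try:
        conn.request("POST", path, body=body, headers=headers)
        resp = conn.getresponse()
        data = resp.read()
        return resp.status, resp.reason, data
    finally:
        conn.close()


if __name__ == "__main__":
    params = {"@number": 12524, "@type": "issue", "@action": "show"}
    status, reason, data = post_form("bugs.python.org", "/", params)
    print(status, reason)
    print(data.decode("utf-8", "replace"))
```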

Protect from Illegally Modified Apps

Android devices, and jailbroken iOS devices, can install apps without going through the official App Store or Market. Recently, ways to install apps on iOS without a jailbreak were released as well. This abnormal app distribution raises security issues: the threat of maliciously modified apps and the breaking of DRM. These issues come from app manipulation using reverse engineering. If you search for keywords like “android decompiler”, “iOS app modify” or “apktool”, you will find many ways to bypass authentication, change in-game money and do other surprising things.

An attacker can distribute modified apps to steal users' credentials, such as passwords and tokens, or to manipulate the service's features and processes. For example, in a banking app the attacker can change the login code so that the password is sent to the attacker's server as well as the authentication server, or so that when a user transfers money the receiving account number is replaced with the attacker's account. The attacker would distribute such an app through a black market, SMS or e-mail.

To protect against modified apps, there are approaches such as anti-reversing techniques and access control that checks the app's integrity. Anti-reversing techniques, such as code obfuscation and dynamic code downloading, make an app resist analysis and manipulation:

  • Source code obfuscation
  • Binary obfuscation
  • Native library (C or C++ instead of Java)
  • Core module update (frequently change the core routine)
  • Secure hardware (TrustZone, TSM)

But applying anti-reversing techniques alone is not sufficient to prevent service access from maliciously manipulated apps. Therefore, app integrity checking should be considered as well. An integrity checking process can determine whether the connecting app has been modified. For this, a hash (SHA-256) of the app or of the app's files is stored on the server, and the connecting app's hash is compared against it on every connection or before a sensitive feature.

App integrity check process

The service provider can keep a log of abnormal connections and show a security warning message to the user.

However, even when the service provider has adopted these protections, a hacker may bypass the checking process and the anti-reversing techniques. In my research and experience, many kinds of protection have been bypassed or manipulated using a debugger, memory modification or other techniques. For example, if the checking process sends the same integrity data every time, the hacker can save that integrity data and replay it on the network or inside the app, and the server will accept it as normal access. To prevent such flaws, the core process needs to be protected from access and manipulation.
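The server side of an integrity check that rejects the replay just described, as an added example that is not code from the post: each connection gets a fresh single-use nonce, the app returns its SHA-256 hash together with a MAC over the nonce and hash, and abnormal connections are logged as the post suggests. KNOWN_GOOD_HASH, ATTEST_KEY and all names are constructed; the MAC key still lives inside a software-only app, so this raises the bar against captured data but does not by itself stop an attacker who extracts the key from the app.

```python
"""Added example (not from the post): app integrity check with a single-use
challenge so captured integrity data cannot be replayed. Values are constructed."""
import hashlib
import hmac
import os
import time

# Constructed stand-in for the released app files and their SHA-256.
GENUINE_APP = b"released-app-binary-v1"
KNOWN_GOOD_HASH = hashlib.sha256(GENUINE_APP).hexdigest()
ATTEST_KEY = b"constructed-shared-key"   # ideally held in secure hardware
NONCE_TTL = 60                           # seconds a challenge stays valid


def _tag(nonce, app_hash):
    # MAC binding this app hash to this nonce, so a response is only good once.
    msg = nonce.encode() + b"|" + app_hash.encode()
    return hmac.new(ATTEST_KEY, msg, hashlib.sha256).hexdigest()


class IntegrityServer:
    def __init__(self):
        self.pending = {}   # nonce -> issue time, removed on first use
        self.log = []       # abnormal connections for the provider's records

    def challenge(self):
        nonce = os.urandom(16).hex()
        self.pending[nonce] = time.time()
        return nonce

    def verify(self, nonce, app_hash, tag):
        """True only for a fresh nonce, a valid MAC and the known-good hash."""
        issued = self.pending.pop(nonce, None)
        if issued is None or time.time() - issued > NONCE_TTL:
            self.log.append(("replay_or_expired", nonce))
            return False
        if not hmac.compare_digest(_tag(nonce, app_hash), tag):
            self.log.append(("bad_mac", nonce))
            return False
        if not hmac.compare_digest(app_hash, KNOWN_GOOD_HASH):
            self.log.append(("modified_app", app_hash))
            return False
        return True


def app_respond(nonce, app_bytes):
    """What the genuine app computes: the hash of its own files, then the MAC."""
    app_hash = hashlib.sha256(app_bytes).hexdigest()
    return app_hash, _tag(nonce, app_hash)
```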

So we can consider secure hardware such as TrustZone, TPM and UICC instead of software modules. An integrity checking module in hardware can control access from outside the chip, so nobody can reach it except through the pre-shared protocol. Moreover, it can be shared with other apps through standardized APIs. It could be adopted not only for integrity checking but also for a DRM module dealing with license issues.

Next, I will post about secure hardware and how it can be combined with app integrity detection.