Facebook API abuse can expose private user data, say hackers

But Facebook says it is happy with its current protection measures

Facebook is ignoring a serious shortcoming in the way it limits application developers' access to information about Facebook users, according to a pair of hackers.

The problem is in the way Facebook's APIs (application programming interfaces) work, and could even lead to unauthorized password changes, according to hatter and ErrProne, two members of hacking think-tank Blackhat Academy.

Facebook applications use a special query language called FQL (Facebook Query Language) to extract and modify user information stored in the social network's database. This proprietary language is well documented and the information is public, allowing anyone to learn it.

Querying sensitive user information such as email addresses through FQL requires an API key, a unique identifier Facebook assigns to each app, but a lot of other private information can be extracted from the database without any such restrictions. The two hackers even provided working proof-of-concept code in their advisory.

According to hatter, API keys have too much power from the moment they are issued, and obtaining one is simple. A malicious programmer could obtain and abuse an API key while the associated app was still in development. Applications have access to more data while in that phase, before they are released; after Facebook reviews an app, it will restrict its rights to allow access only to the data the app needs to function.

However, attackers don't even need their own API key to extract data. They can piggyback on the key of a legitimate app by installing it on their profile and feeding it information requests with altered user ids. Depending on the application's permissions, this technique can be used to gather information from other users with the app installed, even if those users only shared the information with their friends.
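The weakness the article describes is an authorization check that trusts the user id supplied by the caller instead of deriving it from who is actually making the request. The following toy model is an added example, not code from the article, from Blackhat Academy or from Facebook: it mimics an API backend that serves profile fields to installed apps, and contrasts a handler that only checks the app's granted scopes with one that also binds every request to the requester's own relationship to the target. All app ids, user ids, field names and profile values are constructed.

```python
from dataclasses import dataclass


@dataclass
class Profile:
    uid: int
    fields: dict       # field name -> value
    visibility: dict   # field name -> "me" | "friends" | "public"
    friends: set       # uids this user is friends with
    installed: set     # app ids this user has installed


# Constructed sample data. uid 2 shares their hometown with friends only and is
# friends with uid 1, not with uid 3. All three users have installed "app_a".
PROFILES = {
    1: Profile(1, {"hometown": "Oslo", "email": "one@example.invalid"},
               {"hometown": "public", "email": "me"}, {2}, {"app_a"}),
    2: Profile(2, {"hometown": "Lima", "email": "two@example.invalid"},
               {"hometown": "friends", "email": "me"}, {1}, {"app_a"}),
    3: Profile(3, {"hometown": "Perth", "email": "three@example.invalid"},
               {"hometown": "public", "email": "me"}, set(), {"app_a"}),
}

# Fields each app was granted during review (constructed): app_a may read
# hometowns but was never granted email access.
APP_SCOPES = {"app_a": {"hometown"}}


class AccessDenied(Exception):
    pass


def naive_lookup(app_id, requester_uid, target_uid, wanted):
    """Weak handler: trusts the target uid that arrived with the request and only
    checks the app's scopes. Anyone who installed the app can walk other uids
    and read friends-only fields of users they are not friends with."""
    if app_id not in APP_SCOPES:
        raise AccessDenied("unknown app")
    target = PROFILES[target_uid]
    return {f: target.fields[f] for f in wanted if f in APP_SCOPES[app_id]}


def scoped_lookup(app_id, requester_uid, target_uid, wanted):
    """Hardened handler: every decision is made against the authenticated
    requester (taken from the session, never from the query) and the target's
    own visibility settings, so a swapped uid cannot widen what is returned."""
    scopes = APP_SCOPES.get(app_id)
    if scopes is None:
        raise AccessDenied("unknown app")
    requester = PROFILES.get(requester_uid)
    target = PROFILES.get(target_uid)
    if requester is None or target is None:
        raise AccessDenied("unknown user")
    # The app key acts on behalf of the requester, so the requester must have
    # installed it; the target must have installed it too, otherwise they never
    # consented to this app reading anything about them.
    if app_id not in requester.installed or app_id not in target.installed:
        raise AccessDenied("app not installed by both parties")
    result = {}
    for name in wanted:
        if name not in scopes or name not in target.fields:
            continue  # app was never granted this field, or it does not exist
        vis = target.visibility[name]
        if requester_uid == target_uid or vis == "public":
            allowed = True
        elif vis == "friends":
            allowed = requester_uid in target.friends
        else:
            allowed = False   # "me": owner only
        if allowed:
            result[name] = target.fields[name]
    return result


if __name__ == "__main__":
    # uid 3 asks, through app_a, for uid 2's friends-only hometown.
    print("naive :", naive_lookup("app_a", 3, 2, ["hometown", "email"]))
    print("scoped:", scoped_lookup("app_a", 3, 2, ["hometown", "email"]))
```

The point of the contrast is that the scoped handler never needs to know whether the caller is malicious: a request for a non-friend's friends-only field returns nothing regardless of which uid the client chose to place in the query, and fields outside the app's reviewed scopes are dropped even for the requester's own profile.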

This sort of abuse would likely be detected quickly by Facebook's security team, but attackers would still have enough time to grab the information they want before being blocked.

Blackhat Academy notified Facebook of this issue over two months ago, according to Hatter, and the group decided to publish the details only because the social networking giant doesn't share its concerns.

A Facebook spokesman dismissed the claims, saying: "What this person calls an 'FQL Injection' is simply our Facebook Platform APIs working as intended."

"We have a dedicated team that does a robust review of the applications accessing our APIs. This team uses a risk-based approach, looking at applications' velocity as defined by number of users or pieces of data shared," said the spokesman. "When a potentially bad application is reported to us or detected by our systems, we act swiftly to remove or sanction it before it gains access to data."

The hackers disagree, saying that Facebook probably didn't understand the full scope of the attack. "FQL injection is present in applications -- or you can just query the API directly," said Hatter.

The hacker is not convinced of the effectiveness of Facebook's defenses either. "Analyzing applications based on velocity is awesome against worms and malware that spread rapidly. However, if a single user is the desired target, it does not help so much. An attacker could easily trick the target into running a single malicious app," he said.

Facebook's application platform has long been a source of privacy and security risks. Earlier this year, it was discovered that many apps, even top ones, were sharing and in some cases selling user ids to advertisers. This allowed them to build profiles used for behavioral advertising.

Earlier this week Trend Micro reported an incident where attackers managed to serve drive-by download exploits through malicious ads displayed in a legitimate app. These are clear indications that Facebook can't guarantee good behavior from every app on its network, and the overexposed APIs are just one more thing ill-intentioned individuals can exploit.


Lucian Constantin

IDG News Service