Apps are all the fashion. You can download them, and you can add them to web sites (such as your blog), including your favourite social network. Facebook introduced applications back in 2007. If you want to tie an application to your account, the code needs proper credentials in order to connect an action with your profile. This is why most apps ask you to log in before they start to work. The idea is to convert your login and password into a token that can be used to grant access, either for a limited time or indefinitely.
Symantec’s Nishant Doshi reports that Facebook had a bug in its application framework exposing user access tokens to third parties. This basically means that whoever holds the token can do everything the app can do (and possibly more) on behalf of the user account tied to the token. The token leaks through URLs carried in the Referer field of HTTP requests. Given 100,000 applications and millions of users, this is a big potential, and given the fact that the bug was probably present as early as 2007, the potential for “data mining” and malicious use of the tokens is quite substantial.
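To illustrate the leak path described above, here is an added example (not part of the original post, and not Facebook's code): it scans constructed proxy log lines for Referer URLs that carry a token parameter to a host outside the application's own, and shows the usual mitigation of moving the token from the query string into the URL fragment, which browsers never include in the Referer header. The host names, parameter names and token values are all made up for the example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample log: "<client> <method> <url> referer=<url>" per line.
# Hosts and tokens are invented; they are not real endpoints or credentials.
SAMPLE_LOG = """\
10.0.0.5 GET https://ads.example.net/pixel.gif referer=https://apps.example.com/canvas/?access_token=ABCDEF123456&page=home
10.0.0.5 GET https://apps.example.com/static/app.js referer=https://apps.example.com/canvas/?access_token=ABCDEF123456
10.0.0.7 GET https://cdn.example.org/lib.js referer=https://apps.example.com/canvas/?page=home
"""

# Query parameter names treated as credentials (assumed for this example).
TOKEN_PARAMS = {"access_token", "oauth_token", "session_key"}
# Hosts that are allowed to see the token (the app's own origin).
FIRST_PARTY_HOSTS = {"apps.example.com"}


def token_leaks(log_text):
    """Return (destination_host, [leaked_param, ...]) for every request whose
    Referer carries a token parameter to a host outside the first-party set."""
    leaks = []
    for line in log_text.splitlines():
        _client, _method, url, referer_field = line.split(" ", 3)
        referer = referer_field[len("referer="):]
        dest_host = urlsplit(url).hostname
        ref_params = dict(parse_qsl(urlsplit(referer).query))
        leaked = TOKEN_PARAMS & ref_params.keys()
        if leaked and dest_host not in FIRST_PARTY_HOSTS:
            leaks.append((dest_host, sorted(leaked)))
    return leaks


def strip_token_from_url(url):
    """Mitigation: move token parameters out of the query string and into the
    fragment. The fragment is never sent in the Referer header, so a page
    loaded at the rewritten URL no longer exposes the token to embedded
    third-party resources; the app reads it client-side instead."""
    parts = urlsplit(url)
    keep, moved = [], []
    for key, value in parse_qsl(parts.query):
        (moved if key in TOKEN_PARAMS else keep).append((key, value))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(keep), urlencode(moved)))
```

Only the first log line is flagged: the second sends the token to the app's own host, and the third carries no token at all.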
We have discussed security issues of web applications and mash-ups at past DeepSec conferences. It seems there is a lot more potential for this, too. If you have something to share, please consider our Call for Papers.
We have been approached by the German Frontal21 magazine to share some insights into the security of social networking sites. Since social networking sites most certainly won’t vanish overnight, we don’t have many options besides analysing the security of these applications and educating users about the dangers. Again, if you have some thoughts, drop us a few lines.