The (other) Facebook story

October 7, 2010

Facebook Places
Image by Aleksander Soender via Flickr

So apparently, “The Social Network” came out this weekend. And apparently it’s quite a good, if not entirely accurate, movie.

 

The Facebook story that I am referencing here, though, has more to do with a series of interactions that began about a month ago. They typically went like this:

*code code code*

“Hey, what are you working on?”

me: *code* “I found a security problem in Facebook Places”

“Really, what does it do?”

me: “I can’t really say right now. Just don’t use Facebook Places.”

The reason for this secrecy is a basic problem in computer security: by telling people how to avoid a security hole, you’re also telling malicious hackers that it exists and (sometimes) how to exploit it. So I decided that the most prudent course of action would be to let Facebook fix their system before writing about it.

Well, now that’s (finally) happened, so on to the interesting part.

I was, at first, surprised by the quality of the privacy controls in Places. Sure, it has that weird maybe-good-maybe-a-problem “feature” where your friends can check you in to their location without your consent, but that’s not so different from being tagged in a photo. It also has a mode you can turn on, called “People here now” that will show that you are in a given location to other people in that location–essentially the digital equivalent of wearing a name tag.

Then I started looking more closely at it. Places normally does two things: it tells you who’s nearby, and it tells you where your friends are. These are both fairly innocuous–you presumably trust your friends, and the “people nearby” mode doesn’t track anyone’s checkins–it just tells you the names of people who have checked in near you.

While that superficially seems okay, it should give any programmer pause for thought. Keep in mind that Facebook doesn’t have a Big Brother system that knows where you are all the time. It has to send a location request to your computer or smartphone, which then uses sensors to figure out its location and send it back to Facebook.

That’s the basis of the “teleportation attack”. If a malicious user has a script that can query every location in a given area for a list of who’s there, they can build a database that will allow them to track an arbitrary user in real time, or examine logs of where they’ve been, as well as identify robbery targets and track visitors to specific locations.

In particular, what an attacker would have to do would be:

  1. Spoof the geolocation
  2. Connect a computer to touch.facebook.com
  3. Automatically check in to every “nearby” place in sequence
  4. Capture the list of “People here now”, and save it to a file
  5. Analyze the file

In more detail…

Spoof the geolocation

Right away, the teleportation method runs into an obstacle: Facebook knows the lat/long coordinates of every location in Places, and won’t let you check in to a place unless your own coordinates match it. Since traveling around the city is not really practical, one must thus figure out a way to “spoof” one’s location.

Here’s where the security comes in. Like I mentioned above, Facebook has no way to impartially know your location. Instead, it relies on asking your computer or phone to analyze data from any onboard location sensors, and report back a latitude and longitude, plus margin of error. Here’s the thing, though: the geolocation protocol is specifically designed to function with a variety of data sources–Wifi positioning, cell towers, GPS–and present the same results regardless of what method was used. This “black box” method means that a device requesting its position will usually just harvest all the available data, then send it to a “location provider” (usually Google or Apple) which then replies with a lat/lon pair. Facebook doesn’t know who the location provider is, or how it determined your location.

So, why not write your own location provider?

 

This is, in fact, exactly what I did. locationhelper.pde (attached) is a Processing program that can generate a file containing a moving spoofed geolocation point. When configured correctly, Firefox (and Facebook) will believe the spoofed data completely. locationHelper is designed to “scan” an area by moving the simulated position back and forth.

 

Connect to touch.facebook.com

Right away, we run into a stumbling block: Facebook Places doesn’t work on the standard version of Facebook, only on the apps for mobile phones. Luckily, Facebook’s phone site, touch.facebook.com, supports Places and also isn’t too picky about what connects to it. In other words, you can simulate a mobile phone from a computer simply by adding “touch” in the URL. For my proof-of-concept, I also used Firefox’s User Agent Switcher to make it pretend to be a mobile Safari browser.

3. Automatically check in to every nearby place, and capture the “People here now” data.

With our fake location provider simulating movement, all that’s required for this step is to write a small script for Firefox that will automatically hit the “check in” button every few seconds, then extract the list of “people here now”. Since this information is presented in a standard Facebook “people list” format, it’s fairly easy to read it and save it to a file, along with the name of the place.

 

4. Analyze the loot

Once your database is built up, a malicious user could do a number of things with it, including:

  • Stalking a user by creating a database of all checkins within a given area, then querying the database to obtain semi-real-time and historical data on the user’s checkins
  • Identifying potential victims for robbery or vandalism by identifying users who are a significant distance from their home (similar to pleaserobme.com)
  • Collecting aggregate data for sociological or basic demographic research
  • Compiling a database of check-ins in a geographically wide set of “regions of interest” (gambling sites, bars, etc.) and determining whether a given person had ever checked in at any of the monitored locations

 

Yeah, scary.

So is it fixed?

Mostly.

Facebook has now successfully beefed up their anti-scraping system, which means that the proof-of-concept I developed now does not work. So to the best of my knowledge, there is currently no code capable of actually performing this attack. Does that mean it’s absolutely safe?

Not really.

The problem is, essentially, that the existence of a “people here now” feature creates what’s known in the security world as an “analog hole”. The problem is this: if the system allows users to see the list of people at their location, then by definition it’s also possible for an automated system to access it. At some point, regardless of how much anti-scraping you have, the fact that the data exists and is actively transmitted to users means that it’s not completely secure (Facebook had anti-scraping protection before I wrote the proof-of-concept–it just didn’t prevent the attack).
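One server-side signal that separates the scanning pattern described above from a person actually walking around, as an added example (not the author's code, and not a description of Facebook's actual fix): flag accounts whose consecutive check-ins imply impossible travel speed, or that sweep many distinct places in a short window. The log rows, thresholds and function names are assumptions made for illustration.

```python
import math
from collections import defaultdict

# Constructed sample check-in log: (account, unix_time, lat, lon, place).
CHECKINS = [
    ("alice", 1000, 40.7128, -74.0060, "Cafe A"),
    ("alice", 4600, 40.7306, -73.9866, "Bar B"),      # one hour later, about 2.6 km away
    ("scanner", 1000, 40.7128, -74.0060, "Cafe A"),
    ("scanner", 1005, 40.7306, -73.9866, "Bar B"),    # five seconds later
    ("scanner", 1010, 40.7580, -73.9855, "Theater C"),
    ("scanner", 1015, 40.7061, -73.9969, "Bridge D"),
]

MAX_SPEED_KMH = 150.0       # assumed ceiling for plausible travel inside a city
MAX_PLACES_PER_WINDOW = 3   # assumed cap on distinct places per account per window
WINDOW_SECONDS = 600

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def flag_accounts(checkins):
    """Return {account: sorted reasons} for accounts whose check-ins look automated."""
    by_account = defaultdict(list)
    for account, ts, lat, lon, place in checkins:
        by_account[account].append((ts, lat, lon, place))
    flagged = defaultdict(set)
    for account, events in by_account.items():
        events.sort()
        # Signal 1: speed implied by each pair of consecutive check-ins.
        for (t1, la1, lo1, _), (t2, la2, lo2, _) in zip(events, events[1:]):
            hours = max(t2 - t1, 1) / 3600.0
            if haversine_km(la1, lo1, la2, lo2) / hours > MAX_SPEED_KMH:
                flagged[account].add("impossible_travel")
        # Signal 2: distinct places visited within a sliding time window.
        for i, event in enumerate(events):
            places = {e[3] for e in events[i:] if e[0] - event[0] <= WINDOW_SECONDS}
            if len(places) > MAX_PLACES_PER_WINDOW:
                flagged[account].add("place_sweep")
    return {account: sorted(reasons) for account, reasons in flagged.items()}

if __name__ == "__main__":
    print(flag_accounts(CHECKINS))
```

Signals like these raise the cost of bulk collection; as the paragraph above says, they do not change the fact that the list is still sent to anyone who checks in.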

 

So the take-away message is basically, turn off “People here now” (you can find directions here), unless you have some specific purpose that you absolutely need it for.

 

 
