The AVOXI Blog:

Your Facebook Apps Can Be Spoofed by a Hacker

Many Facebook users have been complaining of unauthorized posts on their walls. How is this possible?

This is done by spoofing app content: an attacker posts content that appears to come from a trusted application onto a victim's wall or news feed. The content can appear to come from Saavn, Candy Crush, Spotify, Pinterest or any other application on Facebook. Through a publishing method called “stream.publish,” Facebook allowed its users to post to their wall via a Facebook application, with stream attachments included in the post. The Stream Publish Dialog contains a couple of noteworthy parameters:

  1. app_id
  2. Attachment (swfsrc, imgsrc, href)

The attacker must first supply the app_id value of the victim application. Next, the attacker supplies attachment parameters such as swfsrc and imgsrc, which allow swf files to be loaded from any external website. Facebook's default setting allows external swf files to be loaded from any domain through the swfsrc parameter. There is a feature called Stream post URL security meant to ward off these kinds of attacks: in theory, an app developer who enables this protection in their Facebook Developer account will not suffer attacks of this nature, because attackers can no longer load external swf files under that app's identity.

Facebook eliminated the stream.publish option in 2013 and instead opted for a Feed Dialog to publish app activity. Within this Feed Dialog, a few parameters are enough to perform the app content spoofing bug.

  1. Link parameter: With this parameter, we will include our malicious external link (virus exe file, 0days, phishing site, or any other malicious link).
  2. Picture Parameter: This parameter is only usable if we want to spoof the content with an image. The content of the image will only display correctly on our wall post. It will not display correctly in the newsfeed, making it relevant only to wall post app spoofing.
  3. Caption Parameter: This parameter will allow an attacker to choose the website from which the content will come.
  4. Name Parameter: This parameter produces the title we desire. Whenever the victim clicks on that title, he will be taken to our malicious website.

The Stream post URL security setting is off by default on Facebook, so most apps are susceptible to this app content spoofing attack.
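The setting described above is a Facebook-side control, but an app developer can enforce the same idea on their own side before a post is handed to the Feed Dialog: only let the `link` and `picture` parameters point at domains the app actually owns, and refuse a `caption` that names a different site than the one the link resolves to. The following Node.js snippet is an added example, not code from the AVOXI post or from Facebook. The Feed Dialog endpoint and the `redirect_uri` parameter come from Facebook's public dialog documentation; the allowlist, the caption-must-match-host policy and the two sample posts are constructed for this example.

```javascript
// Added example (not from the AVOXI post): an app-side allowlist check that
// plays the role of Facebook's "Stream post URL security" setting, applied
// before a Feed Dialog URL is built. Parameter names (app_id, link, picture,
// name, caption) follow the post; FEED_DIALOG and redirect_uri follow
// Facebook's public dialog docs; everything else is constructed here.

const FEED_DIALOG = "https://www.facebook.com/dialog/feed";

// Domains this (hypothetical) app is allowed to link to or load images from.
const ALLOWED_DOMAINS = ["example-app.com", "cdn.example-app.com"];

// True when hostname equals an allowed domain or is a subdomain of one.
// "notexample-app.com" is rejected because it is neither.
function hostAllowed(hostname, allowed = ALLOWED_DOMAINS) {
  const h = hostname.toLowerCase();
  return allowed.some((d) => h === d || h.endsWith("." + d));
}

// Hostname of an http(s) URL, or null for anything unparsable or of another
// scheme (javascript:, data:, ...), which must never reach the dialog.
function hostOf(value) {
  try {
    const u = new URL(value);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.hostname;
  } catch {
    return null;
  }
}

// Check the spoofable parameters of a Feed Dialog post. Returns a list of
// problems; an empty list means the post may be published.
function validateFeedPost(post, allowed = ALLOWED_DOMAINS) {
  const problems = [];
  for (const field of ["link", "picture"]) {
    if (post[field] === undefined) continue;
    const host = hostOf(post[field]);
    if (host === null) problems.push(`${field}: not an http(s) URL`);
    else if (!hostAllowed(host, allowed)) problems.push(`${field}: host ${host} not in allowlist`);
  }
  // The caption is free text shown to the reader as the source of the post.
  // Constructed policy: it must be exactly the host the link really points to.
  if (post.caption !== undefined && post.link !== undefined) {
    const linkHost = hostOf(post.link);
    if (linkHost && post.caption.toLowerCase() !== linkHost) {
      problems.push(`caption "${post.caption}" does not match link host ${linkHost}`);
    }
  }
  return problems;
}

// Build the dialog URL only for a post that passes validation; otherwise null.
function buildFeedDialogUrl(appId, redirectUri, post, allowed = ALLOWED_DOMAINS) {
  if (validateFeedPost(post, allowed).length > 0) return null;
  const u = new URL(FEED_DIALOG);
  u.searchParams.set("app_id", appId);
  u.searchParams.set("redirect_uri", redirectUri);
  for (const field of ["link", "picture", "name", "caption"]) {
    if (post[field] !== undefined) u.searchParams.set(field, post[field]);
  }
  return u.toString();
}

// Constructed sample posts: one legitimate, one shaped like the spoof the
// article describes (trusted-looking name/caption/picture, foreign link).
const legit = {
  link: "https://example-app.com/score/42",
  picture: "https://cdn.example-app.com/badge.png",
  name: "New high score",
  caption: "example-app.com",
};
const spoofed = {
  link: "https://attacker.invalid/download.exe",
  picture: "https://cdn.example-app.com/badge.png",
  name: "New high score",
  caption: "example-app.com",
};

console.log("legit:", validateFeedPost(legit));
console.log("spoofed:", validateFeedPost(spoofed));
console.log(buildFeedDialogUrl("APP_ID_PLACEHOLDER", "https://example-app.com/done", legit));
```

Run with `node` and the spoofed post is reported twice: its link host is outside the allowlist, and its caption claims a site the link does not go to. Note that this only protects posts the app itself publishes; it does nothing about an attacker who drives the dialog directly with the app's app_id, which is exactly the gap the Facebook-side setting exists to close.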

Apps found to allow content spoofing on the newsfeed/wall:

  1. Diamond Dash
  2. SoundCloud
  3. Bejeweled Blitz
  4. Skype
  5. Candy Crush Saga
  6. Slideshare

Top-rated games/apps that allow content spoofing on Facebook:

  1. Bubble Witch Saga
  2. The Sims Social
  3. Bubble Safari
  4. Angry Birds Friends
  5. Social Wars
  6. Songpop
  7. Dragon City
  8. Skype
  9. SoundCloud
  10. CNET
  11. Foursquare
  12. Netflix
  13. Scribd
  14. Bing
  15. Jango
  16. 9GAG
  17. Instagram
  18. Diamond Dash
  19. Slideshare
  20. Candy Crush Saga
  21. Bejeweled Blitz

Games/apps that use the Stream post URL security feature (which blocks content spoofing):

  1. Criminal Case
  2. Pool Live Tour
  3. FarmVille 2
  4. Texas Holdem Poker

As the Lead Security Engineer and Linux Administrator for AVOXI, Pablo's expertise and past work experience have given him insight into an array of systems and applications, as well as knowledge of varied telephony equipment and developments.
