How Facebook CSRF attack was discovered
One of the things that always interests me about security disclosures is how the researcher actually found a particular vulnerability. Sometimes, security researchers are actively looking for flaws, other times the flaws are found by accident.
In the recent case of a Facebook Cross-Site Request Forgery (CSRF) attack, the researcher wasn't actively looking for the flaw.
Security researcher Ronen Zilberman reported the flaw to Facebook in early August, and it was officially patched last week. In an email to InternetNews.com, Zilberman explained how he found the flaw in the first place.
"I was working on a Facebook application for a client and when I read the documentation the potential vulnerability hit me (I used to work as a security consultant, so I guess this way of thinking is now automatic)," Zilberman said. "However, it took a while to think of 'upgrading' the attack to use images and 3rd party sites."
Security shouldn't be an afterthought, it should be top of mind when developing applications from beginning to end. It is with that type of mindset that more flaws can be caught sooner, at Facebook or anywhere else.
The other interesting tidbit Zilberman shared with me is that his CSRF attack would not have been blocked by any anti-virus software. He explained that the flaw is not a browser issue, which is why the attack works in every browser. He added that there is nothing wrong, or even suspicious, about a redirect response to an HTTP image request.
"As I wrote in the aftermath, while the attack makes use of a specific flaw that was patched, the entire setup is valid HTTP behavior and acceptable behavior from Facebook (if a bit lenient)," Zilberman said. "This is what makes the attack in its entirety, in my mind, surprising and powerful."
Anti-virus technology would not detect the rogue image because the image request, and the redirect that answers it, are both ordinary, legitimate HTTP traffic; the damage is done by the target site acting on the redirected request with the victim's own session.
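To make the mechanism concrete, here is an added model of the setup in Python. It is not Zilberman's code and involves no real Facebook endpoint: the hosts `evil.example` and `social.example`, the `/app/authorize` path, the `app_id` parameter, and the session cookie and token values are all constructed for this example. It models the three parties: an attacker host that answers an image request with a redirect, a target site whose state-changing action is reachable by a plain GET, and a browser's image loader that follows the redirect and attaches the victim's cookies for the destination host. Toggling the target's token check shows why requiring a POST with a per-user CSRF token stops the attack while the attacker's traffic stays exactly as "legitimate" as before.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs


@dataclass
class Request:
    method: str
    url: str
    cookies: dict
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class TargetSite:
    """Hypothetical social site 'social.example' with a state-changing
    action at /app/authorize (constructed for this example)."""

    def __init__(self, require_token=False):
        self.require_token = require_token
        self.sessions = {"sess-alice": "alice"}   # constructed session cookie -> user
        self.csrf_tokens = {"alice": "tok-9f1c"}   # constructed per-user CSRF token
        self.actions = {}                          # user -> actions performed

    def handle(self, req):
        user = self.sessions.get(req.cookies.get("session"))
        if user is None:
            return Response(403, body="not logged in")
        parts = urlsplit(req.url)
        params = parse_qs(parts.query)
        if parts.path != "/app/authorize":
            return Response(404)
        if self.require_token:
            # Hardened variant: a state change must be a POST carrying the
            # user's own token. A redirect-following image load is always a
            # GET and cannot know the token, so it is rejected here.
            sent = params.get("token", [None])[0]
            if req.method != "POST" or sent != self.csrf_tokens[user]:
                return Response(403, body="missing or invalid CSRF token")
        app_id = params.get("app_id", [""])[0]
        self.actions.setdefault(user, []).append(("authorize", app_id))
        return Response(200, body="ok")


class AttackerSite:
    """'evil.example': serves /cat.png, but answers with a redirect."""

    def __init__(self, redirect_to):
        self.redirect_to = redirect_to

    def handle(self, req):
        if urlsplit(req.url).path == "/cat.png":
            # Nothing here is malformed: a 302 is a normal reply to an image request.
            return Response(302, headers={"Location": self.redirect_to})
        return Response(404)


class Browser:
    """Image loader model: follows redirects without user interaction and
    attaches the cookies stored for each destination host, as browsers did
    before SameSite cookie defaults existed."""

    def __init__(self, sites, cookie_jar, max_redirects=5):
        self.sites = sites              # host -> site object
        self.cookie_jar = cookie_jar    # host -> {cookie name: value}
        self.max_redirects = max_redirects

    def load_image(self, url):
        for _ in range(self.max_redirects):
            host = urlsplit(url).hostname
            req = Request("GET", url, cookies=dict(self.cookie_jar.get(host, {})))
            resp = self.sites[host].handle(req)
            if resp.status in (301, 302, 303, 307, 308) and "Location" in resp.headers:
                url = resp.headers["Location"]   # followed silently by the image loader
                continue
            return resp
        return Response(508, body="too many redirects")


def run_attack(require_token):
    """Victim 'alice' is logged in to social.example and views a page on
    evil.example containing <img src="http://evil.example/cat.png">.
    Returns (final HTTP status, actions recorded for alice)."""
    target = TargetSite(require_token=require_token)
    attacker = AttackerSite("http://social.example/app/authorize?app_id=1337")
    browser = Browser(
        sites={"social.example": target, "evil.example": attacker},
        cookie_jar={"social.example": {"session": "sess-alice"}},
    )
    resp = browser.load_image("http://evil.example/cat.png")
    return resp.status, target.actions.get("alice", [])


if __name__ == "__main__":
    print("vulnerable target:", run_attack(require_token=False))  # (200, [('authorize', '1337')])
    print("hardened target:  ", run_attack(require_token=True))   # (403, [])
```

Two caveats for anyone applying this today: the browser model deliberately omits the SameSite cookie attribute, whose Lax default in current browsers withholds cookies on cross-site subresource loads like this image, so the bare technique is far less effective than it was in 2009; and the server-side check remains the real fix, because any weakening of that client behaviour (older clients, cookies explicitly set `SameSite=None`) reopens the hole.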
Zilberman also hinted in his disclosure that other sites could be vulnerable to the same technique and possibly that Facebook itself could have other such issues.
"I haven't found (or looked for) any others, I am more interested in the technique itself," Zilberman said. "I stated that I speculate that this setup could be used elsewhere."
From my point of view, it will be interesting to see how many other sites are in fact vulnerable to the same setup. I suspect that Zilberman's speculation is not all that far-fetched.