Friday, May 6, 2011

Facebook Apps and their Security


Very recently Facebook promoted the use of HTTPS for accessing Facebook. While this went mostly unnoticed, a very small community of people started to use the feature. The majority of people didn't even understand the basics and passed it by. So I decided to give it a try and share my experience with you.


Normally Facebook allows both HTTP and HTTPS for browsing, but apps do not work over HTTPS.

What is HTTP

In technical jargon, HTTP stands for "Hypertext Transfer Protocol". It's a good thing that they abbreviated it to HTTP. OK, now for the fun stuff. HTTP is actually a network protocol. It's something like a list of rules for how your computer and mine speak over the internet. Put a better way, it's like a guideline or set of rules that forces you to speak in a proper manner (yes, like grammar). For more technical and geeky stuff, head on to Wikipedia and check out the OSI layers and network protocols.

Similarly, there are many more protocols. Here is just a brief list (skip it if you are already yawning). The complete list can be found on Wikipedia.

Hypertext Transfer Protocol (HTTP)
Mainly used to speak to the server (Facebook, Google, Yahoo etc.) and settle some rules for how you request the website and how it should speak back to you. Do not confuse this with the Hypertext Markup Language (HTML). HTML is the language used to write web pages.


Post Office Protocol (POP3) / Simple Mail Transfer Protocol (SMTP) / Internet Message Access Protocol (IMAP)
All of these are mostly used when you send or receive an email. POP3 and IMAP are responsible for receiving your email and SMTP... yup, you guessed it, for sending mail.

File Transfer Protocol (FTP)
Whenever you are downloading a file (pics, songs etc.) to your hard drive you use this one. It copies a file from a server to your PC and vice versa.


OK, enough of this technical stuff... straight to the point, please


Okay... okay... So what's the difference between HTTP and HTTPS? Simple: there is an extra s. Well, that's a correct answer. Actually the s stands for secure. It means that a guarantee of the website's security has been given by a company, with something called a digital certificate.

Hey, even I have lots of certificates, and I have heard that they can be easily faked.

Well, unlike the certificates in real life, an SSL certificate is a digital certificate that authenticates the identity of a Web site to visiting browsers and encrypts information for the server via Secure Sockets Layer (SSL) technology.

A certificate serves as an electronic “passport” that establishes an online entity’s credentials when doing business on the Web. When an Internet user attempts to send confidential information to a Web server, the user’s browser will access the server’s digital certificate and establish a secure connection.

Information contained in the certificate includes:
  • The certificate holder’s name (individual or company)
  • The certificate’s serial number and expiration date
  • A copy of the certificate holder’s public key
  • The digital signature of the certificate-issuing authority

To obtain an SSL certificate, one must generate and submit a Certificate Signing Request (CSR) to a trusted Certification Authority, which will authenticate the requestor’s identity, existence and domain registration ownership before issuing a certificate.
So to make a long story short: if a website is secured with HTTPS, it ensures that the site has been verified and authenticated by a real third-party organization, and there is a lot of legal stuff in place to put the company or individual in jail for a long term if he tries to fake the certificate.
The connection itself is encrypted, which means whatever you are sending over the internet can't easily be seen by other people who want to steal some information. Practically, they exchange keys. There are always two keys. One is made public and the other stays with the server, so without knowing both keys no one can listen to what you are saying.


Hey, there are a lot of qualified hackers who can break it


Umm... let's take an example...

Password: PLEASE SOMEONE CORRECT ME IF I'M WRONG HERE*

Length: 14 characters, 14*8 = 112 bits.

The password is strictly alphanumeric. So there are 26 letters + 26 capital letters + 10 digits.
That's 62 possible characters. The number of combinations would be:
62^14, or: 12401769434657526912139264

Let's assume that the brute force's last attempt is your password. I don't know how long it takes for a password cracker to generate and try a single combination. If that time is 1 second, the password would be cracked in 393257529003599914.768 YEARS. Even if it takes only a millionth of a second to generate and try a combination, that is 393257529003.59 YEARS - THAT'S 26 TIMES THE AGE OF THE UNIVERSE.

Let's say that the hacker has the most powerful supercomputer, Tianhe-I (with a capacity of 1,000,000,000,000,000 calculations per second): it would take roughly 393 years to break. But then the normal 256 bit means 32 characters (including all ASCII sets).

Now imagine NOT KNOWING the number of characters...
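
The arithmetic above as an added example (not part of the original post): it reproduces the 62^14 keyspace and the 393-year figure, and also computes the password's entropy and the search size when only a maximum length of 14 is known. The function names and the 365-day year are assumptions of this sketch.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600  # 365-day year, which matches the post's figures


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size, max_length):
    """Number of passwords when only an upper bound on the length is known."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password; this, not 8 bits per
    stored character, is what a brute-force search has to overcome."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(candidates, guesses_per_second):
    """Worst case: the correct password is the last candidate tried."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    alphabet = 26 + 26 + 10  # lower case + upper case + digits
    total = keyspace(alphabet, 14)
    print("combinations:", total)
    print("entropy: %.1f bits" % entropy_bits(alphabet, 14))
    rates = (("1 guess/s", 1), ("1e6 guesses/s", 10**6), ("1e15 guesses/s", 10**15))
    for label, rate in rates:
        print("%-15s %.4g years" % (label, years_to_exhaust(total, rate)))
    # Not knowing the exact length adds every shorter password to the search.
    unknown = keyspace_up_to(alphabet, 14)
    print("lengths 1..14: %.4fx the fixed-length search" % (unknown / total))
```

The last line shows that the shorter lengths together add under 2% to the search, because the longest length dominates the sum.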

Try this link. Don't use any of your original passwords. Try something random.

I say the person will not try to hack the password, but rather will use a backdoor entry or bypass mechanism to gain access.
Note: All banking and payment portal sites use AES 256-bit encryption with a digital certificate.

Now that's the real question: what are the backdoor entries or bypass mechanisms to Facebook?



Facebook apps.

Let's take a closer look and compare two applications on Facebook.

Initially, if you are on an HTTPS connection, Facebook will prompt you to switch over to HTTP.

OK, done.

Next, let's take two typical applications. When it comes to giving permission...

See the difference between the options.

So ideally the application states that it has access to the following information and claims that it will never access the photo gallery and other sensitive information. However, if you read the privacy policy you will be surprised. For Farmville it was at least better than the other one.

Next: if you look at the website address, it's not on Facebook anymore... In fact the apps are JavaScript hosted on 3rd party servers, and Facebook just promotes them but otherwise holds no responsibility for their actions.

So to summarize, if you are using Facebook apps:
  • The app openly says that it will post to your wall without your permission.
  • In some cases it accesses your data and photo albums.
  • It is hosted on 3rd party websites (not on Facebook) for which Facebook takes no responsibility.
  • It's on an HTTP connection, where a hacker can easily check and find out your usage or, even worse, hack your profile or use the personal information for a different purpose.
  • Apps are written in JavaScript, which virtually has access to your local drive and can upload and download remotely without you even knowing.
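
One way to check the first four points before clicking "Allow", as an added example that is not part of the original post: it reads an app's authorization dialog URL and reports the wall-posting and photo permissions it asks for, and whether the app is served over plain HTTP from a non-Facebook host. The two sample URLs, their `client_id` values and the example hosts are constructed placeholders; the permission names are from Facebook's permission model of that period.

```python
from urllib.parse import urlparse, parse_qs

# Permission names from Facebook's 2011-era permission model, mapped to the
# risks the summary lists. The selection and wording are this example's choice.
RISKY_SCOPES = {
    "publish_stream": "can post to your wall without asking each time",
    "user_photos": "can read your photo albums",
    "friends_photos": "can read your friends' photo albums",
    "offline_access": "keeps access while you are logged out",
}


def audit_app_dialog(dialog_url):
    """Return a list of findings for one app authorization (OAuth dialog) URL."""
    findings = []
    query = parse_qs(urlparse(dialog_url).query)
    scopes = [s for s in query.get("scope", [""])[0].split(",") if s]
    for scope in scopes:
        if scope in RISKY_SCOPES:
            findings.append("%s: %s" % (scope, RISKY_SCOPES[scope]))
    # parse_qs has already percent-decoded redirect_uri
    redirect = urlparse(query.get("redirect_uri", [""])[0])
    host = redirect.hostname or ""
    if redirect.scheme != "https":
        findings.append("redirect_uri is not https: app traffic is readable in transit")
    if not (host == "facebook.com" or host.endswith(".facebook.com")):
        findings.append("app is hosted off facebook.com at %r" % host)
    return findings


# Constructed sample URLs; client_id values and hosts are placeholders.
APP_A = ("https://www.facebook.com/dialog/oauth?client_id=APP_ID_A"
         "&redirect_uri=http%3A%2F%2Fgames.example.net%2Fcanvas%2F"
         "&scope=email,publish_stream")
APP_B = ("https://www.facebook.com/dialog/oauth?client_id=APP_ID_B"
         "&redirect_uri=http%3A%2F%2Fquiz.example.org%2Fapp%2F"
         "&scope=publish_stream,user_photos,offline_access")

if __name__ == "__main__":
    for name, url in (("App A", APP_A), ("App B", APP_B)):
        print(name)
        for finding in audit_app_dialog(url):
            print("  -", finding)
```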
So What's the Solution
The solution is a choice between security and fun. Only one can be chosen at a time, sacrificing the other. However, choosing fun can't mean fully giving up security.

Gaming companies like Zynga, hosting popular games like Farmville, Cafe World and Mafia Wars, should have a dedicated security team. Being the #133 ranked website does put some reputation at stake.

Whereas for apps like View My Infographics, the site ranking shows #1,674,405.

Let's do a case study.

App: My Zoo

Users: 21958

Originating Site: http://zapumal.info/ (Page Rank: 1,079,656)

Author Info: I am currently studying for my BSc Degree on Electronic and Telecommunication Engineering in Sri Lanka. This blog is to share things I do on my free time. Well, it will go from technical to non-technical. These days I am more interested in RC aircraft and testing on them. I also hope to share my other hobbies here, such as numismatics, in future. Keeping it simple, here is my Facebook badge

The blog is very successful, with visitors from around 50 countries within the first 3 months (copied and pasted)

If you visit the site you will see that he has mastered the art of developing Facebook apps. There are plenty of apps on his site alone.




Final Words...
Well, once again, the app has clear access to the photos you uploaded and can post messages without your approval. And if you need proof that JavaScript can upload and download from your hard drive, look at the "Facebook photo uploader". Though Facebook's own one is secure, can you really trust a guy from Sri Lanka with your Facebook photos? That's the real question and that's the real concern: sacrificing security for just 2 minutes of laughter.

Think it over: whether you can risk putting yourself and your dear ones in the line of fire. Can you tolerate and handle some really nasty comments when someday you stumble upon a morphed picture of them, or try to explain to friends on Facebook the violent/bad/**** comments that were suddenly posted to your wall?

Here comes the best... can you really enjoy the scene knowing that you once read about it in an article and didn't bother to pay attention? Think.

Signing Off
Santanu Ghosal

