Vulnerabilities in Facebook and Facebook Messenger for Android applications

1. Advisory Information

Title: Vulnerabilities in Facebook and Facebook Messenger for Android applications
Advisory ID: STIC-2014-0529
Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones-2
Date published: 2014-07-28
Date of last update: 2014-07-28
Vendors contacted: Facebook Inc. (NASDAQ:FB)
Release mode: Coordinated release

2. Vulnerability Information

Class: Information Exposure Through Sent Data [CWE-201], Information Exposure Through Sent Data [CWE-201], Unintended Proxy or Intermediary [CWE-441]
Impact: Denial of service, Data loss
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Identifiers: CVE-2014-NNNNY, CVE-2014-NNNNX, CVE-2014-NNNNZ

3. Open proxy in Facebook application for Android

[CVE-2014-NNNNZ]

According to Facebook's published financial results for the second quarter of 2014, as of June 30th the company had 1.07 billion mobile active users and an average of 654 million mobile daily active users [1]. The Facebook application for Android is among the top 10 most installed Android applications worldwide, with 500 to 1,000 million installations as of June 24th, 2014 [3].

The application embeds a generic HTTP server component that is used as a caching proxy for playing video recordings. This server is misconfigured and accepts requests from any client, local or remote, allowing attackers to connect to it and use a victim's device as an open proxy. As a result, among other things, an attacker could carry out various forms of denial of service attacks, such as filling up the device's storage or running up the subscriber's data transfer limit over 3G or LTE networks.

4. Disclosure of private video content in Facebook application for Android

[CVE-2014-NNNNX]

The application allows users to upload video to Facebook and configure who should be able to play it back (publicly accessible, friends only, oneself, custom list). The application also allows users to play back video on the Android device. Viewing video content marked by the user as private is prevented by Facebook in accordance with the company's privacy policy [2] if the connecting client is a web browser. However, if the user connects to Facebook using the Android application, the confidentiality of private video and audio content is not enforced.

The application retrieves video content for playback in an insecure manner, allowing anyone with access to the same network the Android device is connected to, or to any network in the path between the device and Facebook's Content Delivery Network, to capture or retrieve video content, disregarding the user's configured access policy and bypassing Facebook's privacy policy.

5. Disclosure of audio recordings in chat messages in Facebook and Facebook Messenger for Android

[CVE-2014-NNNNY]

The Facebook Messenger application is also among the top 10 most installed Android applications worldwide, with 500 to 1,000 million installs [4]. Both the Facebook and Facebook Messenger applications allow users to send and play back audio recordings as messages within a chat session. The audio content is transmitted using an insecure network protocol, allowing anyone with access to the same network the Android device is connected to, or to any network in the path between the device and Facebook's Content Delivery Network, to capture or retrieve chat audio recordings, bypassing Facebook's privacy policy.

6. Video Cache Server vulnerability: Vulnerable packages

7. Video vulnerability: Vulnerable packages

8. Audio vulnerability: Vulnerable packages

9. Vendor Information, Solutions and Workarounds

Facebook acknowledged and corrected all three vulnerabilities. According to the company, the audio recording issue was already known and a fix was being beta tested at the time the bug was originally reported. The company released new application updates that fix both audio and video vulnerabilities. The fix to the disclosure of audio recordings required a new application update. The fix to the video disclosure vulnerability works with current and prior versions of the application that support retrieval of video from the CDN using HTTPS.

Facebook's new update to version 13.0.0.13.14 fixed the open proxy issue by configuring the video cache server to listen only to local requests.

To determine which version of the applications you have installed on your Android device, go to "Settings|application settings|manage application" then tap on the Facebook or Facebook Messenger app.

10. Credits

This vulnerability was discovered and researched by Joaquín Manuel Rinaudo. The publication of this advisory was coordinated by Programa Seguridad en TIC.

11. Technical Description

Facebook uses an HTTP server as a caching proxy for media content. The server is hosted in the mobile application's process space and listens on a local, non-fixed ephemeral TCP port. The constructor of the class com.facebook.video.server.VideoServerBase, embedded in the Facebook application, instantiates this GenericHttpServer object. The created instance accepts requests from any client, local or remote, enabling an attacker to perform requests to third-party servers through it.

The server accepts three types of GET requests: /proxy, /cache-window and /cache-thru. The parameters for these requests are 'remote-uri', whose value is a URL, and a 'vid' identifier. Upon receiving a request, the server performs a HEAD request to the 'remote-uri' URL to obtain the content-length of the resource; it then obtains the requested resource with a series of GET requests until the previously declared content-length is reached. Any redirect response to the HEAD request is followed by a GET request to the redirected location.

While the 'proxy' request simply forwards the content to the server's client, the 'cache-thru' and 'cache-window' requests instruct the server not only to forward the content to the client but also to store a copy in the phone's internal memory under data/data/com.facebook.katana/files/video-cache.

An attacker could use a victim's mobile device with the Facebook app installed as an open proxy by querying the embedded HTTP server for /proxy and passing as a parameter a shortened URL that points to any arbitrarily selected target site. Since all redirects are followed, an attacker could use a shortened URL, obtained from a site like goo.gl, as the target site parameter so that the proxy works on all sites. She can also cause the phone to run out of internal storage by simply querying /cache-thru with 'remote-uri' set to a site containing a large file. The same can be done to run up the subscriber's data transfer limit over 3G or LTE networks.
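The controls that the description above implies are missing can be made concrete. The following is an added example written for this advisory, not code from the Facebook application: it models the three GET endpoints (/proxy, /cache-window, /cache-thru with 'remote-uri' and 'vid' parameters) and shows, for each request, the checks a hardened in-process caching proxy would apply before fetching anything: bind to the loopback interface only (which is what the vendor's "listen only to local requests" fix amounts to), reject any non-loopback peer as a second line of defence, accept only HTTPS URLs whose host is on a CDN allowlist, and cap what a cache request may write to storage. The host names, the size limit and the sample query strings are placeholders chosen for the example.

```python
"""Hardening checks for an in-process media caching proxy (constructed example,
not the Facebook application's code). Host names and limits are placeholders."""
import ipaddress
import socket
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Placeholder CDN hosts the proxy may fetch from (not Facebook's real CDN names).
ALLOWED_CDN_HOSTS = frozenset({"cdn.example.net", "video.example.net"})
# Placeholder cap on how much a single /cache-* request may write to the device.
MAX_CACHE_BYTES = 200 * 1024 * 1024
# The three request types described in the advisory.
ENDPOINTS = frozenset({"/proxy", "/cache-window", "/cache-thru"})


def make_listener(loopback_only: bool = True) -> socket.socket:
    """Bind an ephemeral TCP port. Binding 0.0.0.0 is the open-proxy setting;
    binding 127.0.0.1 is what "listen only to local requests" amounts to."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1" if loopback_only else "0.0.0.0", 0))
    sock.listen(5)
    return sock


def is_loopback_peer(peer_ip: str) -> bool:
    """Even if the socket were bound too widely, only serve clients on this device."""
    try:
        return ipaddress.ip_address(peer_ip).is_loopback
    except ValueError:
        return False  # unparsable address: treat as remote


def validate_remote_uri(uri: str) -> Optional[str]:
    """Return None if the URI may be fetched, otherwise the rejection reason.
    HTTPS is required so that the fetched media is not exposed on the path."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        return "scheme must be https"
    if parts.username or parts.password:
        return "credentials in URL not allowed"
    if (parts.hostname or "") not in ALLOWED_CDN_HOSTS:
        return "host not in CDN allowlist"
    return None


def authorize_proxy_request(peer_ip: str, path: str, query: str,
                            declared_length: int) -> Tuple[bool, str]:
    """Decide one GET request from the peer address, request path, raw query
    string and the Content-Length learned from the preliminary HEAD request.
    Because redirects from the HEAD request are followed, the same URI check
    has to be re-applied to every redirect target before it is fetched."""
    if not is_loopback_peer(peer_ip):
        return False, "remote client rejected"
    if path not in ENDPOINTS:
        return False, "unknown endpoint"
    params = parse_qs(query)
    if not params.get("vid", [""])[0]:
        return False, "missing vid"
    reason = validate_remote_uri(params.get("remote-uri", [""])[0])
    if reason is not None:
        return False, reason
    # /proxy only streams; the cache-* variants also write to internal storage.
    if path != "/proxy" and declared_length > MAX_CACHE_BYTES:
        return False, "content too large to cache"
    return True, "ok"


if __name__ == "__main__":
    listener = make_listener()
    print("bound to", listener.getsockname())
    listener.close()
    # Constructed query string in the same shape as the advisory's request line.
    sample = "remote-uri=https%3A%2F%2Fcdn.example.net%2Fv.mp4&vid=a"
    print(authorize_proxy_request("192.168.1.20", "/cache-thru", sample, 1000))
    print(authorize_proxy_request("127.0.0.1", "/cache-thru", sample, 1000))
```

The peer check and the loopback bind are deliberately both present: on Android the bind address is the real fix, but the per-request check costs nothing and protects against a later change to the bind address. The HTTPS requirement in validate_remote_uri is the same control that would have prevented the plaintext CDN retrieval described later in this section.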

To reproduce the vulnerability follow these steps:

1) Connect to a device running Facebook with adb shell and run netstat to find out the listening port.

2) From a device on the same network, run telnet [Phone IP] [listening port] and enter the following request:

GET /cache-thru?remote-uri=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3Dz9Uz1icjwrM&vid=a HTTP/1.1

3) The phone queries the link with a HEAD request, to which YouTube's servers respond with a 302 redirect to m.youtube.com. The victim then queries m.youtube.com, downloads the video content to the phone's internal memory cache and forwards it to the client that requested it over the telnet connection.

Videos hosted on the Facebook CDN network are obtained via HTTP. When a user requests playback of a video hosted on Facebook, an instance of the VideoServerBase class performs a request to an instance of the GenericHTTPServer class for /caching-thru, with the parameter set to the URI of the video to retrieve from the CDN. Since the URI scheme is HTTP, the caching proxy's requests to download the content are performed over an insecure transport.

Anyone with access to the local network of the Android device, or to any network in the path between the device and Facebook's CDN, can obtain the URL and video content by capturing network packets, or can retrieve the video content directly from Facebook's CDN once the URL is known.

Steps to reproduce the vulnerability:

1) Download and install Facebook application.

2) Login to Facebook using any account (we will call it "account A").

3) Using a web browser, log in to Facebook using a separate account ("account B"), post a video and allow access to it only to accounts A and B.

4) Using the Facebook application for Android logged in as account A, let the video status load but do not yet play the video.

5) Set a proxy for the Android phone. This will make all HTTPS requests stop working, but they are not needed to reproduce the vulnerability.

6) Click on the video and let it play.

7) Copy the URL in the GET request obtained from the proxy (this emulates an attacker sniffing the network) and paste it in a web browser to watch the video without any authentication.

The third vulnerability involves audio recordings sent from one Facebook user to another through chat on both the Facebook and Facebook Messenger applications. The sender's application uploads the audio recording using an HTTPS POST request to graph.facebook.com and then issues an HTTPS GET request to api.facebook.com/method/messaging.getAttachment, which is answered with a redirect to the actual content at attachment.fbsbx.com. Although the initial POST and GET requests are sent over HTTPS and authenticated using the user's OAuth access token, the redirect response to retrieve the audio content is obtained over HTTP. Likewise, the receiver's application downloads the audio recording using an HTTPS GET request to api.facebook.com/method/getAttachment, which is answered with a redirect to a URL for the actual audio content on attachment.fbsbx.com over HTTP. The uid parameter in both requests indicates the Facebook IDs of the sender and receiver, respectively.

This vulnerability was found in the com.facebook.ui.media.fetch.MediaRedirectHandler class, in the getLocationURI method, in packages prior to version 10.0.28.27. This method calls a private method that translates the URI scheme from HTTPS to HTTP for any request redirected to the domain attachment.fbsbx.com.

As a result of the above, an attacker with access to the same network the Android device is connected to, or to any network in the path between the device and the attachment.fbsbx.com network, can capture or retrieve chat audio recordings, bypassing Facebook's privacy policy.
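The defect is a redirect-handling policy, so it is easiest to see as two policies side by side. The following is an added example written for this advisory, not code from the Facebook or Messenger applications: downgrading_redirect() models the behaviour the advisory attributes to MediaRedirectHandler.getLocationURI before version 10.0.28.27 (a redirect to the attachment host is rewritten from https to http), and strict_redirect() is a hardened replacement that refuses to leave HTTPS once a request started on it, whether the downgrade comes from the client's own rewrite or from a Location header sent by the server. resolve_chain() walks a constructed table of responses shaped like the exchange described above (an authenticated API GET answered by a redirect to the attachment host) and also bounds the number of hops. The host names, paths and the response table are placeholders; the same policy applies equally to the plain-HTTP video CDN retrieval described earlier in this section.

```python
"""Redirect policy for a media fetcher that refuses HTTPS-to-HTTP downgrades
(constructed example, not the Facebook or Messenger applications' code)."""
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit, urlunsplit

ATTACHMENT_HOST = "attachment.example.net"  # placeholder for the attachment host
REDIRECT_STATUSES = (301, 302, 303, 307, 308)
# A policy maps (current request URL, Location header) to (ok, next URL or reason).
RedirectPolicy = Callable[[str, str], Tuple[bool, str]]


def downgrading_redirect(request_url: str, location: str) -> Tuple[bool, str]:
    """Models the pre-fix behaviour: resolve Location, then force http whenever
    the redirect target is the attachment host."""
    parts = urlsplit(urljoin(request_url, location))
    if parts.hostname == ATTACHMENT_HOST and parts.scheme == "https":
        parts = parts._replace(scheme="http")  # the scheme translation at fault
    return True, urlunsplit(parts)


def strict_redirect(request_url: str, location: str) -> Tuple[bool, str]:
    """Hardened policy: only http(s) targets, and never leave https once on it."""
    src = urlsplit(request_url)
    dst = urlsplit(urljoin(request_url, location))  # handles relative Location too
    if dst.scheme not in ("http", "https"):
        return False, "unsupported scheme in redirect"
    if src.scheme == "https" and dst.scheme != "https":
        return False, "refusing https-to-http downgrade"
    return True, urlunsplit(dst)


def resolve_chain(start_url: str,
                  responses: Dict[str, Tuple[int, Optional[str]]],
                  policy: RedirectPolicy,
                  max_hops: int = 5) -> Tuple[bool, str]:
    """Follow a table of (status, Location) responses, applying the policy to
    each hop. Returns (True, final URL) or (False, reason). URLs absent from the
    table are treated as a 200 with no Location, i.e. the end of the chain."""
    url = start_url
    for _ in range(max_hops + 1):
        status, location = responses.get(url, (200, None))
        if status not in REDIRECT_STATUSES or not location:
            return True, url
        ok, nxt = policy(url, location)
        if not ok:
            return False, nxt
        url = nxt
    return False, "too many redirects"


# Constructed response table shaped like the exchange in the advisory:
# an authenticated API GET is answered with a redirect to the attachment host.
START_URL = "https://api.example.net/method/getAttachment?uid=1001&mid=m_42"
SAMPLE_RESPONSES: Dict[str, Tuple[int, Optional[str]]] = {
    START_URL: (302, "https://attachment.example.net/attachments/m_42.mp3"),
    "https://attachment.example.net/attachments/m_42.mp3": (200, None),
    "http://attachment.example.net/attachments/m_42.mp3": (200, None),
}


if __name__ == "__main__":
    print("pre-fix :", resolve_chain(START_URL, SAMPLE_RESPONSES, downgrading_redirect))
    print("hardened:", resolve_chain(START_URL, SAMPLE_RESPONSES, strict_redirect))
```

With the pre-fix policy the chain ends at an http:// URL for the attachment host, which is exactly the request that shows up in a packet capture; with the strict policy the same chain ends at the https:// URL. Rejecting rather than silently upgrading is the safer default: an upgrade would hide a server that is genuinely misconfigured to redirect to plaintext, whereas a rejection surfaces it during testing.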

Steps to reproduce the disclosure of audio recordings vulnerability:

1) Log in to Facebook using the Facebook application for Android.

2) Capture network packets using any network sniffing tool (e.g. Wireshark).

3) Within the Facebook app open a chat window and send a recording.

4) Find the GET request to attachment.fbsbx.com in the captured traffic. Use any web browser to open the specified URL to obtain the recording.

12. Report Timeline

13. References

[1] http://investor.fb.com/releasedetail.cfm?ReleaseID=861599
[2] https://www.facebook.com/note.php?note_id=%20322194465300
[3] https://play.google.com/store/apps/details?id=com.facebook.orca
[4] https://play.google.com/store/apps/details?id=com.facebook.katana
[5] http://hbpub.vo.llnwd.net/o16/video/olmk/holt/greenwald/NoPlaceToHide-Documents-Compressed.pdf

14. About Fundación Dr. Manuel Sadosky

The Dr. Manuel Sadosky Foundation is a mixed (public / private) institution whose goal is to promote stronger and closer interaction between industry and the scientific-technological system in all aspects related to Information and Communications Technology (ICT). The Foundation was formally created by a Presidential Decree in 2009. Its Chairman is the Minister of Science, Technology, and Productive Innovation of Argentina; and the Vice-chairmen are the chairmen of the country’s most important ICT chambers: The Software and Computer Services Chamber (CESSI) and the Argentine Computing and Telecommunications Chamber (CICOMRA). For more information visit: http://www.fundacionsadosky.org.ar

15. Copyright Notice

The contents of this advisory are copyright (c) 2014 Fundación Sadosky and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License: http://creativecommons.org/licenses/by-nc-sa/4.0/