Facebook API Abuse Can Expose Private User Data, Say Hackers

But Facebook says it is happy with its current protection measures

By Lucian Constantin

October 07, 2011 — IDG News Service — Facebook is ignoring a serious shortcoming in the way it limits application developers' access to information about Facebook users, according to a pair of hackers.

The problem is in the way Facebook's APIs (application programming interfaces) work, and could even lead to unauthorized password changes, according to hatter and ErrProne, two members of hacking think-tank Blackhat Academy.

Facebook applications use a special query language called FQL (Facebook Query Language) to extract and modify user information stored in the social network's database. This proprietary language is well documented and the information is public, allowing anyone to learn it.

Querying sensitive user information such as email addresses through FQL requires an API key, a unique identifier Facebook assigns to each app, but a lot of other private information can be extracted from the database without any such restriction. The two hackers even provided working proof-of-concept code in their advisory.

According to hatter, API keys have too much power from the moment they are issued, and obtaining one is simple. A malicious programmer could obtain and abuse an API key while the associated app was still in development. Applications have access to more data while in that phase, before they are released; after Facebook reviews an app, it will restrict its rights to allow access only to the data the app needs to function.

However, attackers don't even need their own API key to extract data. They can piggyback on the key of a legitimate app by installing it on their profile and feeding it information requests with altered user ids. Depending on the application's permissions, this technique can be used to gather information from other users with the app installed, even if those users only shared the information with their friends.

This sort of abuse would likely be detected quickly by Facebook's security team, but attackers would still have enough time to grab the information they want before being blocked.
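The piggybacking described above is, from the server's point of view, a missing authorization check: the backend verifies the app's permissions but not whether the requesting user may see the data belonging to the user id the request names. The following is an added illustration, not code from the article, from Facebook, or from Blackhat Academy. It models a tiny in-memory social graph (constructed sample users, an assumed privacy model with public / friends / only_me levels, and an assumed app id "quizapp"), shows a lookup handler with the flaw beside a hardened one that enforces the data owner's setting against the requester, and adds a simple "velocity" monitor of the kind the article's later quote refers to, flagging a caller that asks about many distinct user ids.

```python
"""Added illustration (not Facebook's or Blackhat Academy's code).

Models two points from the article on the server side:
  1. an app forwarding data requests for a caller-supplied user id, where the
     backend checks the app's permissions but not whether the *requesting*
     user may see the target's data; and
  2. a 'velocity' style check that flags a caller querying many distinct ids.
All user records, privacy levels, app ids and thresholds are constructed
sample data and assumptions, not Facebook's actual data model or API.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class User:
    uid: int
    name: str
    email: str
    friends: set = field(default_factory=set)
    email_visibility: str = "friends"      # assumed levels: public | friends | only_me
    installed_apps: set = field(default_factory=set)


# Constructed sample graph: alice and bob are friends and share email with
# friends only; mallory has no friends but has installed the same app.
USERS = {
    1: User(1, "alice", "alice@example.invalid", friends={2}, installed_apps={"quizapp"}),
    2: User(2, "bob", "bob@example.invalid", friends={1}, installed_apps={"quizapp"}),
    3: User(3, "mallory", "mallory@example.invalid", installed_apps={"quizapp"}),
}


def vulnerable_lookup(app_id: str, requester_uid: int, target_uid: int):
    """The flawed pattern: the app may read email for users who installed it,
    so the backend answers for *any* target uid the caller names."""
    target = USERS.get(target_uid)
    if target is None or app_id not in target.installed_apps:
        return None
    return {"uid": target.uid, "email": target.email}


def may_view(requester: User, target: User, visibility: str) -> bool:
    """Evaluate the data owner's privacy setting against the requesting user."""
    if requester.uid == target.uid:
        return True
    if visibility == "public":
        return True
    if visibility == "friends":
        return requester.uid in target.friends
    return False                                    # only_me or unknown level


def hardened_lookup(app_id: str, requester_uid: int, target_uid: int):
    """Same query, but the target's visibility is enforced for the requester,
    so an altered uid yields nothing the requester could not see directly."""
    requester, target = USERS.get(requester_uid), USERS.get(target_uid)
    if requester is None or target is None:
        return None
    if app_id not in requester.installed_apps or app_id not in target.installed_apps:
        return None
    if not may_view(requester, target, target.email_visibility):
        return None
    return {"uid": target.uid, "email": target.email}


class VelocityMonitor:
    """Flag an (app, requester) pair that queries many distinct target uids.
    The threshold is an assumption; a real system would also use time windows."""

    def __init__(self, max_distinct_targets: int = 5):
        self.max_distinct_targets = max_distinct_targets
        self._targets = defaultdict(set)

    def record(self, app_id: str, requester_uid: int, target_uid: int) -> bool:
        key = (app_id, requester_uid)
        self._targets[key].add(target_uid)
        return len(self._targets[key]) > self.max_distinct_targets


def simulate_altered_ids(lookup, monitor=None, requester_uid: int = 3):
    """Replay the article's scenario against a handler: one app user names
    every other uid in turn. Returns the emails obtained about *other* users
    and whether the monitor flagged the burst, so both handlers can be compared."""
    leaked, flagged = [], False
    for uid in USERS:
        if monitor is not None and monitor.record("quizapp", requester_uid, uid):
            flagged = True
        result = lookup("quizapp", requester_uid, uid)
        if result is not None and uid != requester_uid:
            leaked.append(result["email"])
    return leaked, flagged


if __name__ == "__main__":
    print("vulnerable handler:", simulate_altered_ids(vulnerable_lookup))
    print("hardened handler:  ", simulate_altered_ids(hardened_lookup))
    print("flagged at threshold 2:",
          simulate_altered_ids(vulnerable_lookup, VelocityMonitor(2))[1])
```

The point of the hardened handler is that the visibility decision is keyed on the requesting user, not on the app: the app's permission only establishes that it may act on behalf of the caller, and the caller's own relationship to the data owner decides what comes back. The monitor is deliberately separate, since detection after the fact is a backstop rather than a substitute for the authorization check.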

Blackhat Academy notified Facebook of this issue over two months ago, according to hatter, and the group decided to publish the details only because the social networking giant doesn't share its concerns.

A Facebook spokesman dismissed the claims, saying: "What this person calls an 'FQL Injection' is simply our Facebook Platform APIs working as intended."

"We have a dedicated team that does a robust review of the applications accessing our APIs. This team uses a risk-based approach, looking at applications' velocity as defined by number of users or pieces of data shared," said the spokesman. "When a potentially bad application is reported to us or detected by our systems, we act swiftly to remove or sanction it before it gains access to data."
