So Facebook’s been in the news recently about their ever-degrading privacy protections and coding screwups (EFF link and Tech Crunch link). I’m not a big fan of the service, but it is a unique way to keep in touch with people you are far away from, as well as get updates on the “normal” part of their lives that don’t exactly warrant a phone call or email. Anyway, I’ve already erased almost all of my personal info because I’m paranoid. I also check up on the privacy settings to see if I’m inadvertently leaking personal info because of my own mistake or Facebook’s frequent policy changes.
I noticed an interesting feature yesterday that allows you to get an email when a computer that hasn’t been “authorized” authenticates to your account (click the Account button, then Account Settings, then Account Security). Facebook also allows you to see a log of the computers that have authenticated to your Facebook account (security guys love logs), which is cool. The log is weak on the technical side: no IP address, DNS hostname, User-Agent, etc. But it is an interesting feature that I believe banks should offer as well.
So I was about to post on Facebook to recommend it to my friends when I realized I should trust but verify. So I fired up RegShot, took a first shot, registered my laptop for the first time, and took a second shot. No surprise there: Facebook is using cookies to keep the state of the registered computer. I’m sure it’s a long, fairly random string of characters that in no way contains any login info. Let me just open that file… Oh wait. Is that my Facebook username, which of course is also my primary email address, in clear text? Now I’m no master web app designer, but c’mon, you are not supposed to put any part of the login info in the cookie; OWASP agrees (link, p. 34). XSRF and XSS are proven ways to steal cookies, so they should not be considered secure. Spammers would obviously pay more for confirmed Facebook email addresses than for the results of the average SMTP directory harvest attack. I’m sure botnet herders already parse their clients for such info and sell it on the black market.
To dig deeper I fired up WebScarab and intercepted the server response that sets the cookie. Checking the security settings on that and several other cookies the web server sets, I saw HttpOnly, an expiration date/time, and Domain and Path restrictions, which are good and help defend against cookie stealing; but why wouldn’t they hash the user ID, say by running SHA1 over the login info with the time in milliseconds or something as a salt? I admit this isn’t a HUGE deal, but when you are in the top 10 websites by traffic in the world and your only “product” is other people’s personal info, you’d think they would be pretty conservative when it comes to exposing 50% of the info needed to log in. Facebook’s history of coding errors and, in general, their opinion that data should be open to everyone is really becoming concerning.
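As an added illustration of the two checks above (this is example code written for this post, not Facebook’s code and not anything recovered from their cookies), the Python script below audits a set of constructed Set-Cookie headers the way you would after intercepting them in a proxy: it looks for the login identifier in the cookie value in clear text, URL-encoded, base64 or hex form, since encoding is not protection, and it reports a missing HttpOnly or Secure flag and a missing expiry. It then shows the server-side alternative to stuffing the login ID into the cookie. A hash of a guessable identifier can still be matched against a candidate address if the salt is recoverable, so the example instead issues a random opaque device token and stores only its SHA-256 digest in a server-side table, which is what the cookie carries. The cookie names and values, the placeholder address user@example.com, and every function name here are constructed for the example.

```python
"""Audit Set-Cookie headers for leaked login identifiers and missing hardening flags.

Added example for this post; not Facebook's code. Cookie names, values and the
login identifier are constructed placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import unquote

LOGIN_ID = "user@example.com"  # constructed placeholder for the account's login email

# Constructed sample of Set-Cookie headers as an intercepting proxy would show them.
SAMPLE_SET_COOKIE_HEADERS = [
    # opaque value, HttpOnly, Secure, bounded lifetime: the shape a state cookie should have
    "datr=Zm9vYmFyMTIzNDU2Nzg5; expires=Thu, 15 May 2012 10:00:00 GMT; "
    "path=/; domain=.example.com; secure; httponly",
    # hypothetical registered-computer cookie carrying the login email URL-encoded
    "reg_dev=user%40example.com; expires=Thu, 15 May 2012 10:00:00 GMT; "
    "path=/; domain=.example.com; httponly",
    # hypothetical cookie hiding the same identifier behind base64, with no flags at all
    "ref=dXNlckBleGFtcGxlLmNvbQ==; path=/; domain=.example.com",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value-or-True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # flag attributes such as Secure and HttpOnly have no value
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def encodings_of(identifier):
    """Forms in which an identifier commonly shows up inside a cookie value."""
    raw = identifier.encode()
    return {
        "clear text": identifier.lower(),
        "base64": base64.b64encode(raw).decode(),  # aligned encoding only
        "hex": raw.hex(),
    }


def audit_cookie(header, login_id):
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    decoded = unquote(value)  # so %40 is compared as '@'
    for label, needle in encodings_of(login_id).items():
        haystack = decoded if label == "base64" else decoded.lower()
        if needle in haystack:
            findings.append(f"value contains the login identifier ({label})")
    if attrs.get("httponly") is not True:
        findings.append("missing HttpOnly")
    if attrs.get("secure") is not True:
        findings.append("missing Secure")
    if "expires" not in attrs and "max-age" not in attrs:
        findings.append("no expiry set")
    return name, findings


def audit_all(headers, login_id):
    """Audit every header and map cookie name to its findings."""
    return dict(audit_cookie(h, login_id) for h in headers)


def issue_device_token(login_id, server_store):
    """Server-side alternative: a random opaque token stands in for the login ID.

    Only the SHA-256 digest of the token is stored, so a leaked table does not
    hand out values that work as cookies."""
    token = secrets.token_urlsafe(32)
    server_store[hashlib.sha256(token.encode()).hexdigest()] = login_id
    return token


def resolve_device_token(token, server_store):
    """Look a presented token up by its digest; None if unknown."""
    return server_store.get(hashlib.sha256(token.encode()).hexdigest())


def build_set_cookie(name, value, domain, max_age):
    """Emit a hardened Set-Cookie header for an opaque token."""
    return (f"{name}={value}; Max-Age={max_age}; Path=/; Domain=.{domain}; "
            "Secure; HttpOnly")


if __name__ == "__main__":
    for cookie, findings in audit_all(SAMPLE_SET_COOKIE_HEADERS, LOGIN_ID).items():
        print(cookie, "->", findings or "ok")
    store = {}
    token = issue_device_token(LOGIN_ID, store)
    hardened = build_set_cookie("reg_dev", token, "example.com", 30 * 86400)
    print(hardened)
    print("resolves to", resolve_device_token(token, store))
    print("hardened audit ->", audit_cookie(hardened, LOGIN_ID)[1] or "ok")
```

Run it on real headers by replacing the constructed list with the Set-Cookie lines your proxy captured and LOGIN_ID with the address you log in with; any “value contains the login identifier” finding is the problem the post describes, and the flag findings are the attributes to ask for. The server-side half is deliberately a plain dictionary so the idea is visible: the cookie carries a random value, the mapping back to the account lives only on the server, and the token itself is never stored.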
Cookie Information. We use “cookies” (small pieces of data we store for an extended period of time on your computer, mobile phone, or other device) to make Facebook easier to use, to make our advertising better, and to protect both you and Facebook. For example, we use them to store your login ID (but never your password) to make it easier for you to login whenever you come back to Facebook. …snip…