Wednesday, March 03, 2010

facebook and browser security

It's been less than a year since I joined facebook, after a long battle of keeping social networking sites at arm's length.  I was surprised at just how much fun it was, which really has only so much to do with facebook, and so much more to do with all my friends from high school, and my relatives I hadn't seen for years.

One of my initial concerns with facebook (and any social networking site) was security, both technical security (someone posting a virus disguised as an archive of pictures, to take a real example) and social engineering (say you leave a post about going on vacation for two weeks ... and the "wrong" people see it and break into your house while you're away).  But those issues are largely avoidable as long as the end user is careful: don't trust a file you don't know (scan it!), and beware of TMI in your posts.

But as of this morning, I have a new security concern with facebook - about:blank.  When I tried to accept a friend request this morning, nothing would happen;  when I tried to post a comment - nothing; basically, as of this morning none of the buttons on facebook work for me anymore.  And the reason why?  They are all attempting to run scripts from "about:blank".

Let me back up just a bit.  I deal with web security as part of my job, and as such I am just a bit more paranoid, and run tools to avoid common network threats.  I use Firefox as my web browser, and a plug-in called NoScript that warns me when a site is trying to run a script from an untrusted source.  And what is an untrusted source?  Let's put it this way: if I'm on cnn.com and that page needs to run a script that comes from cnn.com, that's okay, that's trusted.  If it's trying to run a script from virusworld.net or from someone's bare IP address, that's NOT okay!  Basically, a script has to come from the same domain as the page that is trying to run it, or from a domain I have explicitly told NoScript to allow.  If not, NoScript blocks it.

Once a script has been blocked, I can tell NoScript "it's okay, I trust that site".  I've done this for a number of apps that I am aware of and trust (amazon has a number of scripts from their a3.com domain, for example - I know where they're coming from and trust them).  So, in most cases, if I trust the site the script comes from, it's really not a problem.  I just tell NoScript to allow it.

The problem is, "about:blank" is not really a site.  It's the empty document a browser shows when a frame or window is opened with no URL, and there is no server behind it that a script could have been loaded from.  When NoScript reports a script from "about:blank", it means a page has opened a blank frame and written script into it directly, so that script runs with the page's privileges without ever having had a domain of its own that a whitelist could name.  That is also why about: URLs have been a known trouble spot in some browsers: if the browser can be tricked into treating such a script as local content rather than as content from the site that injected it, it does not apply the same security it would to a script fetched from across the internet.

In other words, the developers at facebook are now doing something that any web developer with a half-hour security class should know is absolutely WRONG to do!  And there's absolutely no reason for them to use this method unless they PLAN on doing something malicious!  (I still hope they did it because they were clueless, rather than malicious ...)

Now, I could tell NoScript to allow "about:blank", but because about:blank has no domain, that rule wouldn't be tied to facebook at all: ANY SITE that writes a script into a blank frame would get through - not what I want at all.
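To make the allow-list reasoning above concrete (the same-domain rule, the per-site whitelist, and why an entry for "about:blank" can't be tied to one site), here is a small model of that decision.  It is an added example written for this post, not NoScript's code, and it does not reproduce NoScript's actual rules.  It assumes, as simplifications, that "same domain" means the last two labels of the hostname match (real tools consult the public suffix list) and that an allow-list entry also covers its subdomains.  It treats data: URLs the same way as about: ones, since they have no host either, which goes a little beyond the post; the page URLs and script URLs in it are constructed for illustration.

```javascript
// Added example, not NoScript's code: a toy model of a per-site script
// allow list of the kind described in the post.
// Assumptions (not from the post): "same domain" = last two DNS labels
// match, and an allow-list entry covers its subdomains.

// Last two DNS labels of a hostname, e.g. "www.cnn.com" -> "cnn.com".
// Simplification: real code would use the public suffix list.
function baseDomain(host) {
  const labels = host.split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

// Describe where a script really comes from.  about: and data: URLs carry
// no host at all; the only meaningful origin is the page that created the
// blank frame and wrote the script into it, and browsers run such script
// with that page's privileges.
function scriptSource(src, pageUrl) {
  const page = new URL(pageUrl);
  const u = new URL(src, page);          // resolve a relative src against the page
  if (u.protocol === 'about:' || u.protocol === 'data:') {
    return { hostless: true, host: page.hostname, label: u.href };
  }
  return { hostless: false, host: u.hostname, label: u.hostname };
}

// True when host is an allowed entry or a subdomain of one.
function hostAllowed(host, allowed) {
  return allowed.some(a => host === a || host.endsWith('.' + a));
}

// The allow/block decision: returns "allow" or "block".
function decide(src, pageUrl, allowed) {
  const page = new URL(pageUrl);
  const s = scriptSource(src, pageUrl);
  if (s.hostless) {
    // Keying a rule on the literal "about:blank" would match every site's
    // injected frames (the post's concern), so the rule is keyed on the
    // page that injected the script instead.
    return hostAllowed(s.host, allowed) ? 'allow' : 'block';
  }
  if (baseDomain(s.host) === baseDomain(page.hostname)) return 'allow';  // same domain
  return hostAllowed(s.host, allowed) ? 'allow' : 'block';                // whitelisted?
}

// What to add to the allow list if you decide to trust a blocked script:
// for a hostless source that is the injecting site, never "about:blank".
function suggestedEntry(src, pageUrl) {
  const s = scriptSource(src, pageUrl);
  return s.hostless ? baseDomain(s.host) : s.host;
}

// Constructed sample inputs, run stand-alone.
const allowList = ['example.net'];
console.log(decide('https://static.cnn.com/a.js', 'https://www.cnn.com/', allowList));   // allow
console.log(decide('https://virusworld.net/x.js', 'https://www.cnn.com/', allowList));   // block
console.log(decide('about:blank', 'https://www.facebook.com/', allowList));              // block
console.log(suggestedEntry('about:blank', 'https://www.facebook.com/'));                // facebook.com
```

The point of suggestedEntry is the practical one: when a blocked script shows up as about:blank, the thing worth allowing (if anything) is the site that injected it, so an entry for one site never lets another site's blank-frame scripts through.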

So, I may be done with facebook.  It hasn't even been a day, and I am sincerely hoping the facebook developers realize their glaring error and remove this reliance on "about:blank" (after all, it worked before without introducing this security hole).  But, until they fix the issue, you probably won't see much of me on facebook (unless I post something through this blog or YouTube).

Again, I hope they fix their mistake very soon.  I absolutely LOVED getting back in touch with everyone!