Monday, 13 June 2011

Something that has been bugging me for a while

Do you have a facebook account? Rhetorical question, of course you do. If you don't, well then you can leave now because this post is all about *drumroll* FACEBOOK! Seeing as how it is on my blog, one can safely assume that it is about facebook security. So, what have facebook done now? They are protecting you from them.

Confused? So was I. Basically they have started up this new scheme to prevent Cross-Site Scripting (XSS), Clickjacking and other scripting-based vulnerabilities. Some of you may be unfamiliar with scripting and the vulnerabilities therein. Most modern webpages serve up dynamic content, making the experience different for each user. A good example of this is your facebook newsfeed, which is different from your friend's feed.

This is all achieved using scripting. A script is essentially some sort of program code that runs within your web-browser. The catch is, you never explicitly execute the scripts like you do programs. They are embedded in the webpage and are executed when you open the webpage, or at some other suitable trigger. The problem then is that people could embed malicious scripts into pages and you will not realise they have run, until it's too late.

I'm sure you've all had that one friend who has posted the same spam link to everybody and 10 minutes later warned you not to click it. That is basically what these malicious scripts do. So, facebook decided that they need to address the issue, which they did pathetically.

What they have done is now they "read" your URLs and check them for any script. Again, ANY script. That means that if any script is detected, you will be logged out of facebook instantly as a security precaution. You may wonder why this is a problem. Well, as alluded to earlier, almost all actions on facebook are scripts: seeing more items in your news feed, liking a post, commenting on a post, writing on somebody's wall, the chat feature. Everything is a script. So now, facebook sees you trying to do something legitimate and decides to kick you out. It doesn't always happen, but it's often enough to be mildly aggravating.
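As an added illustration (this is not code from the original post, and facebook's actual filter is not public, so the needle list, URLs and function names below are all my own constructed assumptions), here is a JavaScript sketch of the kind of "does the URL look like script?" check described above, placed beside the approach that makes such a check unnecessary: encoding untrusted data for the HTML context it is rendered into, so that a payload is inert whether or not it "contains script".

```javascript
// Added illustration, not facebook's code: a keyword-based URL filter of the
// style the post complains about, beside contextual output encoding.

// Naive request filter: flag the request (log the user out) if the decoded
// URL contains anything that smells like script. The needle list is a
// constructed assumption, not a real product's rule set.
function naiveScriptFilter(url) {
  const needles = ["<script", "javascript:", "onerror=", "onload=", "script"];
  const lower = decodeURIComponent(url).toLowerCase();
  return needles.some((n) => lower.includes(n)); // true = "kick the user out"
}

// Contextual output encoding: escape the five HTML-significant characters
// before placing untrusted data into an HTML text or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Render a comment body the safe way: the payload stays text, so there is
// nothing to detect and nobody to log out.
function renderComment(untrusted) {
  return `<p class="comment">${escapeHtml(untrusted)}</p>`;
}

// Constructed sample inputs (not real facebook URLs or posts). Both URLs are
// perfectly legitimate; they merely contain the substring "script".
const legitimateUrls = [
  "https://example.test/notes?field=description",        // de-SCRIPT-ion
  "https://example.test/ajax/feed?section=subscriptions", // sub-SCRIPT-ions
];
const hostilePayload = "<script>alert(1)</script>";

// How many innocent users the naive filter would throw out.
function countFalsePositives() {
  return legitimateUrls.filter(naiveScriptFilter).length;
}

console.log("false positives:", countFalsePositives());
console.log("rendered safely:", renderComment(hostilePayload));
```

The point of the side-by-side: a blocklist on the request has to guess what "script" looks like and trips over ordinary words, while encoding at the output boundary works the same for every input and never has to log anyone out.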

It's bad enough that you have to re-login, but what's even worse is that you go through the following two screens (full size images here and here), and then a 3rd asking if you would like to share a link explaining how great facebook security is. Honestly, I would rather have a red-hot iron bar slapped onto my arm. This is because if you read the messages carefully, you will notice a couple of "< br >" tags popping up.

This is not a security issue, but it does mean that whomsoever wrote those pages is probably a moron! "< br >" was/is the tag used in HTML to induce a line break. However, newer standards such as XHTML and HTML5 insist on using "< br />" for technical reasons. Believe me, it's a good idea. So, this led me to the conclusion that most facebook web developers have written sloppy HTML/PHP/JScript/whatever else they use, and that is causing the "safety filter" to go off at least twice a week on my account. Also, I'm not sure how good the code for the "filter" is. I have very low expectations.

The first time I was logged out by this "filter", I was impressed that facebook had implemented such a feature. I guess that they had some bugs in it, which was understandable. With each subsequent occurrence of me being "filtered out", I grew more sceptical. Then when I saw the horrendous HTML code in the warnings, I gave up hope and waited for it to happen again to make screen shots.

I didn't have to wait too long. Most people would say "Well, at least they tried!" To which I reply, "Welcome to cyber-security, where a half-assed attempt doesn't count!" Really, facebook, get your act together and actually make an attempt, and then maybe I'll be impressed and stop writing evil comments on your security fan pages.
