Recently making the rounds is this hack against the Facebook Moods application, currently installed by over 84,000 users. By manipulating the fb_sig_user parameter, it’s possible to alter the mood of any user who has the application enabled.
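The bug class behind that hack is a handler that takes the acting user's id straight from the request instead of from something the platform vouches for. The following is an added example, not code from the Moods application or from this post: a vulnerable mood-update handler beside a hardened one that recomputes the legacy fb_sig signature before trusting fb_sig_user. The signature scheme (sorted fb_sig_* pairs, prefix stripped, concatenated and MD5'd with the application secret), the secret, the user ids and the in-memory store are all assumed or constructed here.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values; the real secret and user ids are not on the page.
APP_SECRET = "example-app-secret"
MOODS = {"1001": "happy", "2002": "calm"}  # constructed store: user id -> mood


def fb_sig_signature(params: dict, app_secret: str) -> str:
    """Recompute the platform signature (assumed scheme, as in the old client
    libraries): take every fb_sig_* parameter, strip the prefix, sort by name,
    join as name=value, append the app secret, and MD5 the result."""
    payload = "".join(
        f"{key[len('fb_sig_'):]}={value}"
        for key, value in sorted(params.items())
        if key.startswith("fb_sig_")
    )
    return hashlib.md5((payload + app_secret).encode()).hexdigest()


def update_mood_vulnerable(params: dict, store: dict) -> str:
    """The bug class described above: the user id is read straight from the
    request, so whoever sends the request decides whose mood is changed."""
    store[params["fb_sig_user"]] = params["mood"]
    return params["fb_sig_user"]


def update_mood_hardened(params: dict, store: dict, app_secret: str) -> Optional[str]:
    """Only act on a user id the platform signed: a tampered fb_sig_user no
    longer matches fb_sig, so the request is refused and nothing is written."""
    expected = fb_sig_signature(params, app_secret)
    if not hmac.compare_digest(expected, params.get("fb_sig", "")):
        return None
    store[params["fb_sig_user"]] = params["mood"]
    return params["fb_sig_user"]


def signed_request(user: str, mood: str, app_secret: str) -> dict:
    """Build a request the way the platform would sign it (constructed)."""
    params = {"fb_sig_user": user, "fb_sig_time": "1238544000", "mood": mood}
    params["fb_sig"] = fb_sig_signature(params, app_secret)
    return params
```

Changing fb_sig_user in a signed request breaks the signature check in the hardened handler, while the vulnerable handler happily writes the other user's mood.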

Though this is just another manifestation of an authorization bypass issue, the security community should coin a new buzzword to describe these types of vulnerabilities when they are specific to social networking applications. Given the increasing prevalence of social networking sites and extensible APIs, it seems the logical thing to do. One need only think back to Cross Build Injection (XBI) and Cross-Site Printing (XSP) to realize the importance of a shiny new acronym to raise the visibility of such a critical risk. I propose that, going forward, security practitioners should refer to these vulnerabilities as Cross Social Networking Application Direct Object Reference (XSNADOR). That's pronounced eks-SNEY-dohr, in case you were wondering.

XSNADOR attacks are very common; they have simply lacked a catchy label for the media to latch on to. Look at all of these Facebook application hacks published last summer. These bugs would have had much greater visibility as XSNADOR attacks -- maybe even enough visibility for the author to continue posting. The blogosphere and the twittersphere would have been abuzz, raising the level of awareness everywhere.

If you have a security blog, feel free to take part in a little Cross-Publicity Injection (XPI) and discuss this newly-discovered application security risk with your readership. Help spread the word about XSNADOR! Bonus points for every acronym you reference in your post.

Happy April 1st everyone!

About Chris Eng

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.
