Recently making the rounds is this hack against the Facebook Moods application, currently installed by over 84,000 users. By manipulating the fb_sig_user parameter, an attacker can alter the mood of any user who has the application enabled: the application takes the client-supplied user identifier at face value when deciding whose mood it is updating.
Though this is just another manifestation of an authorization bypass issue, the security community should coin a new buzzword to describe these vulnerabilities when they are specific to social networking applications. Given the increasing prevalence of social networking sites and extensible APIs, it seems the logical thing to do. One need only think back to Cross Build Injection (XBI) and Cross-Site Printing (XSP) to appreciate the importance of a shiny new acronym for raising the visibility of such a critical risk. I propose that, going forward, security practitioners refer to these vulnerabilities as Cross Social Networking Application Direct Object Reference (XSNADOR). That's pronounced eks-SNEY-dohr, in case you were wondering.
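For readers who want to see what an XSNADOR looks like in code, here is a constructed example (mine, not the Moods application's code, and not taken from the original post). It models a mood-update handler that trusts fb_sig_user directly, next to one that first verifies the platform's request signature so that fb_sig_user can only name the user the platform actually authenticated. The signature scheme is an assumption for this example, modeled on the legacy fb_sig check (MD5 over the sorted fb_sig_* pairs with the prefix stripped, followed by the application secret); the secret, user ids, timestamps and moods are all made up.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed application secret for this example; a real one lives in
# configuration and is never shared with the client.
APP_SECRET = "example-app-secret"


def compute_fb_sig(params: Dict[str, str], secret: str) -> str:
    """Recompute the signature the platform would have attached to a request.

    Assumed scheme (legacy fb_sig): take every fb_sig_* parameter, strip the
    prefix, sort by name, concatenate as name=value, append the app secret,
    and MD5 the result. The fb_sig parameter itself is not part of the input.
    """
    pairs = sorted(
        (name[len("fb_sig_"):], value)
        for name, value in params.items()
        if name.startswith("fb_sig_")
    )
    payload = "".join(f"{name}={value}" for name, value in pairs)
    return hashlib.md5((payload + secret).encode("utf-8")).hexdigest()


def sign_request(params: Dict[str, str], secret: str) -> Dict[str, str]:
    """Stand-in for the platform: attach fb_sig to a set of fb_sig_* params."""
    signed = dict(params)
    signed["fb_sig"] = compute_fb_sig(params, secret)
    return signed


def verify_fb_sig(params: Dict[str, str], secret: str) -> bool:
    """True only if fb_sig matches the fb_sig_* parameters as received."""
    sig = params.get("fb_sig")
    if sig is None:
        return False
    try:
        # Constant-time comparison; compare_digest rejects non-ASCII input.
        return hmac.compare_digest(sig, compute_fb_sig(params, secret))
    except TypeError:
        return False


def set_mood_vulnerable(moods: Dict[str, str], params: Dict[str, str],
                        new_mood: str) -> str:
    """The XSNADOR: whoever the client claims to be is whose mood we change."""
    user = params["fb_sig_user"]          # attacker-controlled
    moods[user] = new_mood
    return user


def set_mood_fixed(moods: Dict[str, str], params: Dict[str, str],
                   new_mood: str, secret: str = APP_SECRET) -> Optional[str]:
    """Only act on an identity the platform vouched for via the signature."""
    if not verify_fb_sig(params, secret):
        return None                       # tampered or unsigned: refuse
    user = params["fb_sig_user"]          # now bound to the signed request
    moods[user] = new_mood
    return user


def demo() -> Dict[str, Optional[str]]:
    """Replay the attack against both handlers and report what each did."""
    # The attacker (1001) receives a legitimately signed request for itself...
    attacker_request = sign_request(
        {"fb_sig_user": "1001", "fb_sig_time": "1238544000"}, APP_SECRET)
    # ...then rewrites fb_sig_user to the victim (1002). fb_sig is now stale.
    tampered = dict(attacker_request)
    tampered["fb_sig_user"] = "1002"

    before = {"1001": "smug", "1002": "content"}   # constructed mood store
    vuln_store, fixed_store = dict(before), dict(before)
    return {
        "vulnerable_changed": set_mood_vulnerable(vuln_store, tampered, "grumpy"),
        "vulnerable_victim_mood": vuln_store["1002"],
        "fixed_changed": set_mood_fixed(fixed_store, tampered, "grumpy"),
        "fixed_victim_mood": fixed_store["1002"],
        "fixed_self": set_mood_fixed(fixed_store, attacker_request, "grumpy"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler happily sets user 1002's mood to "grumpy" on the attacker's say-so; the fixed one refuses the tampered request and still lets the attacker change their own mood. Note that a signature check alone does not stop replay of an old, validly signed request, so a real handler would also bound fb_sig_time to a short freshness window.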
XSNADOR attacks are very common; they have simply lacked a catchy label for the media to latch on to. Look at all of these Facebook application hacks published last summer. These bugs would have had much greater visibility as XSNADOR attacks -- maybe even enough visibility for the author to continue posting. The blogosphere and the twittersphere would have been abuzz, raising the level of awareness everywhere.
If you have a security blog, feel free to take part in a little Cross-Publicity Injection (XPI) and discuss this newly discovered application security risk with your readership. Help spread the word about XSNADOR! Bonus points for every acronym you reference in your post.
Happy April 1st everyone!