Saturday, September 25, 2010

The risks of Facebook's Instant Personalization program

In April, Facebook unveiled a new technology called Instant Personalization. Initially released to just Yelp, Pandora, and Docs.com, Instant Personalization has been widely misunderstood by the media and Facebook users alike.

Instant Personalization allows any site that Facebook chooses to partner with to use your current Facebook session as its own authentication system. In other words, if you are logged into Facebook when you visit Yelp.com, Yelp immediately knows who you are and some basic information about you (such as your profile photo and friends list) without any further action on your part.

From a more technical perspective: Instant Personalization is a modification to the Facebook Open Graph API that lets certain partner sites skip the application authorization step before gathering information about the current user. The partner site simply loads an external script file hosted on Facebook's site, and Facebook returns an authentication token that the site can then use to gather basic information about the user.

Many people may be perfectly fine with what I've described so far. Allowing Docs.com, Yelp.com, Pandora.com and now RottenTomatoes.com to gather my name, photo, and friends list when I visit them is not a big privacy concern to most users. In fact, Instant Personalization has been used to create a great user experience on all of these sites. It's neat to be able to see which restaurants my friends like on Yelp.com without ever needing to go through the effort of making a Yelp account and trying to rebuild my friends list.

Unfortunately, Instant Personalization also suffers from several fundamental security flaws that place all Facebook users at risk.

1. Vulnerabilities in Instant Personalization partner sites allow malicious third parties to hijack authentication tokens.

On May 11, I created a demonstration of how this flaw could be abused such that malicious 3rd party sites could get access to private information. My discovery led to two articles on TechCrunch.com in the same day -- http://techcrunch.com/2010/05/11/yelp-security-hole-puts-facebook-user-data-at-risk-underscores-problems-with-instant-personalization/ and http://techcrunch.com/2010/05/11/another-security-hole-found-on-yelp-facebook-data-once-again-put-at-risk/.

As described in the articles above, my demonstration used a cross-site scripting vulnerability in Yelp.com to hijack the authentication token that Yelp uses to get user information. Cross-site scripting vulnerabilities are one of the most prevalent security issues on the internet. I would say with a high degree of confidence that all of Facebook's current Instant Personalization partners have cross-site scripting vulnerabilities that have not yet been discovered.

Any cross-site scripting vulnerability in any Instant Personalization partner site can be used by a malicious third party to find out your name, birthday, location, school, and work information as listed on Facebook, unless you have specifically made this information private. The only action you would need to take for this to happen is clicking a malicious link or viewing an ad created by that third party. Yes, malicious advertisers now have the ability to collect all of this information about you while incorporating the names and pictures of your friends into their ads. As the Instant Personalization partnership program expands, these vulnerabilities only become easier to discover and exploit, because every new partner is another site whose bugs expose the same token.

2. Third party content on Instant Personalization partner sites has access to authentication tokens.

Any third-party JavaScript tracking tool or advertising code included on a partner page runs with the same access to the page as the partner's own code, and so can capture authentication tokens. As third-party JavaScript tools such as Get Satisfaction or Google Analytics become more popular, any of these tools could get access to Instant Personalization information. While I'm certain no reputable company would do this, less scrupulous advertisers should not be underestimated. The value of collecting the name, location, education information, and friends list of any user who views an ad is a gold mine for advertisers.


3. Authentication tokens are not sent securely.

Although the Facebook API requires that all API requests carrying an authentication token be sent to Facebook over HTTPS, all Instant Personalization partner sites currently transmit the token itself over plain HTTP, either in cookies or embedded in the page source, where anyone who can observe the network traffic (on an open wireless network, for example) can read it.


4. Instant Personalization partner sites are allowed to store data that they collect from the Facebook API indefinitely.

Five years from now, all Instant Personalization sites may still know your name, your Facebook id, and everything you've ever done on them. Docs.com will know which documents you looked at, Yelp will know which restaurants you've been to, Pandora will know what music you listened to, and RottenTomatoes will know which movies you went to see. Information that you previously had to opt in to sharing via signup or login forms is now shared by default and tied to you indefinitely. None of these sites has an easy way for users to delete this collected information.

---

On August 26, Facebook announced that it would be working to launch Instant Personalization with more partners, with a focus on providing it to startups funded by the Y Combinator venture firm: http://techcrunch.com/2010/08/26/facebook-y-combinator/. As more and more Instant Personalization partners are announced, the severity of the security flaws I described only grows.

While it's hard not to see the tremendous value that Instant Personalization provides for its partners and their users, we should not ignore the security and privacy risks it presents. The technical complexity of Instant Personalization has made those risks difficult to understand, and the simultaneous launch of Facebook's Social Plugins has only further confused users and the media. It's essential that all users become aware of the risks and make an informed decision on whether they should opt out of Instant Personalization.

The opt-out page for Instant Personalization can be found here: http://www.facebook.com/settings/?tab=privacy&section=applications&field=instant_personalization

Like this post? Please vote it up on YCNews: http://news.ycombinator.com/item?id=1727717

3 comments:

EJ said...

It seems like some of these flaws could be reduced if their APIs required that a private key be added to calls to the Open API, in addition to the authentication key delivered via JavaScript. All calls to Facebook would be done on the server side, which would take the token + private key and make authenticated requests (OpenID style). That way, if a 3rd party got ahold of the token, it wouldn't have full access to the API.

john said...

That URL to opt out of instant personalization doesn't work. From the Privacy Settings page, click "Edit your settings" under "Applications and Websites," then on the next page, click "Edit your settings" under "Instant Personalization."

sashastri said...

Hey, nice site you have here! Keep up the excellent work!

