A vulnerability in the Facebook Application API allows the construction of a
malicious Facebook application that collects user's personal information
including: Full name, profile picture and friends list. Full name and
picture of the friends are also accessible. The information is collected
without user knowledge or consent.

It is possible to launch the attack via an HTML IMG tag which greatly
increases the severity of the breach because there is no need to have the
user access the attacker's site. Instead, any online blog or forum that
allows IMG tags in comments can be used. The user needs only to load the
relevant page to launch the attack. The attack elegantly ends with a valid
image so the page renders normally, and the attacked user does not notice
that anything peculiar has happened

This amounts to a unique kind of CSRF attack in which both the user's
browser is tricked into performing an action without user consent (divulging
personal information), and the attacker's server is the direct recipient of
this action (via the Facebook app server).

Demonstration and discussion of the attack:
   http://blog.quaji.com/2009/07/facebook-personal-info-leak.html

Full disclosure and details:
   http://blog.quaji.com/2009/08/facebook-csrf-attack-full-disclosure.html


The specific vulnerability used here has just been patched by Facebook, but
it's likely that it is still possible to launch this type of attack using
other mechanisms and other social networks.


Ronen Zilberman
http://quaji.com