Security/Reviews/Gaia/FacebookIntegration: Difference between revisions
No edit summary |
(Adding some comments about datastore api) |
||
| Line 162: | Line 162: | ||
The Facebook integration code caches Facebook contacts. It caches the raw Facebook API record, which might contain a bit more info than is actually used by Gaia for the contacts. | The Facebook integration code caches Facebook contacts. It caches the raw Facebook API record, which might contain a bit more info than is actually used by Gaia for the contacts. | ||
This [https://developer.mozilla.org/en-US/docs/Web/API/Data_Store_API datastore] can be access just from certified apps, that means Firefox OS core apps like dialer or sms. | |||
It also stores the OAuth token in <code>asyncStorage</code>. (Async wrapper around IndexedDB) | It also stores the OAuth token in <code>asyncStorage</code>. (Async wrapper around IndexedDB) | ||
A number of basic bookkeeping values are also stored in <code>asyncStorage</code>, like the number of facebook friends, the time last updated, etc. | A number of basic bookkeeping values are also stored in <code>asyncStorage</code>, like the number of facebook friends, the time last updated, etc. | ||
That data as it's on an indexedDB cannot be used outside the application scope. | |||
====4. Denial of Service ==== | ====4. Denial of Service ==== | ||
Latest revision as of 23:46, 26 March 2015
App Review Details
- App: Facebook Integration
- Review Date: November 22th 2013
- Review Lead: Stéphanie Ouillon
- Bugs: https://bugzilla.mozilla.org/showdependencytree.cgi?id=847929&hide_resolved=0
{bug|941199}
- Reviewed branch: master
- Latest commit: https://github.com/mozilla-b2g/gaia/commit/9470d15828db48a5558c63a3d9981df9e72eb624
Overview
The Facebook integration code is primarily about integrating Facebook in the Contacts application. It allows you to import Facebook contacts and after that also use Facebook features from the Contacts app.
Imported contacts from Facebook have lots of meta data in the Gaia contacts database: birthday, email addresses, phone numbers, addresses and profile picture.
When on a contact detail page in the contacts app, a Facebook contact will have three additional options:
- Send Private Message
- Post to Wall
- View Facebook Profile
We do not provide UI for those features. They are simply opening up a page at https://m.facebook.com instead.
The connection to Facebook can be triggered in three ways:
- In the FTU code there is a screen that asks if you want to connect to Facebook
- In the Contacts app settings screen you can flip a switch to enable Facebook
- The dialer app allows you to open the Contacts list, which allows you to get to the settings
(Mentioning the dialer here is relevant since all apps are really the same Communications app)
In this case, 'connecting to facebook' really means that we ask the user to login to facebook and then connect to the custom Facebook app hosted by the partner. That will give us an OAuth token which can be used for further API calls to Facebook.
Architecture
Components
The Facebook integration consists of a number of html pages for import contacts and an alarm handler to periodically sync in the background.
Relevant Source Code
The main source code is contained at:
- https://github.com/mozilla-b2g/gaia/tree/master/apps/communications/facebook/
- https://github.com/mozilla-b2g/gaia/tree/master/apps/communications/contacts/js/fb/
The following files have been looked at for this review:
In communications:
- ./contacts/js/fb/fb_contact.js - Encapsulates the logic to obtain the data for a DB Contact
- ./contacts/js/fb/fb_contact_utils.js - Utilities to get/display contacts info
- ./contacts/js/fb/fb_data.js - Defines proxy methods for fb_data_reader
- ./contacts/js/fb/fb_init.js - Load contacts/config.json settings for facebook
- ./contacts/js/fb/fb_link.js - Ask a contact to be a Facebook FB and manages proposals
- ./contacts/js/fb/fb_link_init.js
- ./contacts/js/fb/fb_messaging.js - Post a message on the wall, send a private message
- ./contacts/js/fb/fb_query.js - Performs FQL queries through FB APIs to get friends
- ./contacts/js/fb/fb_utils.js
- ./contacts/js/fb/friends_list.js - Friends list renderer
Sync Facebook friends (update an existing imported contacts list):
- ./facebook/js/console.js - Send log/error post messages
- ./facebook/js/curtain.js - UI to display state messages when authenticating to FB (fb_oauth_frame) and when searching contacts (contacts/js/fb/fb_link.js)
- ./facebook/js/facebook_connector.js - Handles retrieved contacts data from FB
- ./facebook/js/fb_oauth_frame.js
- ./facebook/js/fb_sync.js - starts the worker for sync and save the new data to cache
- ./facebook/js/fb_sync_init.js - Manages alarms to wake up FB sync
- ./facebook/js/sync_worker.js - process the queries to sync data
[[File:Facebook_sync_friends.jpg|700px]]
- ./ftu/js/services_launcher.js
Shared code (using the DataStore API in Contacts and later in Sms:):
- shared/js/fb/fb_data_reader.js - Reader module for FB data in Datastore
- shared/js/fb/fb_reader_utils.js
- shared/js/fb/fb_request.js - request auxiliary object to support asynchronous calls
- shared/js/fb/fb_tel_index.js - Prefix tree for FB tel numbers
Permissions
Web Activity Handlers
Web Activity Usage
redirections:
"redirects": [
{"from": "facebook",
"to": "/redirects/redirect.html"},
{"from": "facebook_dialogs",
"to": "/redirects/dialogs_end.html"},
{"from": "facebook_logout",
"to": "/redirects/logout.json"},
],
The destinations of these redirections are specified in /build/communications_services.json.
System messages
alarms:
"messages": [
{ "alarm": "/facebook/fb_sync.html" },
],
Used in fb_sync_init.js : alarm to wake up a FB sync
Post Messages
Post Messages are used internally in the scope of app://communications.gaiamobile.org.
Notable Event Handlers
Facebook Permissions
The Facebook app for Contacts requires the following permissions:
- Your basic info
- Friend's profile info; descriptions, birthdays, hometowns, locations and work histories
Code Review Notes
1. XSS & HTML Injection attacks
The facebook integration code borrows a really nice template engine from the Contacts app. Unfortunately the template engine does no HTML escaping. This means that the code calling the engine MUST be absolutely sure that the content that will be put in the template is already properly sanitized.
TODO I do not think the data taken from Facebook API is sanitized before it is inserted into the document. Is it fair to assume that Facebook cleans up things? I doubt it.
2. Secure Communications
The code talks to the following Facebook APIs:
- To get friends: https://graph.facebook.com/fql?q= + query
- For posting to user’s wall: https://graph.facebook.com/#/feed?method=POST
- For posting to the wall: https://m.facebook.com/dialog/feed?
- For sending private message: https://m.facebook.com/compose_message/?uid=
- For getting a contact’s image: https://graph.facebook.com/$uid/picture
- For logging out of the service: https://www.facebook.com/logout.php?
There is a serious issue with the OAuth dialog: although the initial request is secure, Facebook redirects us back to an insecure login.php page. That page and its assets, including scripts, are all loaded over an unsecure connection. The entered credentials are posted back over a secure connection but at that point an attacker could already have injected or proxied malicious code in the page.
Each OEM will have to register a Facebook application and that there will be many Facebook applications backing all the different Firefox OS phones.
I am not sure if the app correctly escapes incoming contact data received from the Facebook API. Filed the following bug for someone to confirm:
- bug 851213 Facebook import screen screen does not seem to escape contact data
3. Secure data storage
Uses a datastore:
"datastores-owned": {
"Gaia_Facebook_Friends": {
"description": "Imported Facebook Friends"
}
}
The Facebook integration code caches Facebook contacts. It caches the raw Facebook API record, which might contain a bit more info than is actually used by Gaia for the contacts.
This datastore can be access just from certified apps, that means Firefox OS core apps like dialer or sms.
It also stores the OAuth token in asyncStorage. (Async wrapper around IndexedDB)
A number of basic bookkeeping values are also stored in asyncStorage, like the number of facebook friends, the time last updated, etc.
That data as it's on an indexedDB cannot be used outside the application scope.
4. Denial of Service
5. Use of Privileged APIs
The code uses XMLHTTPRequest with the mozSystem flag to make calls to the Facebook API.
6. Interfaces with other Apps/Content
7. Cross Origin Message Attacks
Security Risks & Mitigating Controls
Summary
Bugs that need attention:
- bug 851213 Facebook import screen screen does not seem to escape contact data