Security/Reviews/Gaia/FacebookIntegration

• App: Facebook Integration
• Review Date: 6th March 2003
• Review Lead: Stefan Arentz

The Facebook integration code is primarily about integrating Facebook in the contacts application. It allows you to import Facebook contacts and after that also use Facebook features from the Contacts app.

Imported contacts from Facebook have lots of meta data in the Gaia contacts database: birthday, email addresses, phone numbers, addresses and profile picture.

When on a contact detail page in the contacts app, a Facebook contact will have three additional options:

• Send Private Message
• Post to Wall
• View Facebook Profile

We do not provide UI for those features. They are simply opening up a page at https://m.facebook.com instead.

The connection to Facebook can be triggered in three ways:

• In the FTU code there is a screen that asks if you want to connect to Facebook
• In the Contacts app settings screen you can flip a switch to enable Facebook
• The dialer app allows you to open the Contacts list, which allows you to get to the settings

(Mentioning the dialer here is relevant since all apps are really the same Communications app)

In this case, 'connecting to facebook' really means that we ask the user to login to facebook and then connect to the custom Facebook app hosted at the Heroku URL. That will give us an OAuth token which can be used for further API calls to Facebook.

Components

The Facebook integration consists of a number of html pages for import contacts and an alarm handler to periodically sync in the background.

Relevant Source Code

The main source code is contained at:

• https://github.com/mozilla-b2g/gaia/tree/v1-train/apps/communications/facebook/
• https://github.com/mozilla-b2g/gaia/tree/v1-train/apps/communications/contacts/js/fb/

The following files have been looked at for this review:

• communications/contacts/js/fb/fb_contact.js
• communications/contacts/js/fb/fb_contact_utils.js
• communications/contacts/js/fb/fb_data.js
• communications/contacts/js/fb/fb_import.js
• communications/contacts/js/fb/fb_import_init.js
• communications/contacts/js/fb/fb_init.js
• communications/contacts/js/fb/fb_link.js
• communications/contacts/js/fb/fb_link_init.js
• communications/contacts/js/fb/fb_messaging.js
• communications/contacts/js/fb/fb_oauth.js
• communications/contacts/js/fb/fb_query.js
• communications/contacts/js/fb/fb_utils.js
• communications/contacts/js/fb/friends_list.js

• communications/facebook/js/console.js
• communications/facebook/js/curtain.js
• communications/facebook/js/fb_oauth_frame.js
• communications/facebook/js/fb_sync.js
• communications/facebook/js/fb_sync_init.js
• communications/facebook/js/sync_worker.js

• communications/ftu/js/fb_launcher.js

Permissions

Web Activity Handlers

Web Activity Usage

Notable Event Handlers

Facebook Permissions

The Facebook app for Contacts requires the following permissions:

• Your basic info
• Friend's profile info; descriptions, birthdays, hometowns, locations and work histories

1. XSS & HTML Injection attacks

2. Secure Communications

The code talks to the following Facebook APIs:

• https://m.facebook.com/dialog/oauth/
• https://api.facebook.com/method/phonebook.lookup
• https://graph.facebook.com/#/feed?method=POST
• https://m.facebook.com/chat/messages.php
• https://graph.facebook.com/$uid/picture
• https://www.facebook.com/logout.php

There is a serious issue with the OAuth dialog: although the initial request is secure, Facebook redirects us back to an insecure login.php page. That page and its assets, including scripts, are all loaded over an unsecure connection. The entered credentials are posted back over a secure connection but at that point an attacker could already have injected or proxied malicious code in the page.

• bug 835983 - Facebook defaults to WAP and loads insecure content
• Request trace at http://st3fan.pastebin.mozilla.org/2179505

It also talks to the following OAuth helper:

• http://intense-tundra-4122.herokuapp.com/fbowd/oauth2/flow2.html
• http://intense-tundra-4122.herokuapp.com/fbowd/dialogs_end.html
• http://intense-tundra-4122.herokuapp.com/fbowd/logout.json

The above server is for development only. It is expected that OEMs of Gaia will host their own.

This also means that each OEM will have to register a Facebook application and that there will be many Facebook applications backing all the different Firefox OS phones.

3. Secure data storage

4. Denial of Service

5. Use of Privileged APIs

6. Interfaces with other Apps/Content

7. Cross Origin Message Attacks

When the Facebook connect page is open, the frame hierarchy looks something like this:

(This is when the Facebook integration was started by clicking the Contacts button in the Dialer)

1 app://communications.gaiamobile.org/dialer/index.html#contacts-view
2-- app://communications.gaiamobile.org/contacts/index.html
3---- app://communications.gaiamobile.org/facebook/fb_oauth.html
4------ http://m.facebook.com

All these iframes depend on postMessage for inter-iframe communication.

A major issue here is that none of the iframes check the origin of the received message; this means that Facebook can use postMessage() to send messages all the way up to the Dialer app.

A proof of concept can be found in the following bug, where JavaScript code that is run in the m.facebook.com iframe can trigger a Missed Call Notification in the Dialer application.

• bug 845487 Dialer responds to cross-origin messages without verifying the source

Although that bug mentions the DIaler, the bug is really in the Facebook integration code I think. This can be avoided by uing the proper mozbrowser property on the facebook iframe and not depend on postMessage to communicate the OAuth token back.