Friday, May 25, 2012

Yahoo and Facebook team up to snarf usage data

Yahoo now requires you to sign an agreement when you use its comment system to leave comments on political news.  The agreement gives Yahoo the right to use any Facebook data it deems necessary and, naturally, excludes Yahoo from all liability for taking and using whatever data it wants.  If you have already clicked through the agreement blindly, you may want to go back and read the agreement text.

Yahoo and Facebook use a "nonce", a one-time key assigned to a user for a specific session, which generally changes over time.  This is meant to stop cookie replay or man-in-the-middle attacks, but it does nothing useful against "boy in the browser" attacks or XSRF.  XSRF is particularly effective against sites like Facebook, Google, Yahoo etc. which keep you logged in 24x7x365 unless you explicitly log out.  Facebook thoughtfully keeps you logged in even when you log out, because they know you really don't ever want to leave...

The downside with sites like YouTube/Gmail and Facebook is that if you poke around Anonymous posts long enough you will find that they are actively exploiting your perpetually logged-in status, and the nonce system does nothing to stop your browser from making the evil request on your behalf. I found a link posted by an Anon member which opened up blogger.com and activated the change-password page.  This issue illustrates the danger of the perpetual login session which all of the big-brother-style systems are implementing.  When sites keep you perpetually logged in in order to watch your behavior and to provide "convenience", they leave themselves open to the possibility of a world-wide breach which could be exploited quickly to reach 100% of systems that view the poisoned page.
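To make the mechanism concrete, the following is an added example written for this post; it is not Yahoo's, Facebook's or Blogger's code, and the hostnames, paths, cookie and field names are assumptions. It models the browser attaching the session cookie to a POST no matter which page issued it, so a change-password handler that trusts only the session-bound nonce accepts a request forged from a poisoned page. It goes one step beyond the text by also showing a per-request form token, which the cross-site page cannot read, so the forged request is rejected while the legitimate one still succeeds.

```python
"""Constructed model of cross-site request forgery against a perpetually
logged-in account. Nothing here talks to a real site; all names are assumed."""

import secrets
from dataclasses import dataclass
from typing import Dict, Optional

SITE_ORIGIN = "https://social.example"      # assumed hostname of the "super-site"
ATTACK_ORIGIN = "https://poisoned.example"  # assumed hostname of the page carrying the forged request


@dataclass
class Session:
    user: str
    nonce: str        # session-bound key, rotates over time, carried in a cookie
    form_token: str   # per-session secret that must be echoed in the POST body
    password: str = "old-pass"


@dataclass
class Request:
    method: str
    path: str
    cookies: Dict[str, str]
    body: Dict[str, str]
    origin: Optional[str] = None   # Origin header as set by the browser (assumed present)


SESSIONS: Dict[str, Session] = {}


def login(user: str) -> Session:
    """Create a session; the browser stores the nonce cookie and attaches it to every request."""
    s = Session(user, secrets.token_hex(16), secrets.token_hex(16))
    SESSIONS[s.nonce] = s
    return s


def browser_submit(session: Session, page_origin: str, body: Dict[str, str]) -> Request:
    """Simulate the browser: the session cookie rides along whichever page issued the POST."""
    return Request("POST", "/account/password",
                   {"session_nonce": session.nonce}, body, origin=page_origin)


def change_password_cookie_only(req: Request) -> str:
    """Handler that trusts the session nonce alone: the design the post criticises."""
    s = SESSIONS.get(req.cookies.get("session_nonce", ""))
    if s is None:
        return "401 not logged in"
    s.password = req.body.get("new_password", s.password)
    return f"200 password changed for {s.user}"


def change_password_with_token(req: Request) -> str:
    """Hardened handler: the nonce identifies the session, but the body must carry the
    form token (unreadable cross-site) and the Origin must be ours (defence in depth)."""
    s = SESSIONS.get(req.cookies.get("session_nonce", ""))
    if s is None:
        return "401 not logged in"
    if req.origin != SITE_ORIGIN:
        return "403 cross-site origin"
    if not secrets.compare_digest(req.body.get("csrf_token", ""), s.form_token):
        return "403 missing or wrong form token"
    s.password = req.body.get("new_password", s.password)
    return f"200 password changed for {s.user}"


def demo() -> Dict[str, str]:
    """Run a legitimate and a forged submission through both handlers."""
    s = login("alice")
    legit = browser_submit(s, SITE_ORIGIN,
                           {"new_password": "N3w-pass", "csrf_token": s.form_token})
    forged = browser_submit(s, ATTACK_ORIGIN, {"new_password": "pwned"})
    return {
        "legit_cookie_only": change_password_cookie_only(legit),
        "forged_cookie_only": change_password_cookie_only(forged),  # accepted: cookie rode along
        "legit_with_token": change_password_with_token(legit),
        "forged_with_token": change_password_with_token(forged),    # rejected
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The form token only helps against a request forged from another page. Code running inside the logged-in browser itself (the "boy in the browser" case) can read the page, including the token, which is why the post treats that attack separately.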

At least with a boy-in-the-browser type of attack, attackers are limited to doing what Facebook and others already do... gaining personal information about you or using your account for spam.  There is a small measure that sites can take which stops the boy-in-the-browser attack: developers can keep the submit button deactivated until keyboard input has been received and validated in some way.

When using these super-sites you would be well advised to log out of them before going on a surfing session.