The way Facebook Notes handles HTML image tags could give an attacker the ability to launch distributed denial-of-service attacks against external servers, using the social network's massive infrastructure to amplify the attack.
Facebook Notes is a sort of Tumblr-like internal blogging feature built into the world’s largest social network. It lets users write, edit, and publish content in excess of Facebook’s 63,206 character limit imposed on status updates. Facebook lets users embed various HTML tags into their notes. However, the way that Facebook processes <img> tags could present serious problems for the sources and hosts of those images.
Independent researcher Chaman Thapa wrote on his personal blog earlier this week that whenever an <img> tag is used in Facebook Notes, the social network fetches the image from the external server where it is stored and caches it. He explains that Facebook only caches each image once, but the cache can be bypassed by appending random GET (query-string) parameters to the URL. This tricks Facebook into treating one image as many distinct images, so it fetches the single file from its origin once for every unique query string that targets it. Thapa claims that embedding larger files, such as PDFs or videos, amplifies the attack, since each fetch pulls the full file.
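The cache-busting mechanism Thapa describes, as an added simulation that is not code from his write-up or from Facebook. The note HTML, the crawler cache and the file size are constructed here; `build_note` and `simulate_crawl` are names chosen for this example. The crawler is modelled as a cache keyed on the full URL, which is the behaviour the article reports; `key_on_query=False` shows what keying the cache on the path alone would do instead.

```python
"""Simulate how unique query strings turn one embedded image into many
origin fetches.  Added example; not code from Thapa's write-up or from
Facebook.  The note HTML, the crawler cache and the object size are all
constructed here to illustrate the mechanism described above."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import random


class ImgSrcCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in a note body."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def build_note(target_url, copies, seed=0):
    """Constructed attacker note: the same file embedded `copies` times,
    each with a different random query string.  The query value means
    nothing to the origin server, but every URL looks like a new object
    to a cache keyed on the full URL."""
    rng = random.Random(seed)
    nonces = set()
    while len(nonces) < copies:          # guarantee the strings are unique
        nonces.add(f"{rng.getrandbits(48):012x}")
    tags = "".join(f'<img src="{target_url}?r={n}">' for n in sorted(nonces))
    return "<p>Nothing to see here.</p>" + tags


def simulate_crawl(note_html, object_size, key_on_query=True):
    """Walk the note's <img> tags as a crawler would and count origin
    fetches.  key_on_query=True keys the cache on the full URL (the
    behaviour the article describes), so every cache-busted URL misses.
    key_on_query=False drops the query string from the key, so the origin
    is hit once per host+path.  Returns (fetches, bytes_pulled_from_origin)."""
    collector = ImgSrcCollector()
    collector.feed(note_html)
    cache = set()
    fetches = 0
    for src in collector.srcs:
        parts = urlsplit(src)
        key = src if key_on_query else (parts.netloc, parts.path)
        if key in cache:
            continue                     # cache hit: origin not contacted
        cache.add(key)
        fetches += 1
    return fetches, fetches * object_size


if __name__ == "__main__":
    note = build_note("http://victim.example/report.pdf", 1000)
    size = 13 * 1024 * 1024              # a 13 MB PDF, as in the article
    print("full-URL cache key:", simulate_crawl(note, size))
    print("path-only cache key:", simulate_crawl(note, size, key_on_query=False))
```

The path-only variant removes the amplification but also breaks any legitimately dynamic image URL whose query string selects different content, which is the trade-off Facebook cites for declining to change the behaviour.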
Given enough GET requests, this could create a denial-of-service condition for the server hosting the file being crawled. With limited computing resources, Thapa managed to generate 900 Mbps of outgoing traffic from the target by compelling Facebook to crawl a 13 MB PDF file. Thapa claims that 12 of Facebook's servers attempted to fetch the PDF some 180,000 times.
Thapa reported the bug to Facebook. At first, he said, the company misunderstood the vulnerability, thinking it could only cause a 404 error, and that such an error did not constitute a high-impact bug. After some back and forth between Thapa and Facebook’s security team, the social network eventually conceded that the bug does in fact exist. They also told Thapa that his bug did not qualify for a bug bounty payment because they had no intention of fixing it:
“In the end, the conclusion is that there’s no real way to fix this that would stop ‘attacks’ against small consumer grade sites without also significantly degrading the overall functionality,” Thapa cites Facebook as having said. “Unfortunately, so-called ‘won’t fix’ items aren’t eligible under the bug bounty program, so there won’t be a reward for this issue.”
The representative did however offer the following consolation to Thapa:
“I want to acknowledge, however, both that I think your proposed attack is interesting/creative and that you clearly put a lot of work into researching and reporting the issue last month. That IS appreciated and we do hope that you’ll continue to submit any future security issues you find to the Facebook bug bounty program.”
Thapa says he reported the bug to Facebook on March 3. The above correspondence took place on April 11.
A Facebook spokesperson confirmed Thapa’s account of events to Threatpost.
“We appreciated this report and discussed it at some length. Ultimately, we decided against making changes to avoid disrupting intended and desirable functions,” the spokesperson said.
Thapa wrote that he is unsure why Facebook is choosing not to fix his bug. A source with technical understanding of bugs like this one explained to Threatpost that if a site were to receive large amounts of traffic in this manner, rate-limiting or blocking requests based on the crawler's user-agent string would be an effective defense.
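The user-agent based defense mentioned above, as an added example of the detection side; this is not code from the article, from Thapa or from Facebook. The access-log lines are constructed in Apache/nginx combined format, the crawler is assumed to identify itself with a user-agent string containing `facebookexternalhit` (adjust `CRAWLER_UA` for whatever crawler you actually see), and `find_cache_busting` and `should_throttle` are names chosen for this example. The signature it looks for is the one the article describes: one path requested many times by the crawler with many distinct query strings.

```python
"""Spot the cache-busting crawler pattern in web-server access logs and
decide which paths to rate-limit by user agent.  Added example; not code
from the article, Thapa or Facebook.  Log lines are constructed, and the
crawler user-agent string is assumed for illustration."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed crawler identifier; change this to match the crawler you see.
CRAWLER_UA = re.compile(r"facebookexternalhit", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def find_cache_busting(lines, min_hits=5, min_distinct_queries=5):
    """Group crawler requests by path with the query string stripped.  A
    well-behaved crawler fetching one embedded file hits it once; the
    same path hit many times with many distinct query strings is the
    amplification signature.  Returns findings sorted by bytes served."""
    stats = defaultdict(lambda: {"hits": 0, "queries": set(), "bytes": 0, "ips": set()})
    for line in lines:
        rec = parse_line(line)
        if not rec or not CRAWLER_UA.search(rec["ua"]):
            continue
        parts = urlsplit(rec["url"])
        s = stats[parts.path]
        s["hits"] += 1
        s["queries"].add(parts.query)
        s["bytes"] += rec["bytes"]
        s["ips"].add(rec["ip"])
    findings = []
    for path, s in stats.items():
        if s["hits"] >= min_hits and len(s["queries"]) >= min_distinct_queries:
            findings.append({"path": path, "hits": s["hits"],
                             "distinct_queries": len(s["queries"]),
                             "bytes": s["bytes"], "source_ips": sorted(s["ips"])})
    return sorted(findings, key=lambda f: f["bytes"], reverse=True)


def should_throttle(findings, byte_budget):
    """Policy hook: paths whose crawler traffic exceeded the byte budget.
    Feed these into a rate limit (or a 403) keyed on the crawler's user agent."""
    return [f["path"] for f in findings if f["bytes"] > byte_budget]


# Constructed sample log: 12 crawler hits on one 13 MB PDF, each with a
# unique query string, spread over three crawler IPs; one normal crawler
# fetch of a small image; and one browser request that must be ignored.
SAMPLE_LOG = [
    f'203.0.113.{10 + i % 3} - - [20/Apr/2014:10:00:{i:02d} +0000] '
    f'"GET /files/report.pdf?r={i:04x} HTTP/1.1" 200 13631488 "-" '
    f'"facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"'
    for i in range(12)
] + [
    '203.0.113.10 - - [20/Apr/2014:10:01:00 +0000] "GET /img/logo.png HTTP/1.1" '
    '200 4096 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"',
    '198.51.100.7 - - [20/Apr/2014:10:01:02 +0000] "GET /files/report.pdf?r=zz HTTP/1.1" '
    '200 13631488 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/28.0"',
]

if __name__ == "__main__":
    found = find_cache_busting(SAMPLE_LOG)
    for f in found:
        print(f)
    print("throttle:", should_throttle(found, byte_budget=100 * 1024 * 1024))
```

Keying the decision on the user agent rather than on source IP matters here because, as the article notes, the fetches arrive from many of the crawler's servers at once; a per-IP limit would see only a slice of the traffic.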
“I’m not sure why they are not fixing this,” Thapa wrote. “Supporting dynamic links in image tags could be a problem and I’m not a big fan of it. I think a manual upload would satisfy the need of users if they want to have dynamically generated image on the notes.”