Hackers can apparently exploit vulnerabilities in Facebook and Google to perform distributed denial-of-service (DDoS) attacks on target websites — and neither Internet giant seems overly concerned, according to the developer who alerted the two companies to the problems.
"Both of the problems are quite serious for two reasons: 1) the ease in which the attacks can be executed and 2) the huge traffic volume these kinds of attacks can potentially generate.
The traffic would be very troublesome for most websites. Both Facebook and Google individually are close to Gigabits per second, maybe more. Combining them would be even more devastating," Chaman Thapa told CMSWire.
Thapa, "a software enthusiast who loves programming and solving problems," detailed the problems he uncovered with both sites on A Programmer's Blog and the DEFCON Hacking Page on Facebook. He claims Google Spreadsheets and Facebook Notes can be used to "DDoS any website."
And neither Facebook nor Google is arguing that Thapa is wrong.
The warning comes just weeks after hackers used a novel technique to get thousands of online video viewers to unwittingly bombard a B2B website with junk traffic. Incapsula, a web security firm, said the attack resulted from a persistent cross-site scripting (XSS) vulnerability on one of the biggest and most popular video sites on the web.
Last week, Incapsula co-founder Marc Gaffan refuted popular misconceptions that the site in question was either Youtube.com or Xvideo.com. Rather, he announced, it was Sohu.com, China’s eighth largest website and the 27th most visited website in the world.
"Sohu was exploited in such a way that its visitors were herded into becoming a giant botnet that was used to attack others, and the volume of attackers made it hard to defend against," Gaffan told CMSWire.
With the Facebook and Google bugs, an attacker does not have to wait for end-users to visit the Notes or Spreadsheet. As Chaman explained:
"The attacker is hiding behind Facebook and Google’s bandwidth to do a traffic amplification attack. So an attacker will be generating a 20 Mbps load on Facebook, but that in return will consume the bandwidth at the rate of several hundred Mbps on the target side. There is no need to use any social engineering tactics to lure people to click on Notes, but if one does then the attack may be even more devastating as more Facebook servers that are geographically spread might then be involved in the attack."
While the technical details are different, they are equally worrisome to brands and companies that could become potential victims of the hacks.
'It's Not a Bug'
Chaman reported the vulnerabilities to both Facebook and Google. Both companies have bug bounty programs, which reward security researchers for warning about potential threats. Both companies thanked him for his interest, but denied the issues were really "bugs."
Google termed the issue a potential brute force denial of service, which isn't included in its bug bounty program. It has a fix, but has not yet confirmed if it has been deployed.
Facebook told him:
"Thank you for being patient and I apologize for the long delay here. This issue was discussed, bumped to another team, discussed some more, etc. In the end, the conclusion is that there’s no real way for us to fix this that would stop 'attacks' against small consumer grade sites without also significantly degrading the overall functionality. Unfortunately, so-called 'won’t fix' items aren’t eligible under the bug bounty program, so there won’t be a reward for this issue. I want to acknowledge, however, both that I think your proposed attack is interesting/creative and that you clearly put a lot of work into researching and reporting the issue last month. That IS appreciated and we do hope that you’ll continue to submit any future security issues you find to the Facebook bug bounty program."
Contacted today by CMSWire, a Facebook spokesperson confirmed that it "appreciated this report and discussed it at some length." But ultimately the company decided against making changes to avoid disrupting intended and desirable functions.
In other words, fixing the bug might interfere with your ability to, say, upload your latest selfie?
Google has not yet responded to requests for comment.
So if you have a website — or responsibility for marketing a brand or company online — what should you do?
"Many small-to-medium businesses and blogs can be affected by these kinds of issues. And it can be frustrating for the targets to have these kinds of attacks from legitimate sources like Facebook and Google," Chaman said.
Websites can protect themselves by blocking the Facebook and Google user agents, since the two fetchers announce themselves as facebookexternalhit and feedfetcher-google, he added.
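As an added illustration (not from the article or from Thapa's write-up) of the user-agent based defence just described, this Python snippet parses combined-format access logs, attributes requests to the two fetcher user agents named above, and flags any minute in which one of them exceeds a request threshold, so a site owner can tell a burst of fetcher traffic from the occasional link preview before deciding to block or rate-limit it. The log lines, file sizes and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Parser for the combined log format written by nginx/Apache.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Names the two fetchers announce themselves with, per the article.
FETCHER_UAS = ("facebookexternalhit", "feedfetcher-google")

def classify(ua):
    """Return which fetcher a User-Agent belongs to, or None for ordinary clients."""
    return next((name for name in FETCHER_UAS if name in ua.lower()), None)

def parse(line):
    """Parse one log line into timestamp, user agent and bytes served; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    return {"ts": ts, "ua": m.group("ua"), "size": size}

def fetcher_bursts(lines, per_minute_threshold=20):
    """Return [(fetcher, 'YYYY-MM-DD HH:MM', requests, bytes)] for minutes at or above the threshold."""
    buckets = defaultdict(lambda: [0, 0])  # (fetcher, minute) -> [requests, bytes]
    for line in lines:
        rec = parse(line)
        who = classify(rec["ua"]) if rec else None
        if who is None:
            continue
        key = (who, rec["ts"].strftime("%Y-%m-%d %H:%M"))
        buckets[key][0] += 1
        buckets[key][1] += rec["size"]
    return sorted((who, minute, n, b) for (who, minute), (n, b) in buckets.items()
                  if n >= per_minute_threshold)

def sample_log():
    """Constructed sample (assumption, not real traffic): 25 Facebook fetches of a 10 MB file in one minute, plus ordinary hits."""
    fb = ('203.0.113.{i} - - [14/Apr/2014:10:15:{i:02d} +0000] "GET /large.pdf?x={i} HTTP/1.1" '
          '200 10485760 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"')
    lines = [fb.format(i=i) for i in range(25)]
    lines.append('198.51.100.7 - - [14/Apr/2014:10:15:30 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    lines.append('198.51.100.8 - - [14/Apr/2014:10:15:31 +0000] "GET /feed HTTP/1.1" 200 2048 "-" '
                 '"Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"')
    return lines

if __name__ == "__main__":
    print(fetcher_bursts(sample_log()))
```

Lowering the threshold to 1 lists every fetcher minute, which is useful for seeing baseline preview traffic before choosing a blocking or rate-limit level.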
While these issues may not technically qualify under the Facebook and Google bounty programs, Incapsula's Gaffan said he "strongly believes that if these exploitations become widely used, Facebook and Google (and other services that have similar functions) will have to deal with it."
Here are some things Gaffan said can be done by such services to avoid being exploited:
- Allow webmasters to add something like "DISABLE STATIC RESOURCE QUERIES" or "DISABLE REQUEST FROM NOTES" to robots.txt (or via another API).
- Limit the number of <img> tags in a Note.
- Limit the number of <img> tags per domain in a Note.
- Disable third-party resource fetching in Notes.
- Rate-limit user/session/IP access to safe_image.php.
Here are some things that can be done by such services to help DDoS mitigation services or the target website owners defend against such exploitation:
- Add "Requesting IP/User" to the request header.
- Add "Request for a Note" to the request header.
What happens next is anyone's guess. But some people, like Joey Fontiveros, apparently already know. As he wrote on the DEFCON Hacking Conference page, "Now it's my turn to play with it. Nice one!"