Adrienne Felt, Pieter Hooimeijer, David Evans, Westley Weimer.
First International Workshop on Social Network Systems, Glasgow, Scotland, April 2008. (PDF, 6 pages)
Social networks are increasingly supporting external content integration with platforms such as OpenSocial and the Facebook API. These platforms let users embed third-party applications in their profiles and are a popular example of a mashup. Content integration is often accomplished by proxying the third-party content or importing third-party scripts. However, these methods introduce serious risks of user impersonation and data exposure. Modern browsers provide no mechanism to differentiate between trusted and untrusted embedded content. As a result, content providers are forced to trust third-party scripts or ensure user safety by means of server-side code sanitization. We demonstrate the difficulties of server-side code filtering — and the ramifications of its failure — with an example from the Facebook Platform. We then propose browser modifications that would distinguish between trusted and untrusted content and enforce their separation.
The Facebook Chronicles (provides details on the cross-site scripting vulnerability described in Section 3 of the paper)
Related white paper: Adrienne Felt, Defacing Facebook: A Security Case Study [PDF], August 2007.
In a related project, we are also exploring Privacy Protection for Social Networking APIs.