Security/Reviews/Gaia/FacebookIntegration

From MozillaWiki

App Review Details

Bug 941199

Overview

The Facebook integration code is primarily about integrating Facebook in the Contacts application. It allows you to import Facebook contacts and after that also use Facebook features from the Contacts app.

Contacts imported from Facebook carry a lot of metadata in the Gaia contacts database: birthday, email addresses, phone numbers, addresses and profile picture.

When on a contact detail page in the contacts app, a Facebook contact will have three additional options:

  • Send Private Message
  • Post to Wall
  • View Facebook Profile

We do not provide UI for those features. They simply open a page at https://m.facebook.com instead.

The connection to Facebook can be triggered in three ways:

  • In the FTU code there is a screen that asks if you want to connect to Facebook
  • In the Contacts app settings screen you can flip a switch to enable Facebook
  • The dialer app allows you to open the Contacts list, which allows you to get to the settings

(Mentioning the dialer here is relevant since all apps are really the same Communications app)

In this case, 'connecting to Facebook' really means that we ask the user to log in to Facebook and then connect to the custom Facebook app hosted by the partner. That gives us an OAuth token which can be used for further API calls to Facebook.

Architecture

Components

The Facebook integration consists of a number of HTML pages for importing contacts and an alarm handler to periodically sync in the background.

Relevant Source Code

The main source code is contained at:

The following files have been looked at for this review:


In communications:

  • ./contacts/js/fb/fb_contact.js - Encapsulates the logic to obtain the data for a DB Contact
  • ./contacts/js/fb/fb_contact_utils.js - Utilities to get/display contacts info
  • ./contacts/js/fb/fb_data.js - Defines proxy methods for fb_data_reader
  • ./contacts/js/fb/fb_init.js - Loads the Facebook settings from contacts/config.json
  • ./contacts/js/fb/fb_link.js - Asks to link a contact to a Facebook friend and manages the link proposals
  • ./contacts/js/fb/fb_link_init.js
  • ./contacts/js/fb/fb_messaging.js - Posts a message on the wall, sends a private message
  • ./contacts/js/fb/fb_query.js - Performs FQL queries through FB APIs to get friends
  • ./contacts/js/fb/fb_utils.js
  • ./contacts/js/fb/friends_list.js - Friends list renderer

[[File:Facebook api access.jpg]]

Sync Facebook friends (update an existing imported contacts list):

  • ./facebook/js/console.js - Send log/error post messages
  • ./facebook/js/curtain.js - UI to display state messages when authenticating to FB (fb_oauth_frame) and when searching contacts (contacts/js/fb/fb_link.js)
  • ./facebook/js/facebook_connector.js - Handles retrieved contacts data from FB
  • ./facebook/js/fb_oauth_frame.js
  • ./facebook/js/fb_sync.js - Starts the sync worker and saves the new data to the cache
  • ./facebook/js/fb_sync_init.js - Manages alarms to wake up FB sync
  • ./facebook/js/sync_worker.js - Processes the queries to sync data

[[File:Facebook_sync_friends.jpg|700px]]

  • ./ftu/js/services_launcher.js

Shared code (using the DataStore API in Contacts and later in SMS):

  • shared/js/fb/fb_data_reader.js - Reader module for FB data in Datastore
  • shared/js/fb/fb_reader_utils.js
  • shared/js/fb/fb_request.js - request auxiliary object to support asynchronous calls
  • shared/js/fb/fb_tel_index.js - Prefix tree for FB tel numbers


Permissions

Web Activity Handlers

Web Activity Usage

redirections:

 "redirects": [
   {"from": "facebook",
    "to": "/redirects/redirect.html"},
   {"from": "facebook_dialogs",
    "to": "/redirects/dialogs_end.html"},
   {"from": "facebook_logout",
    "to": "/redirects/logout.json"}
 ]

The destinations of these redirections are specified in /build/communications_services.json.


System messages

alarms:

 "messages": [
    { "alarm": "/facebook/fb_sync.html" }
 ]

Used in fb_sync_init.js: the alarm wakes up a FB sync.

Post Messages

Post Messages are used internally in the scope of app://communications.gaiamobile.org.

Notable Event Handlers

Facebook Permissions

The Facebook app for Contacts requires the following permissions:

  • Your basic info
  • Friends' profile info: descriptions, birthdays, hometowns, locations and work histories

Code Review Notes

1. XSS & HTML Injection attacks

The Facebook integration code borrows a really nice template engine from the Contacts app. Unfortunately the template engine does no HTML escaping. This means that the code calling the engine MUST be absolutely sure that the content that will be put in the template is already properly sanitized.

TODO: I do not think the data taken from the Facebook API is sanitized before it is inserted into the document. Is it fair to assume that Facebook cleans things up? I doubt it.
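To make the risk concrete, here is an added example (not Gaia's template engine and not code from the review): a minimal "{{field}}" substitution engine of the kind described, which copies values verbatim, next to a hardened variant that HTML-escapes every value inside the engine so no caller can forget to sanitize. The template syntax, the escapeHTML helper and the sample friend record are all constructed for the illustration.

```javascript
// Added example (not Gaia code): a minimal "{{field}}" template engine of the kind
// the review describes, which substitutes values verbatim, next to a hardened
// variant that HTML-escapes every value. Template syntax and data are constructed.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or attribute context.
function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Unsafe: whatever is in the data lands in the markup unchanged.
function renderUnsafe(template, data) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, key) =>
    Object.prototype.hasOwnProperty.call(data, key) ? String(data[key]) : '');
}

// Hardened: escaping happens inside the engine, so no caller can forget it.
function renderEscaped(template, data) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, key) =>
    Object.prototype.hasOwnProperty.call(data, key) ? escapeHTML(data[key]) : '');
}

// Constructed sample: an imported friend record whose fields carry markup,
// as untrusted API data might.
const SAMPLE_FRIEND = {
  name: 'Alice <script>alert(1)</script>',
  hometown: 'Madrid & "Lisbon"',
};

const FRIEND_TEMPLATE =
  '<li><span class="name">{{name}}</span> <span class="hometown">{{hometown}}</span></li>';

// Render the same record both ways so the difference is visible.
function renderBothWays() {
  return {
    unsafe: renderUnsafe(FRIEND_TEMPLATE, SAMPLE_FRIEND),
    safe: renderEscaped(FRIEND_TEMPLATE, SAMPLE_FRIEND),
  };
}

console.log(renderBothWays());
```

The point of the hardened variant is where the escaping lives: when it is part of the engine, the contract the review worries about ("the caller MUST be absolutely sure the content is sanitized") no longer has to be honoured at every call site. Values that legitimately contain markup would then need an explicit, separately reviewed raw-insertion path.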

2. Secure Communications

The code talks to the following Facebook APIs:

There is a serious issue with the OAuth dialog: although the initial request is secure, Facebook redirects us back to an insecure login.php page. That page and its assets, including scripts, are all loaded over an insecure connection. The entered credentials are posted back over a secure connection, but at that point an attacker could already have injected or proxied malicious code into the page.
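The check a reviewer would want to automate for this finding, as an added example that is not part of the review or of Gaia: walk a captured redirect chain and flag every hop, and every sub-resource the landing page loads, that is not served over https, and confirm the chain ends on the expected host. The chain below is constructed to mirror the finding (a secure dialog request followed by a plain-http login.php); the client_id value is a placeholder and no real URLs were captured.

```javascript
// Added example (not Gaia code): audits a captured OAuth redirect chain the way the
// review reasons about it. Every hop and every sub-resource the landing page loads
// must be https, and the chain must end on the host the app expects. The hops below
// are constructed to mirror the finding; no real Facebook URLs were captured.

const EXPECTED_FINAL_HOST = 'm.facebook.com';

// hops: [{ url: string, assets?: string[] }]; assets may be relative to the hop URL.
function auditOAuthChain(hops, expectedFinalHost) {
  if (hops.length === 0) return ['empty chain: nothing to audit'];
  const findings = [];
  hops.forEach((hop, i) => {
    const page = new URL(hop.url);
    if (page.protocol !== 'https:') {
      findings.push(`hop ${i}: page ${page.href} is loaded over ${page.protocol.slice(0, -1)}`);
    }
    // A mixed-content script on the login page is as bad as an insecure page.
    for (const asset of hop.assets || []) {
      const res = new URL(asset, page);
      if (res.protocol !== 'https:') {
        findings.push(`hop ${i}: asset ${res.href} is loaded over ${res.protocol.slice(0, -1)}`);
      }
    }
  });
  const last = new URL(hops[hops.length - 1].url);
  if (last.hostname !== expectedFinalHost) {
    findings.push(`final hop lands on ${last.hostname}, expected ${expectedFinalHost}`);
  }
  return findings;
}

// Constructed chain: a secure dialog request followed by an http login page
// that pulls a relative (therefore also http) script.
const SAMPLE_CHAIN = [
  { url: 'https://m.facebook.com/dialog/oauth?client_id=APP_ID_PLACEHOLDER' },
  { url: 'http://m.facebook.com/login.php',
    assets: ['/rsrc.php/login.js', 'https://static.example/style.css'] },
];

function auditSampleChain() {
  return auditOAuthChain(SAMPLE_CHAIN, EXPECTED_FINAL_HOST);
}

for (const finding of auditSampleChain()) console.log(finding);
```

Relative asset URLs are resolved against the page that loads them, which is why a script referenced as "/rsrc.php/login.js" from an http page is reported even though the reference itself names no scheme.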

Each OEM will have to register its own Facebook application, so there will be many Facebook applications backing all the different Firefox OS phones.

I am not sure if the app correctly escapes incoming contact data received from the Facebook API. Filed the following bug for someone to confirm:

  • bug 851213 Facebook import screen does not seem to escape contact data

3. Secure data storage

Uses a datastore:

 "datastores-owned": {
   "Gaia_Facebook_Friends": {
     "description": "Imported Facebook Friends"
   }
 }


The Facebook integration code caches Facebook contacts. It caches the raw Facebook API record, which might contain a bit more info than is actually used by Gaia for the contacts.

This datastore can only be accessed by certified apps, that is, Firefox OS core apps like Dialer or SMS.

It also stores the OAuth token in asyncStorage (an async wrapper around IndexedDB).

A number of basic bookkeeping values are also stored in asyncStorage, like the number of facebook friends, the time last updated, etc.

Since that data lives in IndexedDB, it cannot be accessed outside the application's scope.
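The review notes that the cache holds the raw Facebook API record, which carries more than Gaia actually uses. One mitigation is to minimise the record before it reaches the datastore. As an added example (not Gaia code), this keeps only a whitelist of fields matching what the overview says the Contacts app stores; the raw field names (uid, pic_big, relationship_status and so on) are assumptions standing in for whatever the FQL query returns, and the sample record is constructed.

```javascript
// Added example (not Gaia code): keeps only the fields the Contacts app actually
// uses (per the overview: name, birthday, emails, phone numbers, addresses and the
// profile picture) before a friend record is cached. The raw field names are
// assumptions standing in for whatever the FQL query returns, not Gaia's schema.

const CACHED_FIELDS = ['uid', 'name', 'birthday', 'email', 'phone', 'address', 'pic_big'];

// Whitelist copy: anything not on the list never reaches the datastore.
function minimizeFriendRecord(raw) {
  const kept = {};
  for (const field of CACHED_FIELDS) {
    if (raw[field] !== undefined) kept[field] = raw[field];
  }
  return kept;
}

// Report what the whitelist discarded; useful when reviewing a changed query.
function droppedFields(raw) {
  return Object.keys(raw).filter((k) => !CACHED_FIELDS.includes(k));
}

// Constructed raw record with extra fields the app never displays.
const SAMPLE_RAW_FRIEND = {
  uid: '100000000000001',
  name: 'Alice Example',
  birthday: '01/02/1990',
  email: 'alice@example.invalid',
  pic_big: 'https://example.invalid/alice.jpg',
  relationship_status: 'Single',
  religion: 'undisclosed',
  political: 'undisclosed',
};

function minimizeSample() {
  return {
    kept: minimizeFriendRecord(SAMPLE_RAW_FRIEND),
    dropped: droppedFields(SAMPLE_RAW_FRIEND),
  };
}

console.log(minimizeSample());
```

A whitelist (copy what is known to be needed) rather than a blacklist (delete what is known to be sensitive) is the safer shape here: when Facebook adds a field to the API response, it is dropped by default instead of being cached on every certified-app-readable device.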

4. Denial of Service

5. Use of Privileged APIs

The code uses XMLHttpRequest with the mozSystem flag to make calls to the Facebook API.

6. Interfaces with other Apps/Content

7. Cross Origin Message Attacks

Security Risks & Mitigating Controls

Summary

Bugs that need attention:

  • bug 851213 Facebook import screen does not seem to escape contact data