Title: Facebook Inbox Message Disclosure Vulnerability
Published: June 24th 2010
Credit: Ryan MacDonald
Severity: Information/Privacy Disclosure
Vulnerable: Facebook Messaging System BigPipe Performance Pipelining
Summary: A vulnerability exists in Facebook's messaging system that allows an attacker to view the addressed users, the subject, and the inbox preview text (120 characters) of the message contents for the most recently sent/received messages (last 6) on a user's account.
Technical Details: BigPipe pipelining JavaScript code embedded in the source code of ALL PAGES under the “messages” section of Facebook preloads message data that can be read arbitrarily by malicious client-side JavaScript or other client-side objects. The offending JavaScript is specifically the big_pipe.onPageletArrive call that delivers the mailBoxItems value. This object loads into the page source the data for messages contained in the user's inbox, including sender, receiver, subject, and the inbox preview text of the message contents.

The impact of this vulnerability is limited by the preview text being 120 characters in length (excluding the subject and sender/receiver names) and by only the last 6 messages being contained in the mailBoxItems value. However, this should not detract from the seriousness of the vulnerability: an attacker can and would still gain intimate knowledge of a user's recent activity, including otherwise private/sensitive message contents.
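As an added example (not Facebook's code, and not part of the original advisory), the following audit scans an HTML response for big_pipe.onPageletArrive payloads and reports which private message fields and how much preview text are shipped inline in the page source, so a regression check can fail a build that preloads inbox contents. The payload layout, the field names, and the sample response are constructed assumptions; the real mailBoxItems structure was not published.

```javascript
// Added audit example (not Facebook's code): find big_pipe.onPageletArrive(...)
// payloads in an HTML response and report private message fields preloaded
// into the page source. Payload layout below is a constructed assumption.

// Constructed sample response: one pagelet is harmless, one preloads mailBoxItems.
const SAMPLE_HTML = `<html><body>
<script>big_pipe.onPageletArrive({"id":"pagelet_nav","content":{"html":"<div>nav</div>"}});</script>
<script>big_pipe.onPageletArrive({"id":"pagelet_inbox","mailBoxItems":[
 {"sender":"Alice Example","recipients":["Bob Example"],"subject":"Re: rent","preview":"Can you send the deposit by Friday? The landlord..."},
 {"sender":"Bob Example","recipients":["Alice Example"],"subject":"(no subject)","preview":"call me"}
]});</script>
</body></html>`;

// Return the text inside the balanced (...) group that starts at index `start`,
// ignoring parentheses that appear inside string literals. Returns null if unbalanced.
function balancedArg(src, start) {
  let depth = 0, inStr = null;
  for (let i = start; i < src.length; i++) {
    const c = src[i];
    if (inStr) {
      if (c === '\\') i++;                  // skip the escaped character
      else if (c === inStr) inStr = null;
    } else if (c === '"' || c === "'") inStr = c;
    else if (c === '(') depth++;
    else if (c === ')' && --depth === 0) return src.slice(start + 1, i);
  }
  return null;
}

// Fields that must never be preloaded into page source (assumed names).
const PRIVATE_FIELDS = ['sender', 'recipients', 'subject', 'preview'];

// For every onPageletArrive payload carrying mailBoxItems, record which private
// fields each item exposes and how many preview characters are readable.
function auditPreloadedInbox(html) {
  const findings = [];
  const marker = 'big_pipe.onPageletArrive';
  for (let at = html.indexOf(marker); at !== -1; at = html.indexOf(marker, at + 1)) {
    const arg = balancedArg(html, at + marker.length);
    if (arg === null) continue;
    let payload;
    try { payload = JSON.parse(arg); } catch (e) { continue; } // non-JSON payloads are skipped
    if (!Array.isArray(payload.mailBoxItems)) continue;
    for (const item of payload.mailBoxItems) {
      findings.push({
        pagelet: payload.id,
        exposed: PRIVATE_FIELDS.filter(f => f in item),
        previewLength: typeof item.preview === 'string' ? item.preview.length : 0,
      });
    }
  }
  return findings;                          // non-empty means inbox data is in page source
}
```

A CI check would fail when `auditPreloadedInbox(response)` returns any finding, or when a finding's `previewLength` exceeds what the product intends to expose.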

Successful exploitation of this vulnerability requires that the target user click a link of some form in order to initiate the malicious JavaScript or object; however, this is easily achievable with misleading and enticing links. The simplest exploitation of this vulnerability would take the form of a malicious user sending a link that, when clicked by the recipient, would read the exposed portion of the parent window's source code and send it to a remote destination, or Facebook's own messaging system could be invoked by the JavaScript to automatically send the source contents back as a reply.