
BSidesMCR 2019: Metadata Piggybacking: A Look Into Open Graph Abuse - Charlie Hosier

BSides Manchester · 22:24 · 99 views · Published 2019-09

Transcript [en]:

Okay, hi, thank you for coming to see my talk, Metadata Piggybacking: A Look into Open Graph Abuse. So, who am I? This is my first talk at a conference. I'm soon to be a junior security consultant at NCC Group; I start on Monday, so it's an exciting time. Apart from that, I've done a lot with the Cyber Security Challenge, I'm part of Team UK, and we're competing in Bucharest in October.

So what is Open Graph? The definition: the Open Graph protocol is simply a method of including meta information in a web page to allow Facebook to accurately represent the page's content when it is linked to on Facebook. Essentially, if you've ever sent a link on a social media platform and it kind of turns that link into more of a pretty object that you can look at, this is the Open Graph protocol. Its history: it was first introduced in 2010. It was created by Facebook, for Facebook, to do this, but now it's widely used by most social media outlets, so Twitter, Discord, any sort of application where you can send a link will most likely use Open Graph. Some applications have developed their own versions, for example you can use Twitter Cards, and this will create these kinds of objects specifically for certain applications. Its purpose: it allows a social media platform to create an aesthetically pleasing object, so instead of sending a raw hyperlink you can send something that you can look at. It looks a bit better in the application, but it also gives you an insight into the information that's on the page you'll visit and what content might be displayed.

How it works: in your HTML you will have your head tags. Within these head tags you can put these metadata tags, and if you set the property to one of the Open Graph property tags, which are og:title, og:url, og:description (there are a few more which you can use), you can begin to customise these. Then what happens is you have a parser: when you post a link on the social media platform, the parser will crawl your page, look for these meta property tags, and then create the object based off the tags that are there. So here you can see this is your HTML, and within that you have the meta property tags; you've got all of these, which are all tags that can be used in a metadata object, in an Open Graph object. Interestingly, on this particular example you can also see the Twitter Cards which I mentioned as well, and that's how it looks within the HTML.

How it looks: on Facebook, for instance, once you post one of these Open Graph objects, or once you post a link, it will come up like this. This is BSides Manchester. From the metadata tags you have og:image, which is the big image that you can see, you then have a title, a description, and you can also customise it in a few other ways as well, but this is the basic Open Graph object and how it works.

The parsers: different applications will have different parsers. When you post a link it will crawl your website and it will find the tags which it's going to use for the Open Graph object. So here you can determine these using the user agent: Facebook will have facebookexternalhit, Twitter is Twitterbot, and Discord is Discordbot, and the different applications will use different bots. What you can begin to do as well is, if you have a website and you want to see who's speaking about your website, you can begin to footprint which sites your website has been posted on based on the user agent of the bots that then crawl your website.

Abusing the parsers: we want to look into abusing this and how we can control these objects. We've got these traditional spoofing methods: since these objects are basically created from the HTML code on a website, there's nothing stopping you basically ripping the tags from one website and putting them on your own and then creating your own object of that particular website. So first, for example, here we have BSides Manchester and the metadata property tags that are there, and then I put them on my own website, reversetextile.info/spoofed.php, and you can see that the object that's been created is pretty much the same; apart from the URL, the object's the same. This introduces the URL visibility. What is stopping you from just basically making an object look exactly like one website, and then when you click it you go to the other website? It's this URL visibility. When you merely rip the metadata from one site and put it on your own, you have this which is stopping this kind of spoofing, and it's this string of text that stops that.

Introducing metadata piggybacking: what if we can actually control that URL visibility, so that we can create an Open Graph object which looks exactly like one website, but when you click it, it redirects elsewhere? The idea of piggybacking is: when you do Wi-Fi piggybacking, this is using someone else's Wi-Fi; you're not necessarily stealing anything from anyone else, you're just using it. That's why I've used the term piggybacking, because with this we're going to be using someone else's metadata tags, but we're not actually going to be taking them and putting them anywhere else; it's just a case of redirecting to them.

Just a quick look at a few parser issues, or functionality. Often these parsers will follow redirects. This is probably for the reason that if you post a link to a site over HTTP it most likely redirects to HTTPS, so the parser will follow that redirect, because it wants to parse the HTML and not just a page which has the 301 redirect on it. But then what it will do is set the URL visibility in the object to the place that it's finally reached. So if it follows a redirect chain, it will then put the URL that it reaches at the end of the redirect in the object, which is fine. However, if we combine this with the fact that Open Graph objects are often cached in applications: to avoid overworking these processes, the web application will cache the object, so that if one person sends a link to a Twitter post, for example, and then another person sends a link to the same Twitter post, and lots of people are talking about this particular Twitter post, then you're not going to have a bot which keeps hitting Twitter; you've done it once, and then it will reach into the cache for this object. However, when you combine these two things together it creates a kind of issue.

What it allows us to do is create these malicious objects. Here you've got an Open Graph object of BSides Manchester; however, essentially, once you click it, you're capable of changing where it goes to, so that it will redirect to a malicious site. The process of doing this is fairly easy and straightforward. First we create a web page which redirects to the target site, so if we're trying to mimic, for example, Facebook, I just redirect to Facebook on my website. Then when the bot crawls my website it follows the redirect, then parses the HTML, the tags for Facebook, with them. We then post a link onto the social media platform, the bot will crawl this and it will create the Open Graph object, and then all we need to do is simply change the redirect. So now instead of redirecting to Facebook it redirects elsewhere, and because the Open Graph object is cached, when a user then sees that Open Graph object they're going to see that it looks like it redirects to Facebook, but actually it'll redirect elsewhere.

This is what the final result looks like. Here, for example, I've got a link to a YouTube video, and when you click the information it comes up. Everything about this particular Open Graph object appears to be redirecting to YouTube, and you can see that the URL visibility as well is youtube.com, except once you actually visit the link it goes elsewhere and you've been phished. This works cross-platform as well: the Open Graph protocol has been designed to work cross-platform, and that means this attack also works. However, on certain mobile applications, sometimes if you have a YouTube video it will open it in the YouTube app; other times it will work as I've just demonstrated.

Gaining trust: the problem with this is that these Open Graph objects are generated server-side, so as a user you know that that object's been generated by the application, and therefore you're more likely to trust that link, and trust where it's saying the link is going to go to. And because of the URL visibility which comes up, you're like, okay, that's the final destination; it kind of legitimises the link that you're visiting. If we can control that URL visibility, like I've demonstrated, then it's kind of difficult, because the user now has the trust of the application and where it's going, and then if you take them elsewhere they're less likely to check that they're actually being taken to the website which is in the Open Graph object.

So why is this an issue? If your user implicitly trusts the link they're visiting, then you can deliver malicious content and phishing. You can also use the objects as an aid to the social engineering process, because it looks exactly how you want it to, so if you are targeted on Facebook, for instance, in a phishing campaign, it looks like that link is a link to Facebook. Then you can use that in your social engineering, and you can also use this to bypass certain controls: you've got link filters for phishing, and using this Open Graph redirect, because you're not initially sending the link to the phishing site straight away, but instead it caches it and then you change the redirect to redirect to the phishing site, you can bypass link filters of this sort.

Who is affected? If we just have a look at which applications are affected by this issue, this brings up a few different ways that the applications are dealing with it; however, it appears that with this sort of quite minor thing a lot of applications seem to be vulnerable. Discord: Discord creates an Open Graph object; however, with Discord there isn't a URL visible in the Open Graph object, so when you send the link you create an Open Graph object, but within the object you have no URL visibility. However, with Discord you can't send only the Open Graph object; you have to send the hyperlink as well as the Open Graph object, which means that the user can always see the exact link that they are actually visiting. Facebook: you can send an Open Graph object, the URL visibility is of the final destination after a redirect, which means you can change where it looks like it's going to, and it also sends only the Open Graph object. Slack is interesting, because you can send an Open Graph object and it shows the URL visibility after the redirect; however, with Slack you have to send the hyperlink in the message, the link that it's going to initially. However, if you just go back and edit the message, then you no longer need to send the message, and the Open Graph object will remain on the platform. Twitter and LinkedIn are similar to Facebook in the sense that you can send an Open Graph object, you have the URL visibility, and you can also send only an Open Graph object.

Just a few examples. You've got Discord: here you can see that the top one is the legitimate link to BSides Manchester and the bottom one is my evil.php, and you can see that the Open Graph object that's created is exactly the same; however, you have to send the hyperlink alongside the Open Graph object. Facebook: again, here there's no difference between the two Open Graph objects; however, one of them redirects to a malicious page and the other doesn't. Slack: here's the example of Slack, so on the left you have the original link to BSides Manchester, and then on the right, at the top, you have the original message that you send, and you have to send the hyperlink alongside it. However, if you then just edit the message, you no longer have the hyperlink, and the Open Graph object has the URL visibility of BSides Manchester, yet it redirects elsewhere. Again, Twitter: similar to Facebook, the Open Graph objects are exactly the same. And finally LinkedIn: the Open Graph objects again are the same. Here, I thought I'd put this in because it threw me off when I was doing this and creating these Open Graph objects: when I first posted the BSides Manchester link it came up with the Open Graph object for BSides Manchester 2017, which was interesting. I just thought I'd use it as a demonstration of the caching, so up until that point, if you posted a link to the BSides Manchester page it would always have come up with that particular object, even though the actual content and the Open Graph object that should have been created was this one.

The impact: often the impact of this doesn't necessarily affect the vendor themselves, but it's their users' data that's at risk. So if it's their users that are being attacked, and it's their email, say, that an attacker is trying to get, then it's actually the vendor's application that is the delivery method, because it creates these Open Graph objects, and if you control the URL visibility you can gain trust quite easily. However, if it's being used to bypass link filters, this is when it... so I'll go through a quick use case. The technique would most likely be used to deliver a phishing campaign; however, it can also be used to bypass link filters, as I've said.

So, "me wrong-o 98": this is a Twitter account who absolutely loves the Guardian; all down their Twitter feed are links to the Guardian. If we take one, "Are you enjoying your city break?", theguardian.com, and look at the redirect chain for this, you can see that it goes through Twitter's URL shortening to Rebrandly, to another shortened link, and then finally to blissful Fenian blah blah blah, which certainly isn't the Guardian. What they've done here is they've used the service Rebrandly to set a redirect first to the Guardian site, then posted the link on Twitter, and then afterwards they've changed the redirect so that it now redirects to this link instead. Rebrandly is a service that basically allows you to shorten URLs, but then you can go in and change where the shortened URL redirects to. Who wants to see what blissful Fenian actually is? So this is what blissful Fenian actually is: certainly not "Are you enjoying your city break?", my wife says.

I'll just quickly touch on the industry response. I reported this to both Facebook and Twitter, and both of them have said it's not really critical enough to fix, but my argument is that it's not necessarily affecting you, but your users' data is at risk, because the majority of people would see one of these Open Graph objects and sincerely trust that it's going to redirect them and take them to where the URL visibility says.

So some key takeaways. When it's so easy to create these malicious objects, we need to have an understanding that just because it's created server-side, it's not necessarily going to take us exactly where we think it's going to take us. And then the impact: the impact of this isn't necessarily on the platform which has the issue, because if they're using that platform as a method of delivery then it's kind of everyone's issue, and the trust we have in these objects is quite a lot. And finally, this technique is being used in the wild, and given the trust the user has in the Open Graph objects, if it was to be used in a phishing campaign I'd expect it to be very effective.

I just want to say a few credits: thank you to Euan, who let me basically spam him with tons of messages trying this technique out, and also a guy, Dude I'm a Wizard; there's a ZeroFOX blog post about the Open Graph protocol and abusing it. I did this research quite a while ago, and then came across this blog post, read it, and was like, oh, actually maybe I should look into it a little bit more, and that's why I'm giving this presentation. So definitely go and check out that blog post if you're interested. Thank you. My Twitter tag is cupcake ninja if you want to add me on Twitter, but otherwise, yeah, thank you, and if there's any questions I'll answer them the best I can. [Applause]

Q: [partly inaudible] For the redirect stuff... it only partially follows the redirect... I've got 301 Moved Permanently... On the initial redirect, could you only redirect based on the user agent, instead of setting it up, waiting for the parser and then changing it? You could just set it up from the start to redirect the bots' user agents and send the other users to the actual site, without changing the policy initially?

A: So the question is, can you filter based on the user agent, and redirect given a certain user agent, instead of just doing it for all users? Yeah, absolutely. The different bots have their user agents, and on your server side you can then filter based on which user agent, and you can serve legitimate content to a user, and if you want to serve the malicious redirect to create the object to the Facebook bot, for example, yeah, absolutely, you can do that.

Q: [partly inaudible] You showed us that it affects big companies like Facebook, so of course it's a big problem, but have you found any ways to protect against this, or how can you detect it?

A: Yeah, so I found it really difficult to detect, given the amount of links that are being posted. From my perspective, seeing whether it's actually being used in the wild was quite a difficult thing to find, because how would you go about finding links which are by nature designed to look like other links? So it's kind of difficult. But in terms of actually fixing the issue, it would be simple enough to just make sure that the URL that is posted by the user is visible, either within the Open Graph object, or like Discord, where they send the URL alongside the Open Graph object, and then you wouldn't be able to do this technique anymore.

Q: Could you control the cacheability?

A: So yeah, I believe that you can. With Facebook, there's a part of the Facebook API which allows you to refresh the cache of these objects, so if you've updated your website and you want the cache on Facebook to be refreshed, you can manually go in and request for it to be refreshed. But yeah, absolutely, you could set the time these Open Graph objects are cached for, so they refresh after a certain time; you'd be able to do that, but it's down to the vendor. Okay, well, thank you very much. [Applause]