Facebook Notes Breach—Exploiting Facebook Notes to Launch DDoS Attack

There is a new attack method available for hackers to take down websites, and it is made possible by everyone’s favorite social network.

Facebook has a feature called Notes which allows users to write and post content on their profiles. It’s like having a small blog within the bigger social platform. Unfortunately, Notes contains a HTML problem that gives hackers the capability of easy DDoS with very few resources.

When users create the <img> HTTP tag in Notes, Facebook’s servers make a GET request to the external server that hosts the image, and then caches the image. Typically, it only caches the image once.

Last month and independent researcher discovered that by using random GET parameters, you can dupe Facebook’s servers into requesting the image over and over again. These repeated requests will tax the external server’s network, drain their CPU, and could feasibly take them offline. This DDoS method is called HTTP GET Flood and if not dealt with properly, it could take down even large websites.

With only three laptops the researcher generated over 900 Mbps of attacking strength for several hours by tricking Facebook servers into repeatedly requesting a 13Mb PDF. The researcher also claimed this same method could be used with videos and other larger files, thus amplifying the attack even more.

The researcher reported the problem to Facebook’s ‘bug bounty’ program to see if they would patch the hole.

Facebook’s Response

The response to the bug was not quite what the researcher was expecting. They decided not to fix the bug because it would seriously diminish the quality of Notes. Sorry, no bounty this time. In Facebook’s own words:

“In the end, the conclusion is that there’s no real way to us fix this that would stop “attacks” against small consumer grade sites without also significantly degrading the overall functionality.”

See how the Facebook representative uses quotes around the word “attacks” in his/her reply. The costs of changing the current system outweigh the benefits of removing the bug. They are implying that the bug itself is not much of a threat.

And they may be right. According to experts, such consistent, unvaried requests from Facebook are easy to block with basic defense technology. This attack would only be effective against websites that are unprotected and not careful about security.

There are many more popular attacks at a hacker’s disposal that are more difficult to defend against. For example, DDoS protection service Incapsula recently reported that one of their clients was hit with a DNS Flood in May that reached over 1.5 Billion requests per minute for several hours.

On the other hand, the Facebook Notes vulnerability might not be such a small threat forever. Hackers are always on the quest for new ways of DDoS-ing their targets and this discovery might be a puzzle piece for a more sophisticated attack down the road.

Either way, this Facebook hole is a nuisance and demands your attention. Even if top hackers won’t bother to use it, less experienced hackers may not be so picky. To protect yourself from the Facebook Notes hack or other more serious DDoS attacks like DNS Floods, find an experienced security service that can suit your website’s needs.