Posted by: Eric Hansen
When most people think of validating user input, the first thing to come to mind is making sure a string is a string, numbers are numbers and dates are proper. But does it stop there? Let’s have Facebook decide.
It seems there’s a new exploit available for their chat system, though it’s not something most people would ever cause, given how extreme the scenario is. All you need to do is send an extremely long message via chat to Facebook’s servers, which will then crash the end user’s session (and yours). This has further repercussions for Facebook apps that keep chat sessions alive (i.e., tablet Facebook apps): they will no longer be able to use the Facebook chat program on the tablet, because the Messenger app will constantly try to load the too-long message and crash. This was posted on seclists.org by Chris Russo (http://seclists.org/fulldisclosure/2012/Nov/46).
While it does have a specific use case, and the average user would never reach the limits needed to cause this issue, it also shows that data validation is far from properly implemented, even at big-name corporations. If it’s as simple as sending a “malformed” request to Facebook’s chat service, how easy would it be to do the same with GTalk, IRC, etc.?
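
As an added illustration (not code from the original post or from Facebook), here is one way a chat server could enforce a size limit at ingestion, so an oversized message is never buffered in full, stored, or replayed to a recipient's client. The function names, the `inbox` list and the 4096-byte limit are assumptions made for this sketch.

```python
import io

MAX_MESSAGE_BYTES = 4096  # assumed limit; pick one that fits your protocol


class MessageRejected(ValueError):
    """Raised when an incoming chat message fails validation."""


def read_bounded(stream, limit=MAX_MESSAGE_BYTES):
    # Read one byte past the limit: enough to detect an oversized body
    # without ever holding the whole payload in memory.
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise MessageRejected("message exceeds %d bytes" % limit)
    return data


def validate_chat_message(stream, limit=MAX_MESSAGE_BYTES):
    # The limit applies to encoded bytes, not characters, because
    # multi-byte text can be far larger on the wire than its length suggests.
    raw = read_bounded(stream, limit)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise MessageRejected("message is not valid UTF-8") from exc
    if not text.strip():
        raise MessageRejected("message is empty")
    return text


def accept_message(stream, inbox, limit=MAX_MESSAGE_BYTES):
    # Only validated messages reach the stored inbox. A rejected message
    # is dropped here, so clients never have to load it on reconnect.
    try:
        inbox.append(validate_chat_message(stream, limit))
    except MessageRejected:
        return False
    return True


if __name__ == "__main__":
    inbox = []  # constructed sample inbox
    print(accept_message(io.BytesIO(b"hello"), inbox))
    print(accept_message(io.BytesIO(b"A" * (10 * 1024 * 1024)), inbox))
    print(inbox)
```

Rejecting at the point of receipt matters here because the crash described above repeats whenever a client reloads the stored message.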