How to Kill a Bot With 10 HTTP Requests

There are a lot of chatbot frameworks out there. But are they secure?

David Mann
Chatbots Magazine

--

One week ago I asked the community how they develop bots and which frameworks they use to code them. The next thing that came to mind was security. How secure are bots? What are the common layer 7 vulnerabilities?

I made a Google Sheet of all the libraries and started my security research. The first thing I noticed is that many people use Node.js, so I looked into common Node.js security vulnerabilities. I found that V8 was vulnerable to the classic hash collision (hash flooding) attack, but Node fixed that a long time ago. There is also an attack on JSON parsing and one on SSL handshakes in OpenSSL. All of them are fixed, but if you run an old version of Node.js all of them could still be used against you.

Needless to say, this applies to any web app running outdated software. Nothing special so far.

How Do Facebook Messenger Bots Work?

When you type something into the chat, Facebook makes an HTTP POST request to your web app, with your message in the POST body as JSON. Here's a short example to give you a feeling for what we are talking about:

After the bot has received the message it may call external services such as wit.ai or api.ai for NLP, then it generates an answer and sends it back to Facebook through the Send API. Facebook then delivers the response to you in Messenger.

The Problem

If your bot uses images or webviews you can open Chrome DevTools and easily find the URL of the server hosting them. Most of the libraries use /webhook as the path that accepts the calls from Facebook. Once you have found the webhook you can pretend to be Facebook with most of the libraries, because they implement the X-Hub-Signature header check incorrectly or not at all. That header is what proves a request really came from Facebook: it carries an HMAC-SHA1 of the raw request body keyed with your app secret, which an attacker who only knows the URL cannot produce.

libraries with a wrong X-Hub-Signature implementation

The Attack

The first thing I tried was simply spamming the webhook with spoofed messages. In one case I even found my app-scoped user ID and was able to make the bot send messages in large amounts to my own Facebook account.

I noticed that messaging in the JSON payload above is an array, so you can put multiple messages into one payload. The default maximum POST body size in Express (body-parser) is 100kb, which is room for roughly 600 messages. Now this is a problem: with one 100kb request I can make your bot issue 600 requests to Facebook, and maybe another 600 to third-party NLP servers. Most of these APIs are rate limited to about 1 request per second, so one request from me keeps your bot busy for 10 to 20 minutes. After 100 requests your bot is doing nothing but API calls, and if you host on AWS Elastic Beanstalk with autoscaling your bill grows because it starts one instance after another.

Keep in mind: all we do is a POST request. You could also trigger it via CSRF from another website (e.g. a social media worm). So even if you limit your webhook or servlet to one message per request, this is still an attack vector because of the 1 request per second limit of the external APIs; it just takes more requests. A correct signature check closes both paths, since neither a script on another site nor an attacker who knows the URL has the app secret needed to compute a valid X-Hub-Signature.


Proof Of Concept

I've created a Metasploit module to test your bots. Use it for good, not for evil.

a demo of the fb_messenger_bot_dos attack

Why Is This Possible?

I would say it is a mixture of laziness and not taking security seriously. The Facebook Messenger API has a way to verify that it is really Facebook talking to your bot: the X-Hub-Signature header, described in the webhook documentation. Most of the libraries simply implemented it wrong or skipped the security part altogether. I can also imagine that many people think security by obscurity (hiding the web server) is enough for them, but as shown above, the URL leaks through any image or webview the bot serves.

About The Author

David Mann is a managing partner at sherpa7 and the creator of the botstack framework for rapid chatbot development.
