With the rise of social media across the entire globe, companies needed a way to speed up load times for large files such as photos, videos, and software downloads. The following description of Content Delivery Networks comes from Wikipedia:
A content delivery network, or content distribution network (CDN), is a geographically distributed network of proxy servers and their data centers. The goal is to provide high availability and performance by distributing the service spatially relative to end users. CDNs came into existence in the late 1990s as a means for alleviating the performance bottlenecks of the Internet, even as the Internet was starting to become a mission-critical medium for people and enterprises. Since then, CDNs have grown to serve a large portion of the Internet content today, including web objects (text, graphics and scripts), downloadable objects (media files, software, documents), applications (e-commerce, portals), live streaming media, on-demand streaming media, and social media sites.
CDNs are a layer in the internet ecosystem. Content owners such as media companies and e-commerce vendors pay CDN operators to deliver their content to their end users. In turn, a CDN pays Internet service providers (ISPs), carriers, and network operators for hosting its servers in their data centers.
CDN is an umbrella term spanning different types of content delivery services: video streaming, software downloads, web and mobile content acceleration, licensed/managed CDN, transparent caching, and services to measure CDN performance, load balancing, Multi CDN switching and analytics and cloud intelligence. CDN vendors may cross over into other industries like security, with DDoS protection and web application firewalls (WAF), and WAN optimization.
Now that you have a good understanding of what Content Delivery Networks are and why they exist, let’s look into the possible privacy concerns around them. We are going to focus strictly on how Facebook, Instagram, and Twitter manage their content using a CDN.
Let’s start by looking at Facebook. Many people that use Facebook have their privacy settings set to “Friends Only” or “Friends of Friends”. How would you feel if those settings on your profile didn’t mean anything when it comes to how Facebook uses its Content Delivery Network? Let’s take a closer look at what I mean when talking about privacy concerns.
domain = *.fbcdn.net
example server = scontent-atl3-1.xx.fbcdn.net
example image = See link below:
Try clicking the URL above; this is an image that I posted on Facebook a while back.
As you can see, anyone can view this image without any authentication. This image is only visible to “Friends Only” within the Facebook privacy settings; however, as you can see, anyone who has the direct URI link can view this image. The reason Facebook has decided to use this method is to ensure “the best user experience”. You can see below that Facebook does not count this as a bug or a privacy issue; they mark it as a “false positive” within their bug bounty program.
False Positives – Facebook
* Open redirects. Any redirect using our "linkshim" system is not an open redirect (learn more).
* Profile pictures available publicly. Your current profile picture is always public (regardless of size or resolution).
* Note that public information also includes your username, ID, name, current cover photo, gender, and anything you’ve shared publicly (learn more).
* Sending messages to anyone on Facebook (learn more).
* Accessing photos via raw image URLs from our CDN (Content Delivery Network). One of our engineers has posted a more detailed explanation (external link).
* Case-insensitive passwords. We accept the "caps lock" version of a password or with the first character capitalized to avoid login problems.
* Missing attribution on page posts. We generally show page admins which admin created a post, but this is not a security control. **1
**1 The information above is taken from the facebook.com/whitehat screenshot and placed within a code block to be more accessible for the reader.
Now many security researchers would say that accessing the image via the CDN URI is the same as screenshotting or saving the image to your PC or smart device. The issue with that thought process is a fundamental change in how we threat model and assess true “risk” within a business. For example, what happens if malware infects your PC or smartphone, monitors all your traffic being sent to Facebook, and sends that data to Russia? I promise you that a URI being sent back to a server would be harder to detect than a massive amount of images being transmitted over the wire. Another possible issue is search engines indexing public CDN links; we all know of many open S3 buckets found via search engines, so what happens if Google indexes these CDN URIs? We can continue to theorize on the possibilities or use cases of this “Feature”, but unfortunately Facebook is not the only company that has no authentication set for media stored on their CDN servers.
Everyone knows that Facebook owns Instagram, so naturally its Content Delivery Network is almost identical to Facebook’s.
domain = *.cdninstagram.com
example server = scontent-atl3-1.cdninstagram.com
example image = See link below:
One thing to mention about the URI above: just like Facebook’s CDN URIs, it has some “security” checks in place for content on the CDN.
You can see within the URI that there are several parameters to verify the “access” for the content within the CDN. Let’s quickly review these parameters:
_nc_ht = specifies the server you are pulling the media from. If the "_nc_ht" value does not match the server in the FQDN you will get a "URL signature mismatch" error. This parameter does not "increase" the security/privacy of the media within the CDN.
_nc_cat = a parameter that is not needed to correctly render the media from the CDN. You can simply take out the "_nc_cat" parameter and the media will still render correctly.
oh = a check to verify the "hash" of the content being requested from the CDN. If a user changes this parameter you will get the following error message: "Bad URL hash".
oe = the final parameter is another check in place to prevent enumeration; this parameter is a "Time Check parameter". If this parameter is incorrect you will get the following error message: "Bad URL timestamp".
The parameters above do not “increase” the security or privacy of content stored within the CDN; they are simply in place to prevent a user from enumerating through content stored on the CDN.
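To make the distinction above concrete, here is an added example of a generic signed-link scheme of the shape the four parameters suggest. It is not Facebook's or Instagram's code, and the real signing algorithm behind "oh" and "oe" is not public; the key, the host name, the hex expiry encoding and the HMAC construction are all assumptions. What the example shows is the point the text makes: the checks bind the link to a host, a path and a lifetime, so a guessed URL fails, but nothing in the verifier ever asks who is making the request. It also mirrors the observation that "_nc_cat" can be removed because it is not part of the signed material.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Hypothetical signing key; a real CDN keeps its key private and rotates it.
SIGNING_KEY = b"example-only-signing-key"
TTL_SECONDS = 7 * 24 * 3600  # assumed link lifetime


def _digest(host: str, path: str, oe: str) -> str:
    """HMAC-SHA256 over host, path and expiry; the first 32 hex chars serve as 'oh'."""
    msg = f"{host}\n{path}\n{oe}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()[:32]


def sign_url(host: str, path: str, now: int, cat: str = "1") -> str:
    """Produce a link with the parameter layout described in the article.

    '_nc_ht' names the serving host, 'oe' is a hex expiry timestamp and 'oh'
    binds host, path and expiry together. '_nc_cat' is deliberately left out
    of the signed material, so dropping it does not affect verification.
    """
    oe = format(now + TTL_SECONDS, "x")
    query = urlencode(
        {"_nc_ht": host, "_nc_cat": cat, "oh": _digest(host, path, oe), "oe": oe}
    )
    return urlunsplit(("https", host, path, query, ""))


def verify_url(url: str, now: int) -> str:
    """Return 'OK' or an error string.

    Note what is NOT checked: the identity of the requester. A valid link is
    valid for anyone who holds it, which is the privacy point of the article.
    """
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if q.get("_nc_ht") != parts.hostname:
        return "URL signature mismatch"
    oe = q.get("oe", "")
    try:
        if int(oe, 16) < now:
            return "Bad URL timestamp"
    except ValueError:
        return "Bad URL timestamp"
    expected = _digest(parts.hostname, parts.path, oe)
    if not hmac.compare_digest(expected, q.get("oh", "")):
        return "Bad URL hash"
    return "OK"


def strip_param(url: str, name: str) -> str:
    """Remove one query parameter, e.g. to show '_nc_cat' is not load-bearing."""
    parts = urlsplit(url)
    kept = {k: v[0] for k, v in parse_qs(parts.query).items() if k != name}
    return urlunsplit(parts._replace(query=urlencode(kept)))


def set_param(url: str, name: str, value: str) -> str:
    """Overwrite one query parameter, to simulate a tampered 'oh' or 'oe'."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    q[name] = value
    return urlunsplit(parts._replace(query=urlencode(q)))


if __name__ == "__main__":
    now = 1_700_000_000  # constructed fixed clock so the run is reproducible
    link = sign_url("scontent-example.cdn.invalid", "/v/photo_1234.jpg", now)
    print(link)
    print(verify_url(link, now))                                # OK
    print(verify_url(strip_param(link, "_nc_cat"), now))        # OK
    print(verify_url(set_param(link, "oh", "0" * 32), now))     # Bad URL hash
    print(verify_url(link, now + TTL_SECONDS + 1))              # Bad URL timestamp
    print(verify_url(link.replace("scontent-example", "other-host", 1), now))  # URL signature mismatch
```

Because the expiry is covered by the hash, moving "oe" into the future without the key still fails with "Bad URL hash"; only an honest link that has aged out produces "Bad URL timestamp". Either way the verifier is an anti-enumeration control, not an access control: it never consults the viewer's friends list.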
Twitter’s Content Delivery Network is probably the most insecure at the time of writing this blog. See below for details on Twitter’s CDN.
domain = *.twimg.com
example server = pbs.twimg.com
example image = See link below:
As you can see, Twitter only uses one parameter within the request URI, compared to Facebook and Instagram, which use up to four parameters. In the example above the URI has a parameter of 15 alphanumeric characters, and this parameter is case sensitive. It would still take quite a long time to “brute force” any valid URI address, not counting a possible WAF in place to limit requests to the CDN network.
All in all, the actual “risk” of data getting exposed from a CDN is extremely low; however, there is still some risk. This blog entry was written to inform people who may not have a good understanding of how the major social media platforms “secure” your data and how they use Content Delivery Networks.