Early this year we observed suspicious UDP connections to port 33000 in a mobile device. This traffic contained a Facebook URL that included a Facebook Graph token, and it was sent unencrypted over the network. In this blog post we show details of this traffic, what information was disclosed, and our discovery of UDP Priming. We have reported this potential data leak to Facebook, who confirmed this traffic is part of the Facebook normal behavior and that the tokens transmitted in plain text are not security related.
1. Discovery of UDP traffic to port 33000
We observed this behavior for the first time in the traffic of an iOS mobile device, specifically an Apple iPhone 6, OS Version 12.1.4. In Figure 1 it is possible to observe how this traffic looked in Wireshark. The internal IP 10.8.0.105 was communicating with different Facebook IPs (31.13.89.19, 157.240.30.18). The connections to UDP port 33000 are similar in length and not periodic. Another thing to consider is that the host sends traffic but never receives a response from the server.
2. Defining which questions need answering
The goal of our analysis is to understand the traffic and what is happening. The first step was to make a list of questions that we wanted to answer. In our case, we were interested in the following ones:
Who else is generating this traffic? Is this an isolated case?
Is this traffic generated by an official Facebook application, or by a third-party app? If it is, it should be documented.
What is the “primingtoken” of the Facebook Graph API doing?
What is this token used for?
We started our research trying to answer all of these questions.
3. First attempt to explain what is happening
3.1 Is this an isolated case or are other users generating the same traffic?
To answer this question we did two things:
First, we searched for occurrences in the traffic of some organizations we are monitoring. To our surprise, we observed multiple users generating the same type of connections. Some of these connections can be observed in Figure 2. The observed connections were all from desktop users, increasing the number of users potentially affected by this leak.
Second, we installed Facebook on an Android mobile phone, captured its traffic for three days, and during this time we used the application as a normal user would. We then searched the captured traffic for any connection on port 33000. We didn't observe any occurrence of connections to high ports on Facebook services.
Conclusion: the observed traffic is not generated by a single user but by multiple users. This traffic was generated by both mobile (iOS) and desktop users (unknown operating systems).
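The search described in 3.1 can be automated with the traffic characteristics from section 1: UDP datagrams to port 33000 towards Facebook hosts, never answered, carrying a Graph URL with a primingtoken parameter in clear text. The following is an added example written for this post, not code from the original analysis or from Facebook. The packet records, the Graph endpoint path, the token values and the assumption that the datagram payload is the bare URL are all constructed; the detector logs the token redacted so the finding itself does not re-expose it.

```python
"""Detect unanswered UDP/33000 datagrams that carry a Facebook Graph URL with a
primingtoken parameter. Added example; the packets below are constructed, and
the payload layout (bare URL) and Graph path are assumptions, not observed."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

PRIMING_PORT = 33000          # UDP destination port observed in the capture
TOKEN_PARAM = "primingtoken"  # query parameter named in the post


@dataclass
class Packet:
    src: str
    dst: str
    proto: str       # "udp" or "tcp"
    sport: int
    dport: int
    payload: bytes


def extract_url(payload: bytes) -> Optional[str]:
    """Return the first http(s) URL in an ASCII-decodable payload, if any."""
    text = payload.decode("ascii", errors="ignore")
    for word in text.split():
        if word.startswith(("http://", "https://")):
            return word
    return None


def is_facebook_host(host: Optional[str]) -> bool:
    host = (host or "").lower()
    return host == "facebook.com" or host.endswith(".facebook.com")


def redact_token(url: str) -> str:
    """Replace the primingtoken value so findings can be logged safely."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == TOKEN_PARAM else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def classify(pkt: Packet) -> Optional[str]:
    """Return the Graph URL if pkt matches the priming-token pattern, else None."""
    if pkt.proto != "udp" or pkt.dport != PRIMING_PORT:
        return None
    url = extract_url(pkt.payload)
    if url is None:
        return None
    parts = urlsplit(url)
    if not is_facebook_host(parts.hostname):
        return None
    if TOKEN_PARAM not in dict(parse_qsl(parts.query, keep_blank_values=True)):
        return None
    return url


def find_leaks(packets: List[Packet]) -> List[Dict[str, object]]:
    """One finding per matching datagram; 'answered' records whether any packet
    flowed back from the server on the same 5-tuple (the post saw none)."""
    seen = {(p.src, p.sport, p.dst, p.dport, p.proto) for p in packets}
    findings: List[Dict[str, object]] = []
    for p in packets:
        url = classify(p)
        if url is None:
            continue
        answered = (p.dst, p.dport, p.src, p.sport, p.proto) in seen
        findings.append({"src": p.src, "dst": p.dst,
                         "url": redact_token(url), "answered": answered})
    return findings


# Constructed sample traffic: two priming datagrams to the Facebook IPs from the
# post, ordinary DNS and TLS traffic, and a UDP/33000 datagram to a non-Facebook host.
SAMPLE_PACKETS = [
    Packet("10.8.0.105", "31.13.89.19", "udp", 51234, PRIMING_PORT,
           b"https://graph.facebook.com/me/feed?primingtoken=CONSTRUCTED_TOKEN_1"),
    Packet("10.8.0.105", "157.240.30.18", "udp", 51235, PRIMING_PORT,
           b"https://graph.facebook.com/me/feed?primingtoken=CONSTRUCTED_TOKEN_2"),
    Packet("10.8.0.105", "192.0.2.53", "udp", 51236, 53, b"\x12\x34\x01\x00"),
    Packet("10.8.0.105", "31.13.89.19", "tcp", 51237, 443, b"\x16\x03\x01\x02\x00"),
    Packet("10.8.0.105", "203.0.113.7", "udp", 51238, PRIMING_PORT,
           b"https://example.com/?primingtoken=CONSTRUCTED_TOKEN_3"),
]

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_PACKETS):
        print(finding)
```

Feeding real captures into this only requires producing `Packet` records (for example from a pcap parser); the matching logic itself does not depend on the capture format.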
3.2 Is this traffic generated by an official Facebook application, or by a third-party app? If it is, it should be documented.
To answer this question we looked up the documentation associated with the Facebook Graph API. The Graph API is at the core of the Facebook ecosystem. According to the Facebook documentation [1]:
The Graph API is the primary way for apps to read and write to the Facebook social graph. All of our SDKs and products interact with the Graph API in some way, and our other APIs are extensions of the Graph API, so understanding how the Graph API works is crucial.
User tokens are needed in order to use the API. The documentation [2] states clearly the two main functions of the token:
They typically perform two functions:
1) they allow your app to access a User's information without requiring the User's password, and
2) they allow us to identify your app, the User who is using your app, and the type of data the User has permitted your app to access.
The Graph API documentation is quite good; however, after an extensive search we didn't find any mention of the primingtoken or anything related to port 33000/UDP. Our tests from 3.1 didn't help confirm whether this behavior was generated by the Facebook app or by Facebook Messenger. There are hundreds of other apps that may connect to Facebook, and at this point testing them all was unfeasible.
Problem: we were unable to answer this question at this point, as the functionality was not documented. Consequently, we were also unable to answer the remaining questions: what does the token do, and what is it used for?
Solution: report this issue to Facebook. If it is an issue, they will fix it; if not, they will explain what it does.
4. Reporting the issue to Facebook
On March 15th we reported the issue to Facebook as an “Access Token Disclosure” problem via their bug bounty program. On March 19th, Facebook support contacted us, stating that these requests/tokens are used for pre-processing and are not security related. In a nutshell, everything was working just as intended. Facebook's answer in full can be read below:
Thank you for submitting this. We have looked into this internally and can confirm that this is working as intended. These requests/tokens are used for pre-processing and are not security related. There is no harm for these to be exposed. Thank you for sharing this information with us. Although this issue does not qualify as a part of our bounty program we appreciate your report. We will follow up with you on any security bugs or with any further questions we may have.
This answer gave us enough information to focus our investigation and find the answer. The key elements that helped us move forward were:
This is an official part of Facebook apps.
The tokens are used for pre-processing of requests.
The token is not used (?) for accessing user information.
5. Finding the root cause. Meet UDP priming.
Our research finally led us to a blog post from 2015 [3] on “Optimizing Facebook for iOS start time”. In this blog post they introduce UDP Priming. UDP priming is a technique used to reduce the start time of the application. Every time a user taps on the Facebook app, the application has to load. There are two cases. If the application is launched for the first time (it is not already running in the background), a considerable amount of content has to be loaded; this is known as a cold start. If the application was already running in the background, less content needs to be loaded for the application to run; this is known as a warm start. UDP Priming is meant to speed up the cold start of the Facebook iOS application.
In Facebook own words [3], UDP Priming is about speeding the cold start process: “before we send out the feed request over TCP, we send an encrypted UDP packet to the server, containing the feed request. The purpose of doing this is to give a hint to the server to kick off fetching and caching of data much earlier. When the actual feed request arrives over TCP, the server can then simply construct the response from cached content and send it back. Enabling this technique allowed us to gain several hundred milliseconds more.”
In this case, they mention that the UDP packet is encrypted, but they don't specify whether only the token is encrypted or the whole packet content should be. In any case, every time the application starts it will generate a request like the one above.
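To make the mechanism quoted from [3] concrete, the following is an in-process model of the priming flow, added here as an example and not Facebook's code: the client fires a UDP hint carrying the feed request before opening the TCP connection, the server starts fetching and caching as soon as the hint arrives and sends nothing back (matching the unanswered UDP flows in the capture), and the later TCP request is answered from the cache. The request key, the cache lifetime, the timings and the deterministic clock are constructed assumptions; the model also shows the failure mode where a hint arrives too early and its cached entry has expired by the time the TCP request comes in.

```python
"""In-process model of UDP priming as described in the post (hint over UDP,
prefetch and cache on the server, TCP request served from cache). Added
example, not Facebook's code; request strings, TTL and timings are constructed."""
from typing import Callable, Dict, Tuple


class FakeClock:
    """Deterministic clock so the example behaves the same on every run."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class PrimingServer:
    def __init__(self, backend: Callable[[str], str], clock: FakeClock, ttl: float = 5.0) -> None:
        self.backend = backend          # the slow data source (constructed)
        self.clock = clock
        self.ttl = ttl                  # assumed: primed entries expire after ttl seconds
        self.cache: Dict[str, Tuple[float, str]] = {}
        self.backend_fetches = 0        # how many times the slow path ran

    def _fetch(self, request: str) -> str:
        self.backend_fetches += 1
        return self.backend(request)

    def on_udp_hint(self, request: str) -> None:
        """Kick off fetching and caching early. Nothing is returned to the client,
        which is why the capture shows UDP datagrams with no reply."""
        self.cache[request] = (self.clock.now(), self._fetch(request))

    def on_tcp_request(self, request: str) -> Tuple[str, bool]:
        """Serve from cache if a fresh hint preceded the request, else fetch now.
        Returns (response, served_from_cache)."""
        entry = self.cache.pop(request, None)
        if entry is not None and self.clock.now() - entry[0] <= self.ttl:
            return entry[1], True
        return self._fetch(request), False


def cold_start(server: PrimingServer, request: str, use_priming: bool,
               tcp_delay: float = 0.2) -> bool:
    """Model one app launch; returns whether the feed came from the primed cache."""
    if use_priming:
        server.on_udp_hint(request)     # fire-and-forget datagram goes out first
    server.clock.advance(tcp_delay)     # connection setup before the real request
    _, from_cache = server.on_tcp_request(request)
    return from_cache


def backend(request: str) -> str:
    """Stand-in for the real feed generation (constructed)."""
    return f"feed-for:{request}"


def demo() -> Dict[str, object]:
    clock = FakeClock()
    server = PrimingServer(backend, clock)
    req = "GET /me/feed"  # constructed request key, not the real wire format
    primed = cold_start(server, req, use_priming=True)
    fetches_primed = server.backend_fetches
    unprimed = cold_start(server, req, use_priming=False)
    fetches_unprimed = server.backend_fetches - fetches_primed
    # A hint that arrives far ahead of the TCP request is useless: expired entry.
    stale = cold_start(server, req, use_priming=True, tcp_delay=10.0)
    return {"primed": primed, "fetches_primed": fetches_primed,
            "unprimed": unprimed, "fetches_unprimed": fetches_unprimed,
            "stale_hint": stale}


if __name__ == "__main__":
    print(demo())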
Conclusion
Performing network analysis on mobile phones turned our attention to suspicious connections to Facebook servers. These connections leak Facebook UDP Priming tokens which are used to speed up the loading of Facebook applications. While there is no documentation on this behavior on the Graph API, Facebook confirmed that this is indeed part of the normal behavior of the app. We confirmed that the same optimization technique (code) is present in Android Facebook apps, but we couldn’t confirm that this behavior is actually used in Android apps.
Security impact. Sending the full URL and token in clear text has implications for the security of the users.
First, the transmission of this information discloses to anyone surveilling the user the presence of Facebook applications installed, and can help confirm the operating system behind it (if this is only used on iOS devices).
Second, while not confirmed to date, this user token may disclose personal information about the user. More research needs to be done to confirm this.
We believe that this negatively affects the privacy of users and the URL should be encrypted. Additionally, this behavior should be documented so users can understand what type of traffic is being sent out from their mobile phones.
References
[1] Graph API, Facebook, https://developers.facebook.com/docs/graph-api
[2] Using the Graph API, Facebook, https://developers.facebook.com/docs/graph-api/using-graph-api/
[3] Optimizing Facebook for iOS start time, Facebook, https://code.fb.com/ios/optimizing-facebook-for-ios-start-time/