Metadata piggybacking: A look into Open Graph Abuse presented at BSidesManchester 2019

by Charlie Hosier

Summary: The Open Graph protocol was first released in April 2010. It lets any web page be represented as a rich object (title, description, image, URL) that is displayed to users. It is widely used by social media platforms to make links shared between users more attractive; whether the link is a tweet on Twitter or a private message on Discord, the majority of web applications that allow resources to be shared appear to use this protocol. Unfortunately, a small issue common to most Open Graph parsers has allowed a malicious actor to forge the object that is created, gaining the user's trust and redirecting them to a web page other than the one the object displays.

In my talk I will outline the Open Graph technology and its benefits, and describe how it can be abused. I will look at how social media platforms use the visibility of the URL to prevent Open Graph spoofing, and show that, because Open Graph objects are cached and the parsers follow redirects, this URL visibility can be bypassed to create a more convincing object. I will explain the technical details with examples of the technique and of how it could be used to build convincing phishing campaigns. I will then demonstrate cases where the technique is already being used in the wild to disguise web pages in an attempt to get users to visit potentially malicious websites.

In conclusion, it seems odd that, in a landscape where humans are the weakest link in any system, the general response to this issue across several social media platforms has been that they are aware of it but are not doing anything to fix it. I will argue that this needs to be taken more seriously given the trust that Open Graph objects create, and the implications not only for the site hosting the Open Graph object but for any other web application: the application where the Open Graph object is forged is often not the target of the attack that uses this vector.
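The following is an added example, not code from the talk or from any platform's parser. It builds Open Graph previews over a small constructed "web" (hypothetical hosts attacker.example and bank.example, embedded inline so it runs offline) to show the two mechanics the abstract relies on: a parser that follows redirects and then displays the page-author-controlled og:url shows the user a URL they will never land on, and a preview cached by shared URL keeps serving the forged object after the destination changes. The hardened variant displays the URL the user actually shared, records the host it resolves to, and flags an og:url that claims a different host from the one serving the page.

```python
"""Added example (not from the talk): a minimal Open Graph preview builder.
Shows how a parser that follows redirects and displays og:url can present a
URL the user never lands on, and how a cached preview goes stale.
All hosts and pages below are constructed for the demo."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

class OGParser(HTMLParser):
    """Collect <meta property="og:*" content="..."> tags; first value wins."""
    def __init__(self):
        super().__init__()
        self.og = {}
    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop = a.get("property") or ""
        if prop.startswith("og:") and a.get("content") is not None:
            self.og.setdefault(prop, a["content"])

def parse_og(html):
    parser = OGParser()
    parser.feed(html)
    return parser.og

# Constructed offline "web": url -> (status, headers, body). The attacker's
# landing page is served from attacker.example but claims bank.example in og:url.
FAKE_WEB = {
    "https://attacker.example/promo": (
        302, {"Location": "https://attacker.example/landing"}, ""),
    "https://attacker.example/landing": (200, {}, """<html><head>
        <meta property="og:title" content="Your Bank - Secure Login">
        <meta property="og:url" content="https://bank.example/login">
        </head><body>credential-harvesting form would go here</body></html>"""),
    "https://bank.example/login": (200, {}, """<html><head>
        <meta property="og:title" content="Your Bank - Secure Login">
        <meta property="og:url" content="https://bank.example/login">
        </head></html>"""),
}

def fetch(url, max_redirects=5):
    """Simulated HTTP client that follows redirects, as OG crawlers do.
    Returns (final_url, redirect_chain, body)."""
    chain = [url]
    for _ in range(max_redirects + 1):
        status, headers, body = FAKE_WEB[url]
        if status in (301, 302, 303, 307, 308):
            url = headers["Location"]
            chain.append(url)
            continue
        return url, chain, body
    raise RuntimeError("too many redirects")

def naive_preview(shared_url):
    """Trusting parser: follow redirects, then display og:url, which the
    page author controls."""
    final_url, _chain, body = fetch(shared_url)
    og = parse_og(body)
    return {"title": og.get("og:title"), "display_url": og.get("og:url", final_url)}

def hardened_preview(shared_url):
    """Show the URL the user actually shared and the host it resolves to, and
    flag the object when og:url claims a host other than the one serving it."""
    final_url, _chain, body = fetch(shared_url)
    og = parse_og(body)
    served_host = urlsplit(final_url).hostname
    claimed_host = urlsplit(og.get("og:url", final_url)).hostname
    return {"title": og.get("og:title"), "display_url": shared_url,
            "resolves_to": served_host, "spoof_suspected": claimed_host != served_host}

_CACHE = {}

def cached_preview(shared_url, builder=naive_preview):
    """Cache keyed by shared URL with no expiry: once stored, later changes
    at the destination are never seen."""
    if shared_url not in _CACHE:
        _CACHE[shared_url] = builder(shared_url)
    return _CACHE[shared_url]

def demonstrate_stale_cache():
    """Cache the attacker's preview, replace the landing page with one that has
    no Open Graph tags, and show the cached object is still served unchanged."""
    url = "https://attacker.example/promo"
    _CACHE.pop(url, None)
    before = cached_preview(url)
    saved = FAKE_WEB["https://attacker.example/landing"]
    FAKE_WEB["https://attacker.example/landing"] = (200, {}, "<html><body>changed</body></html>")
    try:
        after = cached_preview(url)
        fresh = naive_preview(url)
    finally:
        FAKE_WEB["https://attacker.example/landing"] = saved
    return before, after, fresh

if __name__ == "__main__":
    link = "https://attacker.example/promo"
    print("naive   :", naive_preview(link))
    print("hardened:", hardened_preview(link))
```

Running it, the naive preview for the shared attacker link carries the title and URL of bank.example, while the hardened preview keeps the shared URL visible and flags the host mismatch. The mismatch test is a heuristic (sites that set og:url to a canonical URL on another host will trip it), so the part that matters for users is displaying the URL they shared, or the final resolved host, rather than anything the fetched page declares. The stale-cache demo shows why a preview that was validated once cannot be trusted later: the cached object survives a complete rewrite of the destination.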