Feeds

Facebook app shows botnet risk

You have one zombie request

Beginner's guide to SSL certificates

Updated Social networking users can easily be tricked into becoming unsuspecting drones in zombie networks, according to new research.

Security researchers from the Foundation for Research and Technology in Heraklion, Greece, created a seemingly innocuous Facebook application called Photo of the Day. The (harmless) application posed as only offering Facebook users a different photo from National Geographic every day, but it served another purpose for the makers.

Facebot

When a user loads the application they get a photo from National Geographic. But the application does much more than this, without a user's knowledge, as the Greek security researchers explain:

Every time a user clicks on the Photo of the Day application, an image from the respective service of National Geographic appears. However, we have placed special code in the application’s source code, so that every time a user views the photo, HTTP requests are generated towards a victim host.

More precisely, the application embeds four hidden frames with inline images hosted at the victim. Each time the user clicks inside the application, the inline images are fetched from the victim, causing the victim to serve a request of 600 KBytes, but the user is not aware of that fact (the images are never displayed).

The same approach might easily be applied to more malign purposes, such as making spurious traffic requests to targeted machines. Unlike the proof of concept application developed by the Greek-led team there would be no limit on the volume or persistence of data requests.

As well as providing a platform for denial of service attacks, other possible misuses of a compromised social networking profile could include host scanning, information stealing attacks against Facebook account data, or malware distribution.

The Greek researchers argue that a compromised social networking profile is nearly as useful to miscreants as a compromised PC. Better still, they add, it's easy to take advantage of a user's natural curiosity to spread potentially malicious social networking applications.

Even though little attempt was made to market the so-called Facebot application, almost 1,000 users signed up in just a few days.

Facebook downplayed the significance of the threat posed by the attack technique.

"We'd characterize this as a theoretical attack but not a practical one. In order to do be impact a website, someone would need to get orders of magnitude more users to download their app than the authors of the paper were able to attract. If someone were able to get that level of distribution - no small feat, that many companies and venture capitol firms are competing to do - why would they risk such a potentially very profitable achievement to pull a prank?," a Facebook spokesman told El Reg.

"Also, Facebook requires that users affirm that they trust the app and that they are willing to give it access to specific pieces of data. This is an attack that could be initiated much more easily through traditional means that would not require similar consent from users," he added.

The Greek team plan to present their research, which includes a discussion of potential countermeasures, at an information security conference in Taiwan later this month. One researcher from the Institute for Infocomm Research, Singapore, worked with six Greek boffins in producing a paper on the research entitled Antisocial Networks: Turning a Social Network into a Botnet (pdf). ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.