Feeds

Facebook app shows botnet risk

You have one zombie request

Seven Steps to Software Security

Updated Social networking users can easily be tricked into becoming unsuspecting drones in zombie networks, according to new research.

Security researchers from the Foundation for Research and Technology in Heraklion, Greece, created a seemingly innocuous Facebook application called Photo of the Day. The (harmless) application posed as only offering Facebook users a different photo from National Geographic every day, but it served another purpose for the makers.

Facebot

When a user loads the application they get a photo from National Geographic. But the application does much more than this, without a user's knowledge, as the Greek security researchers explain:

Every time a user clicks on the Photo of the Day application, an image from the respective service of National Geographic appears. However, we have placed special code in the application’s source code, so that every time a user views the photo, HTTP requests are generated towards a victim host.

More precisely, the application embeds four hidden frames with inline images hosted at the victim. Each time the user clicks inside the application, the inline images are fetched from the victim, causing the victim to serve a request of 600 KBytes, but the user is not aware of that fact (the images are never displayed).

The same approach might easily be applied to more malign purposes, such as making spurious traffic requests to targeted machines. Unlike the proof of concept application developed by the Greek-led team there would be no limit on the volume or persistence of data requests.

As well as providing a platform for denial of service attacks, other possible misuses of a compromised social networking profile could include host scanning, information stealing attacks against Facebook account data, or malware distribution.

The Greek researchers argue that a compromised social networking profile is nearly as useful to miscreants as a compromised PC. Better still, they add, it's easy to take advantage of a user's natural curiosity to spread potentially malicious social networking applications.

Even though little attempt was made to market the so-called Facebot application, almost 1,000 users signed up in just a few days.

Facebook downplayed the significance of the threat posed by the attack technique.

"We'd characterize this as a theoretical attack but not a practical one. In order to do be impact a website, someone would need to get orders of magnitude more users to download their app than the authors of the paper were able to attract. If someone were able to get that level of distribution - no small feat, that many companies and venture capitol firms are competing to do - why would they risk such a potentially very profitable achievement to pull a prank?," a Facebook spokesman told El Reg.

"Also, Facebook requires that users affirm that they trust the app and that they are willing to give it access to specific pieces of data. This is an attack that could be initiated much more easily through traditional means that would not require similar consent from users," he added.

The Greek team plan to present their research, which includes a discussion of potential countermeasures, at an information security conference in Taiwan later this month. One researcher from the Institute for Infocomm Research, Singapore, worked with six Greek boffins in producing a paper on the research entitled Antisocial Networks: Turning a Social Network into a Botnet (pdf). ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.