Feeds

Facebook app shows botnet risk

You have one zombie request

The Essential Guide to IT Transformation

Updated Social networking users can easily be tricked into becoming unsuspecting drones in zombie networks, according to new research.

Security researchers from the Foundation for Research and Technology in Heraklion, Greece, created a seemingly innocuous Facebook application called Photo of the Day. The (harmless) application posed as only offering Facebook users a different photo from National Geographic every day, but it served another purpose for the makers.

Facebot

When a user loads the application they get a photo from National Geographic. But the application does much more than this, without a user's knowledge, as the Greek security researchers explain:

Every time a user clicks on the Photo of the Day application, an image from the respective service of National Geographic appears. However, we have placed special code in the application’s source code, so that every time a user views the photo, HTTP requests are generated towards a victim host.

More precisely, the application embeds four hidden frames with inline images hosted at the victim. Each time the user clicks inside the application, the inline images are fetched from the victim, causing the victim to serve a request of 600 KBytes, but the user is not aware of that fact (the images are never displayed).

The same approach might easily be applied to more malign purposes, such as making spurious traffic requests to targeted machines. Unlike the proof of concept application developed by the Greek-led team there would be no limit on the volume or persistence of data requests.

As well as providing a platform for denial of service attacks, other possible misuses of a compromised social networking profile could include host scanning, information stealing attacks against Facebook account data, or malware distribution.

The Greek researchers argue that a compromised social networking profile is nearly as useful to miscreants as a compromised PC. Better still, they add, it's easy to take advantage of a user's natural curiosity to spread potentially malicious social networking applications.

Even though little attempt was made to market the so-called Facebot application, almost 1,000 users signed up in just a few days.

Facebook downplayed the significance of the threat posed by the attack technique.

"We'd characterize this as a theoretical attack but not a practical one. In order to do be impact a website, someone would need to get orders of magnitude more users to download their app than the authors of the paper were able to attract. If someone were able to get that level of distribution - no small feat, that many companies and venture capitol firms are competing to do - why would they risk such a potentially very profitable achievement to pull a prank?," a Facebook spokesman told El Reg.

"Also, Facebook requires that users affirm that they trust the app and that they are willing to give it access to specific pieces of data. This is an attack that could be initiated much more easily through traditional means that would not require similar consent from users," he added.

The Greek team plan to present their research, which includes a discussion of potential countermeasures, at an information security conference in Taiwan later this month. One researcher from the Institute for Infocomm Research, Singapore, worked with six Greek boffins in producing a paper on the research entitled Antisocial Networks: Turning a Social Network into a Botnet (pdf). ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.