Feeds

Facebook app shows botnet risk

You have one zombie request

High performance access to file storage

Updated Social networking users can easily be tricked into becoming unsuspecting drones in zombie networks, according to new research.

Security researchers from the Foundation for Research and Technology in Heraklion, Greece, created a seemingly innocuous Facebook application called Photo of the Day. The (harmless) application posed as only offering Facebook users a different photo from National Geographic every day, but it served another purpose for the makers.

Facebot

When a user loads the application they get a photo from National Geographic. But the application does much more than this, without a user's knowledge, as the Greek security researchers explain:

Every time a user clicks on the Photo of the Day application, an image from the respective service of National Geographic appears. However, we have placed special code in the application’s source code, so that every time a user views the photo, HTTP requests are generated towards a victim host.

More precisely, the application embeds four hidden frames with inline images hosted at the victim. Each time the user clicks inside the application, the inline images are fetched from the victim, causing the victim to serve a request of 600 KBytes, but the user is not aware of that fact (the images are never displayed).

The same approach might easily be applied to more malign purposes, such as making spurious traffic requests to targeted machines. Unlike the proof of concept application developed by the Greek-led team there would be no limit on the volume or persistence of data requests.

As well as providing a platform for denial of service attacks, other possible misuses of a compromised social networking profile could include host scanning, information stealing attacks against Facebook account data, or malware distribution.

The Greek researchers argue that a compromised social networking profile is nearly as useful to miscreants as a compromised PC. Better still, they add, it's easy to take advantage of a user's natural curiosity to spread potentially malicious social networking applications.

Even though little attempt was made to market the so-called Facebot application, almost 1,000 users signed up in just a few days.

Facebook downplayed the significance of the threat posed by the attack technique.

"We'd characterize this as a theoretical attack but not a practical one. In order to do be impact a website, someone would need to get orders of magnitude more users to download their app than the authors of the paper were able to attract. If someone were able to get that level of distribution - no small feat, that many companies and venture capitol firms are competing to do - why would they risk such a potentially very profitable achievement to pull a prank?," a Facebook spokesman told El Reg.

"Also, Facebook requires that users affirm that they trust the app and that they are willing to give it access to specific pieces of data. This is an attack that could be initiated much more easily through traditional means that would not require similar consent from users," he added.

The Greek team plan to present their research, which includes a discussion of potential countermeasures, at an information security conference in Taiwan later this month. One researcher from the Institute for Infocomm Research, Singapore, worked with six Greek boffins in producing a paper on the research entitled Antisocial Networks: Turning a Social Network into a Botnet (pdf). ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.