Feeds

Facebook app shows botnet risk

You have one zombie request

Security for virtualized datacentres

Updated Social networking users can easily be tricked into becoming unsuspecting drones in zombie networks, according to new research.

Security researchers from the Foundation for Research and Technology in Heraklion, Greece, created a seemingly innocuous Facebook application called Photo of the Day. The (harmless) application posed as only offering Facebook users a different photo from National Geographic every day, but it served another purpose for the makers.

Facebot

When a user loads the application they get a photo from National Geographic. But the application does much more than this, without a user's knowledge, as the Greek security researchers explain:

Every time a user clicks on the Photo of the Day application, an image from the respective service of National Geographic appears. However, we have placed special code in the application’s source code, so that every time a user views the photo, HTTP requests are generated towards a victim host.

More precisely, the application embeds four hidden frames with inline images hosted at the victim. Each time the user clicks inside the application, the inline images are fetched from the victim, causing the victim to serve a request of 600 KBytes, but the user is not aware of that fact (the images are never displayed).

The same approach might easily be applied to more malign purposes, such as making spurious traffic requests to targeted machines. Unlike the proof of concept application developed by the Greek-led team there would be no limit on the volume or persistence of data requests.

As well as providing a platform for denial of service attacks, other possible misuses of a compromised social networking profile could include host scanning, information stealing attacks against Facebook account data, or malware distribution.

The Greek researchers argue that a compromised social networking profile is nearly as useful to miscreants as a compromised PC. Better still, they add, it's easy to take advantage of a user's natural curiosity to spread potentially malicious social networking applications.

Even though little attempt was made to market the so-called Facebot application, almost 1,000 users signed up in just a few days.

Facebook downplayed the significance of the threat posed by the attack technique.

"We'd characterize this as a theoretical attack but not a practical one. In order to do be impact a website, someone would need to get orders of magnitude more users to download their app than the authors of the paper were able to attract. If someone were able to get that level of distribution - no small feat, that many companies and venture capitol firms are competing to do - why would they risk such a potentially very profitable achievement to pull a prank?," a Facebook spokesman told El Reg.

"Also, Facebook requires that users affirm that they trust the app and that they are willing to give it access to specific pieces of data. This is an attack that could be initiated much more easily through traditional means that would not require similar consent from users," he added.

The Greek team plan to present their research, which includes a discussion of potential countermeasures, at an information security conference in Taiwan later this month. One researcher from the Institute for Infocomm Research, Singapore, worked with six Greek boffins in producing a paper on the research entitled Antisocial Networks: Turning a Social Network into a Botnet (pdf). ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.