The Register® — Biting the hand that feeds IT

Comments on: Facebook app shows botnet risk

Yawn 

Posted Monday 8th September 2008 13:20 GMT

Thumb Down

Big deal. What about the thousands of forums that allow you to post <img .../> tags?

You're only going to get a few thousand people installing your app, and they are not all going to do it within a few seconds of each other. Your browser is liable to cache most things this 'malicious' app forces your browser to retrieve. And most websites can handle serving a few thousand pictures over the course of a week perhaps. In fact I'd go so far as to say that's what they were designed to do.

How does this tie in with 

Posted Monday 8th September 2008 13:27 GMT

Paris Hilton

the whole 'content hosters not being responsible for user contributions' scenario? Like the Reg is not responsible for the content of this missive even though they provide the interface I use to post it... Is Facebook exempt from damages caused by their little webapp interface, since it's created by a third party? Or will this be yet another grey area of internet law that needs to be vetted?

It's not /b/ 

Posted Monday 8th September 2008 13:50 GMT

Pirate

It's your personal army.

-or-

Who needs zombie PCs when you have zombie users?

pah, at least be malicious 

Posted Monday 8th September 2008 14:17 GMT

Boffin

http://riosec.com/how-to-create-a-gifar

http://66.102.9.104/search?q=cache:Y2kd8XolyJkJ:www.hackaday.com/2008/08/04/the-gifar-image-vulnerability/+gifar

click fraud is more likely 

Posted Monday 8th September 2008 14:35 GMT

I'd have thought that ad click fraud would be one of the easiest and nearly undetectable uses of this technique. It no longer requires actual people to click, and each IP is genuine, so it is very difficult for Google to detect it as fraud.

@Aidan Samuel 

Posted Monday 8th September 2008 19:34 GMT

Happy

"Your browser is liable to cache most things this 'malicious' app forces your browser to retrieve"

and a web site can tell it not to save anything and load everything from the web site each time the user views it

<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">

and

<META HTTP-EQUIV="EXPIRES" CONTENT="Mon, 22 Jul 1999 11:12:01 GMT">

should do it :P

@Aidan Samuel

Posted Tuesday 9th September 2008 12:31 GMT

Stop

That's only if the url is constant.

The answer from AC is valid, but sort of ignores the point - since no webserver will intentionally be configured to allow itself to be DoS'd. At least, you'd hope not...

Anyway - adding some random text after the link will do just as well. So instead of requesting:

http://www.example.com/image.jpg

you request

http://www.example.com/image.jpg?UID=0123456789

(With that number being "randomly" generated)

Then it is quite unlikely to be cached.
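
Seen from the target site's side, the random-parameter trick discussed in the comments above leaves a recognisable trace in the access log: one static file requested with a different query string almost every time, often from many clients sharing one Referer. The sketch below is an added example, not part of any comment in this thread; the log lines, the referer host and the thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip - - [time] "METHOD target PROTO" status bytes "referer" ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<target>\S+) [^"]*" '
                     r'\d{3} \S+ "(?P<referer>[^"]*)"')
STATIC_EXT = (".jpg", ".jpeg", ".png", ".gif", ".css", ".js")

def find_cache_busted_assets(lines, min_requests=5, min_unique_ratio=0.8):
    """Flag static files that are fetched with a different query string almost every time."""
    stats = defaultdict(lambda: {"requests": 0, "queries": set(),
                                 "ips": set(), "referers": Counter()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a GET request or not in the expected format
        url = urlsplit(m["target"])
        if not url.query or not url.path.lower().endswith(STATIC_EXT):
            continue  # only static files requested with a query string matter here
        s = stats[url.path]
        s["requests"] += 1
        s["queries"].add(url.query)
        s["ips"].add(m["ip"])
        s["referers"][urlsplit(m["referer"]).netloc or "-"] += 1

    flagged = {}
    for path, s in stats.items():
        unique_ratio = len(s["queries"]) / s["requests"]
        if s["requests"] >= min_requests and unique_ratio >= min_unique_ratio:
            flagged[path] = {"requests": s["requests"],
                             "unique_queries": len(s["queries"]),
                             "clients": len(s["ips"]),
                             "top_referer": s["referers"].most_common(1)[0][0]}
    return flagged

# Constructed sample log: documentation IP ranges and a made-up referer host.
SAMPLE_LOG = [
    f'198.51.100.{i} - - [09/Sep/2008:12:31:0{i} +0000] '
    f'"GET /image.jpg?UID={1000 + i * 7919} HTTP/1.1" 200 48211 '
    f'"http://apps.social.example/photo-app" "Mozilla/5.0"'
    for i in range(1, 7)
] + [
    '203.0.113.9 - - [09/Sep/2008:12:32:00 +0000] "GET /logo.png?v=3 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [09/Sep/2008:12:32:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_cache_busted_assets(SAMPLE_LOG))
```

A flagged path is a candidate for a cache key that ignores the query string on static files, or for rate limiting by the reported Referer.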
