Slashdot Mirror


Hackers Target MySpace and Facebook

Stony Stevenson writes "The security firm Fortify Software has warned against a series of attacks against Facebook and MySpace. Buffer overflows that enabled hackers to exploit the Aurigma ActiveX image uploading software used by social networking sites were at the heart of the assault. 'Criminal hackers now view social networking sites as their best target for attacks ... [partially because] such sites are designed to be usable by "unsophisticated" consumers, meaning that the barrier to entry for attacks is potentially lower as users are more likely to click on a link that leads to malware.'"

30 of 93 comments

  1. Internet Explorer based exploit by prajjwal · · Score: 5, Insightful

    I assume this is an internet explorer based exploit? http://www.kb.cert.org/vuls/id/776931

    1. Re:Internet Explorer based exploit by palegray.net · · Score: 5, Informative

      Well, according to this page it allows execution of arbitrary code on the victim's machine. Whatever the user's account permits them to do, the code could do, up to and including actions permissible by other unpatched vulnerabilities on the client machine.

    2. Re:Internet Explorer based exploit by palegray.net · · Score: 4, Funny

      Origami plugin? Does it fold your keyboard into a three dimensional swan? Surely you meant the Aurigma ImageUploader plugin.

    3. Re:Internet Explorer based exploit by palegray.net · · Score: 5, Interesting

      The ActiveX control doesn't come with IE; it's hosted on the servers that provide the social networking service and loaded into your browser when you elect to upload an image to your profile. What I find really interesting is the date this vulnerability was first published: 02/04/2008 11:26:53 AM

    4. Re:Internet Explorer based exploit by palegray.net · · Score: 2, Insightful

      Maybe so, but Facebook wins at helping ambitious young "entrepreneurs" add Facebook users' computers to wonderful distributed computing networks. Unfortunately, these networks aren't exactly devoted to curing cancer...

  2. HEY! by Corpuscavernosa · · Score: 5, Funny

    Check out this AWESOME site! They're giving away all these FREE ringtones!!! I don't even know how they do it!!!

    (received as a comment on my page this morning)

    --
    We figured out a long time ago that it's easier to elect seven judges than to elect 132 legislators.

    1. Re:HEY! by Corpuscavernosa · · Score: 5, Informative

      Noticing my offtopic mod, perhaps I didn't tailor my comment quite properly. There is rampant hacking of accounts for phishing and advertising purposes. One account will get hacked, then using that account, the hacker then sends out bulletins (mass emails to all friends) or comments saying to "click here" for numerous purposes including hacking future sites to send out more ads. When clicking on these sent out comments or bulletins, there will often be a phishing page where it looks like the user has logged out and needs to re-enter login and password info. Additionally, the unwitting 14-year-old gives out his/her cell phone number and unknowingly signs up for a ringtone plan that is charged to their cell phone bill, usually to the tune of $30/month.

      The hacks are pretty interesting as they are socially viral and not necessarily driven by software or the transmission of a virus.

      Maybe I need to RTFA, but this type of hacking has got to be the most prevalent type on Myspace.

      --
      We figured out a long time ago that it's easier to elect seven judges than to elect 132 legislators.

  3. "Legitimate" businesses target young people too. by gnutoo · · Score: 5, Insightful

    Cable, telco and banks and apparel vendors all have young people in their sites. Predatory lending credit cards, special internet "deals" with students and massive advertising budgets that should make the companies involved blush, are aimed at people ages 14 to 25.

    Why? because that's where the money is.

    Why do the thieves use ActiveX exploits? Because they can.

    Sheep, meet Mr. Slaughter. Mr. Slaughter .... gross!

  4. A Troll's Dream by Anonymous Coward · · Score: 5, Funny

    Oh man, a slashbot troll's dream -- do I start ranting about myspace and their userbase or do I start ranting about activex?

    1. Re:A Troll's Dream by badboy_tw2002 · · Score: 5, Funny

      Tie them into a rant about hacker != cracker and you've got a troll triple word score!

    2. Re:A Troll's Dream by vux984 · · Score: 2

      Mod parent awesome.

      Not only did he invoke one of the slashdot holy wars to complete his trifecta, but managed to quietly work in an IP controversy by referencing scrabble/scrabulous which itself is just the result of the buzz surrounding an app on a social networking site like facebook/myspace thereby completing a circular reference and ending up exactly where we started.

      At the very least he should get 50 bonus points for using all his letters! :)

      (And if you look closely, so did I.)

  5. Re:Just what kids on Myspace and Facebook need... by Corpuscavernosa · · Score: 4, Funny

    Unlike some sites I visit regularly, I've never been goatse-ed on Myspace... :)

    --
    We figured out a long time ago that it's easier to elect seven judges than to elect 132 legislators.

  6. That... by MikeRT · · Score: 4, Insightful

    And with the way that people spew out personal information on Facebook and MySpace, they probably figure that if they get it just right, there's the potential to hit the motherload of information for identity theft.

    1. Re:That... by palegray.net · · Score: 5, Interesting

      Given the fact that it's a client-side issue, it's far more likely the attackers are looking to achieve two goals with this sort of exploit:

      1. Turn the client computer into a zombie, which participates in the attacker's efforts to spew out spam and scan networks for machines vulnerable to other exploits.

      2. Scan the user's local machine and any network shares for "interesting" data that might be used to compromise financial institution accounts.

      3. Capture login information on the local machine and relay it to the attacker.

      The contents of the user's MySpace or Facebook profile information probably ranks rather low on the list of useful information.

    2. Re:That... by Orion Blastar · · Score: 4, Insightful

      Read the article, it was the image uploading ActiveX control that got exploited. Chances are that people who uploaded images recently and ran Internet Explorer that used the ActiveX control might have gotten their password and personal information stolen. Those Windows users who use Firefox should know that Firefox does not support ActiveX controls unless the user installed an ActiveX Plugin that allows limited ActiveX controls to be used. If the user did not install the ActiveX Plugin, I seriously doubt they got hit with this exploit if they used Firefox.

      Linux, Macintosh, BSD Unix, and non-Windows systems do not support ActiveX controls anyway, so it is mostly Windows systems that are affected by the exploit, and only Windows users who use Internet Explorer and not those who use Firefox.

      I am guessing that a lot of 12 to 24 year olds that have their own credit card or their parent's credit card or bank account or somehow work and have their own bank account are the ones targeted by this, as people aged 12 to 24 are most likely to use Windows with Internet Explorer and not know about the exploits out there, and just surf and click on anything they want.

      A lot of family members and friends have children aged within that range who use their family's computer and after it gets so infected with malware that they cannot use it, they call me to come over and fix it for them. Nope, Linux, BSD Unix, or switching to a Mac is not an option for them, in some cases I switched them to Linux only to have them make me switch them back to Windows because certain web sites only work with Internet Explorer, or certain games they bought won't run under WINE or they have no idea how to configure WINE to run them for them. Dual-Booting just confuses them more, as does running Windows in a virtual machine. If they bought a Mac, a few weeks later they'd tell me to remove OSX off it and put Windows on it. So basically, they stick to Windows and Internet Explorer, even if I install Firefox for them. Also I install the Google Pack with StarOffice, but of course they want MS-Office instead because their friends and co-workers don't know how to open up ODT open text format documents, and they keep forgetting to "Save As" into MS-Word 97-2002 Format so their coworkers and friends can read their documents.

      --
      Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.

    3. Re:That... by palegray.net · · Score: 2, Insightful

      "Chances are that people who uploaded images recently and ran Internet Explorer that used the ActiveX control might have gotten their password and personal information stolen."

      For the love of Pete, it's a remote code execution vulnerability. We're talking about a lot more than a user's MySpace password getting lifted. Why couldn't the submitter be bothered to provide a link that actually describes the issue in detail, instead of just a sensationalist news article that gives virtually no technical information?

  7. Hackers? by InvisblePinkUnicorn · · Score: 3, Funny

    Hackers? I remember hacky sacks from when I was a kid! Are these the same thing? *clicks link to find out*

  8. Re:Just what kids on Myspace and Facebook need... by themushroom · · Score: 5, Funny

    Is a goatse different than puckering, making a faux 'thoughtful' face with hand on chin, and making a gang-style hand sign that means nothing a dozen times into the webcam with poor lighting in the photo gallery?

    I can't really tell the difference.

  9. so what you are saying is.... by timmarhy · · Score: 2

    ... dumb people shouldn't have the internets?

    --
    If you mod me down, I will become more powerful than you can imagine....

    1. Re:so what you are saying is.... by webmaster404 · · Score: 2, Insightful

      No, dumb people shouldn't use an insecure browser such as IE. Really, just using Firefox takes your threats down by a good 75% even if you are using Windows.

      --
      There is no "disagree" moderation, and troll, flamebait and overrated are not valid substitutes

    2. Re:so what you are saying is.... by timmarhy · · Score: 2, Funny

      60% of all statistics are made up, everyone knows that, Kent

      --
      If you mod me down, I will become more powerful than you can imagine....

  10. Re:"Legitimate" businesses target young people too by palegray.net · · Score: 2, Insightful

    "young people in their sites"

    The word you were looking for is "sights" :). All improper usage aside, while I don't disagree with the sentiment of your post, it's important to note that the style of exploitation being discussed differs in that it's highly illegal and completely indiscriminate in nature. It's also more than likely that the sources of these attacks are individuals operating from jurisdictions outside the reach of U.S. law enforcement, which makes punishing the offenders sort of difficult.

    Do your friends and family a favor: educate them on the inherent risks present in the software applications they use on a daily basis. Computer security starts with the user acting in a responsible manner to secure his/her system. If securing the system proves too difficult or time-consuming, maybe it's time to try a different system.

  11. Re:"Legitimate" businesses target young people too by slater86 · · Score: 2, Insightful

    We're not exactly talking about the most sophisticated users on these sites. Why wouldn't they prey on the obviously easy targets?

    --
    When people ask if I'm an optimist, I say "I hope so". --Bill Bailey

  12. Re:Just what kids on Myspace and Facebook need... by palegray.net · · Score: 3, Informative

    Not really much threat of goatse images, but a significant threat of arbitrary remote code execution for Windows users.

  13. Re:Just what kids on Myspace and Facebook need... by Brian Gordon · · Score: 5, Funny

    I've had seven different passwords and they've got them all so far.

  14. Re:In other words.. by palegray.net · · Score: 5, Informative

    In other words, social networking website users are more prone to social engineering attacks. While your comment may be a nifty play on words, if you're going to use the term "social engineering," you really ought to use it in the right context. This is a system vulnerability attack, not to be confused with social engineering attacks. Somewhere Kevin Mitnick is frowning.

  15. Facebook rolled out a fix quickly by steveha · · Score: 2, Informative

    Facebook reacted quickly when the news broke. I'm not sure why this is a story now.

    http://secwatch.org/advisories/1020254/

    steveha

    --
    lf(1): it's like ls(1) but sorts filenames by extension, tersely

  16. Re:Just what kids on Myspace and Facebook need... by Anonymous Coward · · Score: 2, Informative

    Then obviously you need a bigger dog.

  17. Re:This is going to sound harsh, but.. by Orion Blastar · · Score: 2, Insightful

    That is the way that a majority of people on this planet are. They don't learn from their own choices/actions and keep making the same choices/actions over and over again, and people like me have to clean up after them. That is the way my jobs have been for the past thirty years, each computer job I had to clean up after someone else's mess. I had to debug code that makes no sense much less won't compile without errors, into something that actually works and doesn't crash systems within a week or two. No flowcharts, no documentation, hardly any help from anyone, no support from management. Either do it or get fired. Management usually had no idea how programs work, and mostly hire the people they like instead of those qualified for the job. Then the other programmers take smoke breaks to light up a joint, write sloppy code as a result, and then the managers hand it over to me to fix it and make it work. But the stoners get the pay raises and promotions and work with new projects while I get stuck on the "legacy" work. When I worked as a technician, before I was a programmer, people would mess up their own computers mostly by not shutting them down before powering them off, or installing some software neither the company nor employee owns but it damages the system in some way.

    I ran two computer companies, and you'd think that people always having problems by using their computers improperly would make more money than a Ghostbusters business in getting rid of ghosts would. But people tend not to pay their bills after you fix their systems, and make the same bad choices/actions as they did before and get infected again. My fault for not having a credit card machine and being nice and offering credit and no terms and pay when you have the money, etc.

    Life is like that, a majority of the people in the USA make bad choices/actions. They don't save money for retirement, have unprotected sex with multiple partners and get STDs and AIDS as a result, eat fast food like there is no tomorrow and wonder why they are overweight, do more drugs than Cheech and Chong and wonder why they are so sick as a result, ignore their children and don't raise them right and wonder why they grow up to be sociopaths and do school shootings or end up in a gang, but someone has to fix all of that. The rest of the world is no different. People just don't take responsibility for their choices and actions anymore, and just blame someone else. They act as if George W. Bush ruined their career, made them sick, etc but ignore that it was their own choices/actions that made them the way they are and George W. Bush had nothing to do with 20, 30, 40, years of their own stupidity. In fact we elected a scape-goat instead of a President every four years anyway. Someone to blame for when things go wrong.

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.

  18. Not just client-side ActiveX issues on Facebook by StuffedFrogYK · · Score: 4, Insightful

    May I mention that hacking Facebook takes no real effort? Simply manipulating a browser's client side input forms (using Firebug, maybe) allows one to post to any Superwall (Faceboo application) whether you are the person's friend or not. Anonymous attakers could put links posing as coming from people's friends on the people's Superwalls. Reasoning: If it comes from my friend, it must be good and safe. The click-rate becomes much higher, and an attacker has just used a form of social engineering to lead people to a malware site. Most applications are not built with security in mind. They just (fatally) assume that the end user would never do such a thing. Dream on, app developers!