Slashdot Mirror


Researchers Build Malicious Facebook App

narramissic writes "Back in January, a team of researchers uploaded a malicious program to Facebook to demonstrate the possible dangers of social networking applications. Called 'Photo of the Day,' the app serves up a new National Geographic photo daily, but every time it's clicked it sends a 600 K-byte HTTP request for images to a victim's Web site. Photo of the Day is still listed on Facebook, with its authorship attributed to Andreas Makridakis, one of the researchers. The application has 514 active users now, with several comments praising it. The study was published by the Foundation for Research and Technology in Heraklion, Greece, and the Institute for Infocomm Research in Singapore."
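The summary describes an application-layer flood in which every viewer of a third-party app page fetches a large resource from the victim's site. The following Python is an added example, not from the story or the researchers, showing how a site operator could spot that traffic shape in ordinary combined-format access logs; all hostnames, IPs and log lines are constructed, and `apps.example-social.test` stands in for whatever third-party host is embedding the resource.

```python
"""Detect a third-party page that is driving many distinct clients to fetch
large resources from this server: the traffic shape of the embedded-image
attack described in the story (each viewer's browser fetches ~600 KB from
the victim). Added example, not part of the story or the researchers' code;
the log lines and hostnames below are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format; the constructed sample lines use it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if unparsable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # "-" (no Referer header) has no hostname; label it so it can be skipped.
    rec["referer_host"] = urlsplit(rec["referer"]).hostname or "(none)"
    return rec


def summarize_by_referer(lines):
    """Aggregate requests, bytes served, client IPs and paths per Referer host."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "clients": set(), "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["referer_host"]]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        s["clients"].add(rec["ip"])
        s["paths"].add(rec["path"])
    return stats


def detect_referer_floods(lines, own_hosts, min_clients=3, byte_share=0.5):
    """Flag external Referer hosts that (a) account for at least byte_share of
    all bytes served and (b) arrive from at least min_clients distinct IPs.
    Many distinct clients is what separates an embedded-resource flood from a
    single scraper hammering the site; the large byte share is what makes it
    hurt. Returns {host: summary} for the hosts worth a Referer-based block."""
    stats = summarize_by_referer(lines)
    total_bytes = sum(s["bytes"] for s in stats.values()) or 1
    flagged = {}
    for host, s in stats.items():
        if host == "(none)" or host in own_hosts:
            continue
        share = s["bytes"] / total_bytes
        if share >= byte_share and len(s["clients"]) >= min_clients:
            flagged[host] = {
                "requests": s["requests"],
                "clients": len(s["clients"]),
                "byte_share": round(share, 2),
                "paths": sorted(s["paths"]),
            }
    return flagged


# Constructed sample: normal traffic, one blog hotlinking the image once, and
# five viewers of a third-party app page each pulling the same 600 KB image.
SAMPLE_LOG = [
    '198.51.100.10 - - [05/Sep/2008:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.11 - - [05/Sep/2008:10:00:02 +0000] "GET /about HTTP/1.1" 200 4096 "http://victim.test/" "Mozilla/5.0"',
    '198.51.100.12 - - [05/Sep/2008:10:00:03 +0000] "GET /files/report.pdf HTTP/1.1" 200 1000000 "http://victim.test/about" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Sep/2008:10:00:04 +0000] "GET /images/daily.jpg HTTP/1.1" 200 614400 "http://blog.example.test/post" "Mozilla/5.0"',
] + [
    f'203.0.113.{i} - - [05/Sep/2008:10:00:0{i} +0000] "GET /images/daily.jpg HTTP/1.1" 200 614400 '
    '"http://apps.example-social.test/photo-of-the-day" "Mozilla/5.0"'
    for i in range(1, 6)
]

if __name__ == "__main__":
    for host, info in detect_referer_floods(SAMPLE_LOG, {"victim.test"}).items():
        print(f"{host}: {info['clients']} clients, {info['byte_share']:.0%} of bytes, paths {info['paths']}")
```

On the sample data only the app host is flagged: the blog hotlink is a single client and a small share, which is the distinction a Referer-based block rule should respect.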

116 comments

  1. This one's for Bugmenot! by Legion_SB · · Score: 4, Funny

    Attack!!

    --
    'a';DROP TABLE users; SELECT * FROM DATA WHERE name LIKE '%'... if you're reading this, it didn't work.
    1. Re:This one's for Bugmenot! by solitas · · Score: 1

      Yeah, good! If they call it "bugmenot" then facebook users won't be able to tell/warn OTHER facebook users about it.

      http://tech.slashdot.org/article.pl?sid=08/09/05/1741207

      --
      "It's time to take life by the cans." ~ Bender ("Bendin' in the Wind", ep. 3-13)
    2. Re:This one's for Bugmenot! by JackieBrown · · Score: 1

      Did you really feel the need to explain the joke?

      Both stories are on the front page!

    3. Re:This one's for Bugmenot! by Adambomb · · Score: 1

      Users read the stories here?

      Jebus, I've been way off in my understanding of the place.

      --
      Ice Cream has no bones.
  2. print this page by A+little+Frenchie · · Score: 2, Informative
  3. I don't think I'm the first to say this but... by Anonymous Coward · · Score: 0

    Duh.

    Facebook applications are a nightmare, in my mind.

    1. Re:I don't think I'm the first to say this but... by Captain+Splendid · · Score: 3, Funny

      Facebook applications are a nightmare, in my mind.

      Good thing, then, that in reality, they're for the most part fun and useful!

      --
      Linux, you magnificent bastard, I read the fucking manual!
    2. Re:I don't think I'm the first to say this but... by NotBornYesterday · · Score: 1

      Bah. Other than the 600kb request, how much different is this than a good slashdotting?

      --
      I prefer rogues to imbeciles because they sometimes take a rest.
    3. Re:I don't think I'm the first to say this but... by hangareighteen · · Score: 1

      Mr. Izzard?

    4. Re:I don't think I'm the first to say this but... by Anonymous Coward · · Score: 1, Funny

      Other than that, Mrs. Lincoln, how did you enjoy the play?

    5. Re:I don't think I'm the first to say this but... by mini+me · · Score: 1

      The Facebook API had so much potential, but all the junk applications have made it impossible to weed out the bad applications from the good ones, ultimately giving all Facebook applications a bad rap.

  4. Researchers! by goose-incarnated · · Score: 2, Funny

    Is there anything we cannot do?

    "Here, grab your ankles, this won't hurt a little bit"

    (That is a 100% truthful statement)

    --
    I'm a minority race. Save your vitriol for white people.
    1. Re:Researchers! by mysidia · · Score: 1, Interesting

      Heh. Researchers experiment with anything malicious they want in the name of research, and publish their findings widely for the bad guys to consume.

      With the tenuous justification "the bad guys would have surely come up with this already"

      I'll accept the bad guys find these things out on their own, eventually too. But there are massive numbers of full-time researchers and few full-time bad guys.

      Plus not that many bad guys will think of X attack; at least not until there are news articles or a fad, other well-known bad apps to mimic.

      The "researchers" are helping, providing inspiration, and guidance to would-be part-time bad guys.

      If the wannabe-bad-guys thought of using a facebook application to attack a third party before, now they most certainly have been inspired by this "research" and are diligently racing, trying to be the first to take real advantage of the weakness!

      When will we as a society stop giving positive recognition of any of these teams of "researchers" who do things that are trivial (but inspire bad guys) and paper news services with press releases?

      I expect researchers to concentrate on the harder task of how to harden things and make them more secure.

      Merely pointing out how horribly insecure things are is destructive not constructive.

      Sorry, but it was pretty obvious to people familiar with Facebook apps and computer security that this weakness existed.

      Nothing novel or valuable has really been found here; except things that should have been reported to the site admins to be fixed.

      The researchers did valuable work, but it's clear that the worldwide security threat of releasing the information to third parties is greater.

    2. Re:Researchers! by goose-incarnated · · Score: 3, Insightful

      Your points have been duly noted.

      *pulls keyboard closer*

      However, I feel, very strongly, that when one is willing to acknowledge "The researchers did valuable work", then all those points fall away.

      As far as most research work goes (and it makes no difference whether you're in Marine Biology or Description Logics), all we do is publish what we find. Our most used sentence is "Nobody told me I had to find a solution as well". Most of research is simply discovering new problems for others to solve.

      (ps, ignore misspellings/errors in this post, Parents came to visit and brought a full bottle of single-malt whiskey, and am pleasantly drunk right now :-))

      --
      I'm a minority race. Save your vitriol for white people.
    3. Re:Researchers! by fictionpuss · · Score: 3, Insightful

      Is this sarcasm which is going over my head?

      there are massive numbers of full-time researchers and few full-time bad guys.

      Do you have any figures/research for this or is it opinion?

      The "researchers" are helping, providing inspiration, and guidance to would-be part-time bad guys.

      The bad guys who will continue to go on and sell their exploits on international markets? So, the monetary motivation is nothing compared to the motivation generated by researchers?

      Exploits exist. Bad guys have a motivation to find them and keep them secret. Without researchers in the field, the good guys would never be able to fix the exploits.

      What about coming up with a better solution before panning the current situation which seems to work quite well? Do you work in the security field at all?

      Also, Slashdot supports paragraphs.

    4. Re:Researchers! by maxume · · Score: 1

      Obviously you have never anally raped goatse guy.

      --
      Nerd rage is the funniest rage.
    5. Re:Researchers! by goose-incarnated · · Score: 1

      And you've obviously never seen some of these research grants. How do you think the goatse guy got that way in the first place?

      --
      I'm a minority race. Save your vitriol for white people.
    6. Re:Researchers! by Anonymous Coward · · Score: 0

      Practice, practice, practice!

    7. Re:Researchers! by mysidia · · Score: 3, Interesting

      I'll concede there are financial motives for crackers to attempt to compromise systems.

      But many, perhaps most crackers who would have that motive alone, are not successful. The financial motive is outweighed unless there is a means or method; unless they think they can succeed with a certain attack. If they find howtos/recipe books online or detailed publications of weaknesses that have not been addressed they are likely to find motive and find significant advantage and success in exploiting that problem and gaining the financial incentive.

      I base this on the existence of Fortune-100 companies whose reason for existence is to deliver security solutions, and have multi-billion$ security budgets to that effect.

      Companies like Symantec and F-Secure are public. Their staffing and other financial records are available for inspection; look up their annual reports to see massive spending & staffing in research; there can be no doubts there. Script kiddies are secretive, and their exact number and records are not available for inspection.

      I'll concede there is financial motive to compromise security. Both for criminal crackers and for non-criminal researchers. But the motive should be much larger for researchers to constantly find new ways to compromise security.

      As long as the old ways continue to work perfectly fine; crackers can still satisfy their greed.

      Security researchers on the other hand, by definition cannot merely re-discover the same attacks over and over again, they'll lose their funding.

      Some crackers will be searching for new bugs, the bulk of them do not need to, they'll just wait until a new exploit is eventually published by a researcher, or they can try to buy it. In either case, the research by a third party is what spreads the 'hack' into use.

      People still download and run programs they shouldn't. People still download and run attachments they shouldn't, despite all warnings. Crackers don't have to be creative to try to get the financial incentive. They just have to use information and tools that are all publicly available now.

      I don't think it's all that difficult to make useful but dangerous research information available to the security concerned while making it hard for all except the truly dedicated crackers.

      Tighter publication restraints should help; such as not posting full text online, for free. A $1 or $2 nominal fee for access would generally reduce digestion by the general public, and teenagers without credit card access, who may lack judgement to limit use of security info to responsible purposes.

      An additional aid may be an NDA consumers of publications have to accept to see sensitive research that describes exploits when the exploit affects many people and sites at the time of publication.

      Not to mention.. for-fee articles help cover research costs....

      Both fortunately and unfortunately, the unhampered public posting means anyone who searches for the right keywords will see it.

    8. Re:Researchers! by goose-incarnated · · Score: 1

      Or "grants grants grants" :-)

      --
      I'm a minority race. Save your vitriol for white people.
    9. Re:Researchers! by bluefoxlucid · · Score: 1

      If they find howtos/recipe books online or detailed publications of weaknesses that have not been addressed they are likely to find motive and find significant advantage and success in exploiting that problem and gaining the financial incentive.

      WRONG.

      Your secret, unpublished exploits work extremely well because we can't catch them with an IDS. Shit we know about we can see.

      It's like if you know there's a cave that leads directly under a military base. You have to dig up from inside the cave to surface, there's no way out into the base; but it does go under the base, and it's down about 6 feet.

      Tell the base commander, and he probably won't post guard. It's more advantageous to not worry about it. Run a report about egregious failings in base security, guards are there 5 minutes after you release the report. Enemies would be there, but they'd be the ones that would attack the front gate anyway because as soon as they show up their covert attack gets discovered and we send back-up to wipe 'em out. The advantage of using that attack venue is lost.

    10. Re:Researchers! by mysidia · · Score: 2, Interesting

      An IDS is a failsafe, last line of defense, and only ever sure to work against a small category of pre-packaged attacks.

      Pattern matching cannot detect the exploit of all types of weaknesses.

      Not all types of weaknesses have a set string or sequence of bits you can reliably search for and ID an attack.

      Generally IDS rules are specific to the most common attack, not the weakness.

      The cracker that wants to evade your IDS and knows how to evade an IDS is likely to be successful.

      E.g. if there is a buffer overflow, it is common for an IDS to look for common shellcode patterns. IDS is unlikely to be able to perform a stateful examination of all the application protocols including fragment assembly and actually detect the overflow condition.

      There is this problem that the overflow has occurred already, and chances are the application is already running the malicious code, just as your IDS is detecting it and starting to alert you.

    11. Re:Researchers! by fictionpuss · · Score: 3, Interesting

      Word is that there are several dozen zero-day Linux kernel exploits on the blackhat market right now. For what it's worth that's anecdotal, but even if that figure is exaggerated, the blackhats are still outpowering the whitehats in either number or technical ability.

      If they didn't then they wouldn't exist.

      I'm not going to be able to respond to you point-by-point because of a rather general lack of coherence, so I'm going to pick and choose:

      Companies like Symantec and F-Secure are public. Their staffing and other financial records are available for inspection; lookup their annual reports to see massive spending&staffing in research; there can be no doubts there.

      My impression was that the R&D was spent on things like Vista compatibility and defending their own protection programs from being disabled as part of the exploit.

      I've never heard of one case of an anti-virus company proactively researching a vulnerability and patching it. There wouldn't seem to be much of a business model to create from that. But if I'm wrong then there should be plenty of evidence - why would they spend the R&D that you mention, and not publicise its positive effects?

      Some crackers will be searching for new bugs, the bulk of them do not need to, they'll just wait until a new exploit is eventually published by a researcher, or they can try to buy it. In either case, the research by a third party is what spreads the 'hack' into use.

      At least in the Linux world, vulnerabilities, once published, tend to have fixes out pretty darn quickly. This is not a winning strategy for a blackhat.

      Also - a researcher who sells to blackhats, is a blackhat by definition.

      I don't think it's all that difficult to make useful but dangerous research information available to the security concerned while making it hard for all except the truly dedicated crackers.

      You seem to be describing exactly what happened with the recent DNS server vulnerability?

      A $1 or $2 nominal fee for access would generally reduce digestion by the general public, and teenagers without credit card access

      Blackhats are not terribly concerned about copyright infringement. If they didn't hack the server silently to get past the $1 or $2 fee, then they'd use someone else's credit card info.

      Once one copy is made, then the information is available on the blackhat market anyway, except the whitehats have a harder time getting to it.

      Both fortunately and unfortunately, the unhampered public posting means anyone who searches for the right keywords will see it.

      Blackhats aren't idly spending their days typing "latest exploit info" into Google. They have their own information market spaces, and they are skilled and efficient at what they do.

      Everything you describe which makes it harder for whitehats is to the benefit of blackhats.

    12. Re:Researchers! by Anonymous Coward · · Score: 0

      What good would a Kernel exploit do? Most kernel exploits you need to have shell access to make use of. Just because there are fixes out quick doesn't mean people use them. If you have ever been privy to the computer underground I think you would understand that there are far fewer people out there with skills to write exploits than you think.

    13. Re:Researchers! by fictionpuss · · Score: 1

      I'm not concerned about other people not updating against exploits - I'm concerned about my updated machine falling victim to a malformed ping packet which no whitehat knows about yet.

      If the opinions held by 'mysidia' ever gained more traction, the chances of that exploit being discovered by whitehats would decrease proportionally.

      An AC blithely inferring personal experience of "the computer underground", doesn't carry as much weight as you seem to wish it does.

    14. Re:Researchers! by mysidia · · Score: 1

      Once one copy is made, then the information is available on the blackhat market anyway, except the whitehats have a harder time getting to it.

      Responsible researchers should always provide their exploit information and security vulnerability information to the affected vendor directly, either at the time of publication or preferably prior to it.

      In other words: availability of patches should be unaffected.

      The Linux kernel group should provide a contact for security issues that will be dealt with in whatever manner the kernel hackers prefer to deal with such security issues.

      If they wish to encourage release of the full details to the public, to spread awareness, after they make a patch available, it's their prerogative to do so as maintainer of the software.

      My impression was that the R&D was spent on things like Vista compatibility and defending their own protection programs from being disabled as part of the exploit.

      And back in 2005, before Vista came out? Creating defenses to avoid protection programs from being disabled is security research.

      AV Makers also research malware in the wild in order to analyze its attack methods.

      There are also large companies that develop Firewalls and IDS systems, that conduct research to attempt to detect and stop exploitations using both known and unknown vulnerabilities.

      A weakness that allows someone else's custom-made website to be abused as a DoS tool is very different from a vulnerability in open source software that can run arbitrary code.

      A vulnerability in closed source software is very different from a vulnerability in the open source software.

      The bug in the open source software is likely to be discovered by many developers who read the source code.

      The bug in the closed source software is likely to be discovered only by chance. Just because a researcher finds a certain vulnerability in closed source software they are able to exploit does not mean they put any dent whatsoever in the remaining vulnerabilities to be found.

      In fact, the release of information will give the blackhats hints about where to possibly search for similar vulnerabilities around the same part of the code in the future.

      (Patches by proprietary software vendors periodically do not fully address the issue, even if they break the proof-of-concept attack, and may be followed up in later months by further fixes)

    15. Re:Researchers! by fictionpuss · · Score: 1

      This reads like an LSD-spiked stream of consciousness. What is your actual point?

      For example - you're now arguing that Symantec fixing the security flaws it created in its own products is an example of your original proposition that there are more whitehats than blackhats? If you're part of the problem while marketing yourself as part of the solution, then your hat is pretty grey to my eyes.

      I also have a problem with your "Experts in the field should do X because of (vague generalisation)" argument style.

    16. Re:Researchers! by orangesquid · · Score: 1

      "Most of research is simply discovering new problems for others to solve." -- A very important point. In fact, research that uncovers a problem but not a solution is an exciting opportunity for all related researchers in the field, because there is now one more problem to study.

      "Nobody told me I had to find a solution as well." Hmm. If you look at research into pure math, it would be an unfortunate situation indeed if you could not publish until you had worked out a complete solution. Consider the age-old problem of the distribution of the primes...

      unrelated notes:
      "Parents came to visit and brought a full bottle of single-malt whiskey" -- umm, so, when are your parents going to visit my apartment? give me an e-mail address and I'll send a list of what I like ;)
      "Classical gas simplified for beginners [youtube.com]" -- What kind of 'classical gas' are we talking about? You know, even 'ideal gas' has pitfalls as an ambiguous phrase...

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    17. Re:Researchers! by bluefoxlucid · · Score: 1

      E.g. if there is a buffer overflow, it is common for an IDS to look for common shellcode patterns. IDS is unlikely to be able to perform a stateful examination of all the application protocols including fragment assembly and actually detect the overflow condition.

      Snort does fragment assembly and stateful examination. OSSIM uses numerous systems for pattern, signature, and behavioral analysis to determine if a system is currently under attack or compromised. This means it will detect an odd network condition it's not familiar with (no attack signatures or patterns) targeting a specific host and say, "Hey this shit might be under attack!" It will see a host launch a known attack or suddenly start making connections all over the place (i.e. a file server making connections to something other than a back-up server it usually does) and decide it's probably compromised, even if it never noticed it was under attack.

  5. social networking considered harmful by suck_burners_rice · · Score: 5, Funny

    First of all, let's get something straight. Social networking is a BAD idea. Especially the sort of social networking that takes place at bars, clubs, parties, etc. The only safe place in the world is safe and sound all by your lonesome in your parents' basement.

    --
    McCain/Palin '08. Now THAT's hope and change!
    1. Re:social networking considered harmful by Bieeanda · · Score: 2, Funny
      Oh good, I'm already there.

      Can I order hot pockets over the Internet?

    2. Re:social networking considered harmful by goose-incarnated · · Score: 5, Funny

      The only safe place in the world is safe and sound all by your lonesome in your parents' basement.

      Here in SA I've got 14cm hunter spiders in my parents' basement! Seriously. These things have garden snakes for breakfast, so don't fucking tell me how safe my parents' basement is - I only go in there with a team of sherpas and a pack of wolves.

      On the plus side, we've very few snakes left.

      --
      I'm a minority race. Save your vitriol for white people.
    3. Re:social networking considered harmful by Anonymous Coward · · Score: 3, Funny

      Not my parents' basement... It is pitch black. You are likely to be eaten by a grue.

    4. Re:social networking considered harmful by Anonymous Coward · · Score: 0

      First of all, let's get something straight. Social networking is a BAD idea. Especially the sort of social networking that takes place at bars, clubs, parties, etc. The only safe place in the world is safe and sound all by your lonesome in your parents' basement.

      Insightful? I must be reading Slashdot!

    5. Re:social networking considered harmful by Brynath · · Score: 2, Interesting

      no but you can order a "Bucket o'food" for $75 that will give you 275 "meals"

    6. Re:social networking considered harmful by Anonymous Coward · · Score: 1, Funny

      The only safe place in the world is safe and sound all by your lonesome in your parents' basement.

      Radon. Carbon Monoxide. Mr. Muggles.

      Nope, you're fucked.

    7. Re:social networking considered harmful by somersault · · Score: 4, Funny

      It's not a basement, it's a command centre

      --
      which is totally what she said
    8. Re:social networking considered harmful by sphealey · · Score: 1

      > On the plus side, we've very few snakes left.

      Unfortunately, we depend on the snakes to keep the rats under control.

      sPh

    9. Re:social networking considered harmful by Surt · · Score: 5, Funny

      There's a guy a few posts up with some hunter spiders that will take care of that grue for you.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    10. Re:social networking considered harmful by goose-incarnated · · Score: 1

      The spiders do that as well. Bloody hell, they would get mistaken for tarantulas, only tarantulas are not that aggressive or large.

      Welcome to South Africa, have a nice day, oh, and by the way, stay away from anything furry with eight legs and a social problem.

      --
      I'm a minority race. Save your vitriol for white people.
    11. Re:social networking considered harmful by R2.0 · · Score: 0

      "It's not a basement, it's a command centre"

      I believe the word you are looking for is "bunker". Or, in England, "bunkre".

      --
      "As God is my witness, I thought turkeys could fly." A. Carlson
    12. Re:social networking considered harmful by somersault · · Score: 1

      Actually it's bunker in the UK as well o_0. I was actually quoting from Die Hard 4.0, or in the US, "Live Free or Die Hard".

      --
      which is totally what she said
    13. Re:social networking considered harmful by Anonymous Coward · · Score: 0

      Woosh.

    14. Re:social networking considered harmful by ksd1337 · · Score: 1

      I've got some sharks with lasers on their forehead to take care of those hunter spiders.

    15. Re:social networking considered harmful by cyberstealth1024 · · Score: 1

      I've seen those spiders. The sharks with lasers have got nothing on those spiders. Hope you have a nice insurance policy for the sharks!

    16. Re:social networking considered harmful by techno-vampire · · Score: 1
      The only safe place in the world is safe and sound all by your lonesome in your parents' basement.

      My parents' house doesn't have a basement, you insensitive clod! I'm stuck in the den!

      --
      Good, inexpensive web hosting
    17. Re:social networking considered harmful by Anonymous Coward · · Score: 0

      I'm sure the sharks with lasers will do, unless those are laser spiders, then the sharks have no hope.

    18. Re:social networking considered harmful by elgatozorbas · · Score: 1

      Why the f*ck is this rated insightful? "Funny" doesn't render karma, but "underrated" also exists. Smothering your personal info all over the place might be a bad idea, but doing so in a bar is infinitely less dangerous than doing it on the www where every future employer/mother in law can find you back years later.

    19. Re:social networking considered harmful by Surt · · Score: 1

      I believe the british version is 'bukkake' not 'bunkre'.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    20. Re:social networking considered harmful by suck_burners_rice · · Score: 1

      Smothering your personal info all over the place might be a bad idea, but doing so in a bar is infinitely less dangerous than doing it on the www where every future employer/mother in law can find you back years later.

      Which is why I'm gonna write a book, for which I haven't made up the title yet, about an underground gang of 1337z h4x0rz who, for a high fee, of course, hack into all kinds of social networking sites and whatnot and fix people's information. So that girl who had some revealing pictures taken can have them mysteriously disappear. That dude who wrote a bunch of anti-country stuff and later grew up and decided to run for office can have that text changed to something a bit more appropriate, etc.

      --
      McCain/Palin '08. Now THAT's hope and change!
    21. Re:social networking considered harmful by MiniMike · · Score: 1

      Right. Prepare to have spiders with lasers on their forehead (and nice sharkskin boots on all eight feet).

    22. Re:social networking considered harmful by registrar · · Score: 1

      I don't think there's any doubt that facebook is a malicious app. Maybe the world is too...

    23. Re:social networking considered harmful by kramulous · · Score: 1

      Sick! Tell me there are black choppers to get them into secure data centres ... located in exotic countries on mountain tops?

      --
      .
    24. Re:social networking considered harmful by kramulous · · Score: 1

      But ... but .. we've got some dangerous critters as well! Our jellyfish are considered badarse! They don't even need lasers. They're more touchy-feely. Much worse in a basement. One full of sea water that is.

      --
      .
    25. Re:social networking considered harmful by Jeff+DeMaagd · · Score: 1

      If it uses the British spelling, it must be good!

    26. Re:social networking considered harmful by TheLink · · Score: 1

      So let me get this right, Natalie Portman would be petrified in your parents' basement?

      --
    27. Re:social networking considered harmful by Hal_Porter · · Score: 1

      I love this comment

      Why not just cut the bullshit, mix it all together and label it "Bachelor Chow"?

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    28. Re:social networking considered harmful by crossmr · · Score: 1

      Just log in to Everquest and type /hotpockets

    29. Re:social networking considered harmful by somersault · · Score: 1

      You're damn right "whoosh". Either it's a random quote for something I don't know, or it's just an unfunny (to me) reference to spelling differences. It's you guys that fuck with the spellings, not us ;)

      --
      which is totally what she said
    30. Re:social networking considered harmful by MPAB · · Score: 1

      On the plus side, we've very few snakes left.

      We could let your spiders loose on planes!

    31. Re:social networking considered harmful by MPAB · · Score: 1

      And a beowulf cluster of those!

    32. Re:social networking considered harmful by Cruciform · · Score: 1

      Absolutely.
      I just need your credit card info and that handy little PIN on the back.
      30 minute delivery guaranteed!

      Would you like to order anything else from our Nigerian menu?

    33. Re:social networking considered harmful by BotnetZombie · · Score: 1

      Umm, I'd rather not go there. My parents' basement is sometimes called the Sun's Secret Layer. You don't want to DDOS that!

    34. Re:social networking considered harmful by somersault · · Score: 1

      Being British, I have to concur :)

      --
      which is totally what she said
    35. Re:social networking considered harmful by elgatozorbas · · Score: 1

      Nice idea. What's more likely: being a super high-profile dude that agents are sent upon, or not getting a job because your potential employer found pictures of you binge drinking?

  6. BFD(?) by CWRUisTakingMyMoney · · Score: 5, Insightful

    So, some researchers used Facebook as a singularly inefficient method of DDoSing someone. Anyone who wants a site taken down will use a botnet or something more reliable (and high-volume) than counting on Facebook users to add the latest greatest app of the day. Am I missing something, or is this really not nearly serious enough even to make /.?

    --
    Those who anthropomorphize science and/or nature already believe in an intelligent designer.
    1. Re:BFD(?) by ohxten · · Score: 2, Insightful

      That's why it's here. We don't know. It's up to us geeks to philosophize.

      --
      Need an automatic screenshot taker? Try here.
    2. Re:BFD(?) by BitHive · · Score: 4, Insightful

      No, this is absolutely retarded. This is like saying I've uploaded malicious content to slashdot by telling everyone to click here for free porn where "here" is my victim's website.

    3. Re:BFD(?) by aftk2 · · Score: 4, Funny

      I clicked it. Who else did? Don't be shy!

      --
      concrete5: a cms made for marketing, but strong enough for geeks.
    4. Re:BFD(?) by caffeinemessiah · · Score: 2, Interesting

      So, some researchers used Facebook as a singularly inefficient method of DDoSing someone.

      Agreed. Especially since a user trying to interact with ANYTHING dynamic on a profile page has to CLICK it to enable it. Embed your own "malicious" DDOS flash code into an "application" with some cutesy front end, and have it pull a large NASA image and push it as a form upload to the target site. Basically, once the user clicks your flash/activeX/blaahXY content, you have an array of flash/activeX/blaahXY exploits to exploit.

      Unless of course they figured out a way of activating the dynamic content without the user clicking (this was a hack submitted a while ago as a XSS exploit, local news went nuts about it). Now THAT would be a nice hack, as it would allow the design of apps to counter-stalk (i.e. see who's been viewing your profile).

      --
      An old-timer with old-timey ideas.
    5. Re:BFD(?) by malinha · · Score: 1

      ya, just post the link on slashdot and the users will do the rest, no botnet needed.

    6. Re:BFD(?) by hdon · · Score: 2, Insightful

      I agree 99% with CWRUisTakingMyMoney.

      I have not read the article, but I'd like to point out the possibility that because social networking is a big buzz-word, the experiment is being misrepresented.

      While I don't believe an experiment really proves anything to anyone with a mind of their own, I think we're all way past due to begin thinking about better sandboxing (more precise, efficient, and platform-agnostic) methods for running all the untrustworthy code we do. We ought to have control over how resources of all kinds are allowed to anything we run. It should be trivial to tell your browser what the default outgoing transmission rate for a Facebook app ought to be (but this should not be implemented in the browser -- it should be available for non-web-based software as well) as well as any other resource you can think of.

    7. Re:BFD(?) by Anonymous Coward · · Score: 0

      Okay so how do you get to the porn? I couldn't find it...

    8. Re:BFD(?) by frank_adrian314159 · · Score: 1

      Effin' ripoff! There weren't no porn thar!

      --
      That is all.
    9. Re:BFD(?) by Clandestine_Blaze · · Score: 5, Funny

      You should have linked to Idle, now that's malicious.

    10. Re:BFD(?) by shawn(at)fsu · · Score: 1

      You could explain away the praises too.
      I'm sure there are plenty of people who know it's a hack and gave it praise just to get others to add the app to their page.

      This is a nothing to see here story.

      --
      500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
    11. Re:BFD(?) by PsychoElf · · Score: 1

      Just depends how you look at it! Be creative!

    12. Re:BFD(?) by Anonymous Coward · · Score: 0

      Not me.

      I'm pretty sure the kind of porn hosted on slashdot is the kind I'd wish I could unsee later.

    13. Re:BFD(?) by Firehed · · Score: 1

      There are plenty of apps that actually see some heavy use. As in 50k+ installations, not 500+. Just hotlinking an image could do some pretty heavy damage to most sites, never mind a massive POST request.

      --
      How are sites slashdotted when nobody reads TFAs?
    14. Re:BFD(?) by NotQuiteReal · · Score: 1

      Yeah, first off, the link showed me an ad for the new "Choke" movie. That made me think of choking chickens.

      Then, as luck would have it, I get an ad for more flexible screwing when I hit the reply button. Well, what more do you need to get you going?

      [x] post anonymously

      --
      This issue is a bit more complicated than you think.
    15. Re:BFD(?) by DMUTPeregrine · · Score: 1

      http://www.foobies.com/ has plenty of free porn. Thank Drew Curtis.
      Oh, wait, supposed to ddos a victim. Nevermind then.

      --
      Not a sentence!
    16. Re:BFD(?) by slimjim8094 · · Score: 1

      ERROR
      The requested URL could not be retrieved

      While trying to retrieve the URL: http://it.slashdot.org/%23

      The following error was encountered:

              * Read Error

      The system returned:

              (104) Connection reset by peer

      An error condition occurred while reading data from the network. Please retry your request.

      Damn you!

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    17. Re:BFD(?) by coren2000 · · Score: 1

      I didn't. I don't need the help.

    18. Re:BFD(?) by Hal_Porter · · Score: 1

      That's why it's here. We don't know. It's up to us geeks to philosophize.

      We're like dust in the wind, dude.

      Dust.
      Wind.
      Dude.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    19. Re:BFD(?) by Anonymous Coward · · Score: 0

      So, some researchers used Facebook as a singularly inefficient method of DDoSing someone.

      The first thought that popped into my mind when I read the summary was, "Rube Goldberg hotlinking."

  7. social apps and gadgets by gbh1935 · · Score: 2, Insightful

    There are inherent security risks any time you allow code to be executed on a mammoth scale without some serious security inspection and review.

  8. Yeah, what a fantastic "application." by Anonymous Coward · · Score: 0

    In your FACE, Google!

  9. MOD PARENT UP by Captain+Splendid · · Score: 1

    Parent is correct. This is a PEBKAC problem if I ever saw one. Man, people really will freak out over every little thing, won't they?

    --
    Linux, you magnificent bastard, I read the fucking manual!
  10. Nothing new... by Tmack · · Score: 2, Informative

    I see .swf attack scripts all the time that do the same thing: user clicks to view a .swf, the swf sends a request per second to some other page. Get enough people to click on your "new Flash game" or "sexxy webcam" and you get a DOS (albeit usually weak).

    tm

    --
    Support TBI Research: http://www.raisinhope.org
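Firehed's point about a hotlinked image multiplied by a large install base, and Tmack's point about an embedded script firing once a second, both show up the same way in a victim site's access log: one foreign Referer, one path, and either many distinct clients or one client repeating at an unnatural rate. The detection below is an added example, not code from the thread or from the researchers; the log lines, hostnames and addresses are constructed, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Apache combined log format; hosts and addresses in the sample are constructed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "[^"]*"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["ref_host"] = "" if rec["referer"] == "-" else urlparse(rec["referer"]).netloc.lower()
    return rec

def find_referral_floods(lines, own_hosts, min_clients=3, max_rate_per_client=0.5):
    """Group requests by (foreign Referer host, path) and flag groups where either
    many distinct clients arrive via the same third-party page (hotlinked image in
    a popular app) or one client repeats faster than max_rate_per_client req/s
    (an embedded script firing on a timer). own_hosts are our own hostnames, so
    ordinary same-site navigation is never flagged."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ref_host"] and rec["ref_host"] not in own_hosts:
            groups[(rec["ref_host"], rec["path"])].append(rec)
    flagged = {}
    for key, recs in groups.items():
        by_ip = defaultdict(list)
        for r in recs:
            by_ip[r["ip"]].append(r["ts"])
        hot = []
        for ip, stamps in by_ip.items():
            stamps.sort()
            span = max((stamps[-1] - stamps[0]).total_seconds(), 1.0)
            if len(stamps) > 1 and len(stamps) / span > max_rate_per_client:
                hot.append(ip)
        if len(by_ip) >= min_clients or hot:
            flagged[key] = {"clients": len(by_ip), "requests": len(recs),
                            "bytes": sum(r["size"] for r in recs), "hot_clients": sorted(hot)}
    return flagged

# Constructed sample: four app users hotlink one 600 KB image, one embedded
# script hits a tracking pixel every second, plus ordinary same-site traffic.
SAMPLE_LOG = [
    '198.51.100.1 - - [10/Sep/2008:12:00:00 +0000] "GET /photos/today.jpg HTTP/1.1" 200 614400 "http://apps.socialnet.example/photooftheday/" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Sep/2008:12:00:01 +0000] "GET /photos/today.jpg HTTP/1.1" 200 614400 "http://apps.socialnet.example/photooftheday/" "Mozilla/5.0"',
    '198.51.100.3 - - [10/Sep/2008:12:00:02 +0000] "GET /photos/today.jpg HTTP/1.1" 200 614400 "http://apps.socialnet.example/photooftheday/" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Sep/2008:12:00:03 +0000] "GET /photos/today.jpg HTTP/1.1" 200 614400 "http://apps.socialnet.example/photooftheday/" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Sep/2008:12:00:05 +0000] "GET /ping.gif HTTP/1.1" 200 43 "http://flashgame.example/game.swf" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Sep/2008:12:00:06 +0000] "GET /ping.gif HTTP/1.1" 200 43 "http://flashgame.example/game.swf" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Sep/2008:12:00:07 +0000] "GET /ping.gif HTTP/1.1" 200 43 "http://flashgame.example/game.swf" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Sep/2008:12:00:08 +0000] "GET /ping.gif HTTP/1.1" 200 43 "http://flashgame.example/game.swf" "Mozilla/5.0"',
    '192.0.2.7 - - [10/Sep/2008:12:00:09 +0000] "GET /gallery/1.jpg HTTP/1.1" 200 52000 "http://www.victim.example/gallery" "Mozilla/5.0"',
    '192.0.2.8 - - [10/Sep/2008:12:00:10 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for key, stats in find_referral_floods(SAMPLE_LOG, {"www.victim.example"}).items():
        print(key, stats)
```

A flagged (referer, path) pair is a candidate for a Referer-based rewrite rule or a rate limit on that path, not proof of intent; a legitimately popular embed looks the same until you check the request volume against what the referring page plausibly needs.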
  11. more direct malicious app by Narnie · · Score: 5, Funny

    Why not build a more aggressive app and call it something like "Facebook Botnet Webapp Client 2.04.2" and then reward people minion points for delivered spam, DDoS attack packets, and friend referrals. No need to hide it as a beneficial application, people want to belong to something--why else are they on facebook?

    --
    greed@All_Evils:~#
    1. Re:more direct malicious app by Anonymous Coward · · Score: 0

      Why not build a more aggressive app and call it something like "Facebook Botnet Webapp Client 2.04.2" and then reward people minion points for delivered spam, DDoS attack packets, and friend referrals. No need to hide it as a beneficial application, people want to belong to something--why else are they on facebook?

        -why else do they post on forums?

    2. Re:more direct malicious app by Anonymous Coward · · Score: 0

      "homo homini lupus"

      you are joking but I think we would be somewhat surprised of the amount of people who would participate in such a ring. I mean willingly participate.

    3. Re:more direct malicious app by Narnie · · Score: 1

      It started out as a joke, but by the time I finished writing the post, it sounded pretty awesome and awesome should be written in LOLCODE.

      --
      greed@All_Evils:~#
  12. Oh that's nothing by joe_n_bloe · · Score: 4, Funny

    I used to serve a 2mb file of zeros at favicon.ico. I even used a bogus MIME type to give MSIE a fighting chance. Of course MSIE ignored the MIME type and charged ahead anyway.

    1. Re:Oh that's nothing by Creepy+Crawler · · Score: 1

      You gave me a great idea.

      Buffer overflow of favicon.ico

      muhahahaha

      --
    2. Re:Oh that's nothing by Firehed · · Score: 1

      So... you just waste your own bandwidth? Nice.

      --
      How are sites slashdotted when nobody reads TFAs?
    3. Re:Oh that's nothing by Culture20 · · Score: 1

      probably compressed down to a kilobyte or two.

    4. Re:Oh that's nothing by Repton · · Score: 1

      I used to have an app-killer image. It was basically an empty JPEG with a header that claimed the image was 1,000,000 x 1,000,000 pixels big.

      Crashed practically any app you tried to open it with.

      --
      Repton.
      They say that only an experienced wizard can do the tengu shuffle.
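Repton's app-killer image works because most decoders allocate the output buffer from the dimensions in the SOF frame header before reading a single pixel. The check below is an added example, not code from the thread: it walks the JPEG marker segments, reads the declared width and height, and refuses the file before any decoder sees it. One caveat the format imposes: the SOF dimension fields are 16-bit, so the largest size a JPEG header can declare is 65535 x 65535 (about 4.3 gigapixels, already some 13 GB at three bytes per pixel), and the constructed sample below uses that ceiling. The pixel cap is an assumed policy value.

```python
import struct

# SOFn markers that carry frame dimensions; C4 (DHT), C8 (JPG) and CC (DAC) do not.
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}

def jpeg_dimensions(data):
    """Return (width, height, components) from the first SOF segment, or None
    if the data is not a JPEG, is truncated, or has no frame header."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != 0xD8:   # must start with SOI
        return None
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            return None                       # lost marker synchronisation
        marker = data[i + 1]
        if marker == 0xFF:                    # fill byte, keep scanning
            i += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            i += 2                            # standalone markers carry no length
            continue
        if marker in (0xD9, 0xDA):
            return None                       # EOI or SOS reached without a SOF
        seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
        if seg_len < 2 or i + 2 + seg_len > len(data):
            return None                       # truncated or malformed segment
        if marker in SOF_MARKERS:
            if seg_len < 8:
                return None
            _precision, height, width, ncomp = struct.unpack(">BHHB", data[i + 4:i + 10])
            return width, height, ncomp
        i += 2 + seg_len                      # skip APPn, DQT, COM, ... segments
    return None

def is_safe_jpeg(data, max_pixels=50_000_000):
    """Return (ok, reason). Refuse before decoding when the header declares more
    pixels than we are willing to allocate for (max_pixels is an assumed policy)."""
    dims = jpeg_dimensions(data)
    if dims is None:
        return False, "no SOF frame header found"
    width, height, ncomp = dims
    if width == 0 or height == 0:
        return False, "zero dimension"
    pixels = width * height
    if pixels > max_pixels:
        return False, f"declared {width}x{height} ({pixels} px, ~{pixels * ncomp} bytes) exceeds cap"
    return True, "ok"

def make_jpeg_header(width, height):
    """Constructed test input: SOI, a JFIF APP0 segment, a baseline SOF0 with three
    components and the given size, then EOI, with no scan data at all."""
    app0 = b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = b"\xFF\xC0" + struct.pack(">HBHHB", 17, 8, height, width, 3)
    sof0 += b"\x01\x22\x00\x02\x11\x01\x03\x11\x01"   # Y, Cb, Cr component specs
    return b"\xFF\xD8" + app0 + sof0 + b"\xFF\xD9"

if __name__ == "__main__":
    for w, h in ((640, 480), (65535, 65535)):
        print(w, h, is_safe_jpeg(make_jpeg_header(w, h)))
```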
  13. Isn't there in the EULA/TOS something by davidsyes · · Score: 1

    Isn't there in the EULA/TOS something that makes this verboten? Unless he's/they've signed an NDA giving fb the time/opportunity to expunge the app, clean up the mess, and warn users, he's just helping the bad guys know fb is inattentive. Not as if the end users all have tools to ferret out the malicious apps.

    If he's brought to court, then maybe the terms of settlement could be he acts as fb's and others' human sacrificial firewall.

    fb could even retaliate by making a profile of the listed developer, making a negative bio/pic of him, and cause him grief. Not that I'd suggest it, but you never know...

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  14. Have to by __aamisb9940 · · Score: 1

    ...all your Facebook are belong to us.

  15. Who's surprised? by Whatanut · · Score: 1

    So who was surprised by this? I had the same ideas awhile back when I first joined and noticed my ability to create my own apps. I considered creating one purely for the purpose of collecting user information. Just for the hell of it. But more of a way of seeing just how much data I could gather. I have yet to see an app on facebook that didn't require that you provide access to EVERYTHING. If you check (or uncheck.. don't remember how that works) any of the privacy options you get the message "But we neeeeeeed that!!!"

    And it's for that reason I generally don't use any apps on there...

    --

    yvan eht nioj
  16. It's the delivery method, not the payload by Kelson · · Score: 2, Insightful

    Using the app to DDOS someone is simply the payload. The point is that:

    (a) A trojan was introduced into the ecosystem.
    (b) Users installed it.

    It's not clear whether the users simply saw it in the directory and installed it, or whether they looked at their friends' apps and said, "Hey, that looks interesting." (Or whether users were promoting it to their friends, like a chain letter.)

    The lesson is that social network apps need to be treated with the same caution as apps that you would install on your computer.

  17. Doesn't work. by Puffy+Director+Pants · · Score: 3, Funny

    Facebook is still operational.

  18. Mod the main article down. It is redundant. by CFD339 · · Score: 4, Funny

    They built a malicious face book application. Big deal. They're all malicious and annoying. The whole damn site is a marketing work to pull personal data about interconnected relationships together for marketing.

    "Malicious Facebook App" is like "Table Mesa" (a place in Arizona). It's redundant: Mesa means Table in Spanish.

    --
    The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
  19. Explanation? by adamziegler · · Score: 1

    I guess I don't get it... You click on a link for a picture, and it sends a request for a picture? Is this like me posting a link to picture here on /. that resides on a "victims" server?

  20. Malicious? Faugh. by ScrewMaster · · Score: 1

    Personally, I consider Facebook to be a malicious app.

    --
    The higher the technology, the sharper that two-edged sword.
  21. Channelling the masses for fun and profit by PaleCommander · · Score: 1

    This seems, when all is said and done, to simply be taking advantage of the power of large numbers of people on the Internet. Facebook is merely a userbase that happens to have a toolset attached. Admittedly, the userbase is somewhat more suggestible than many others (see the various superhero/pirate/ninja viral games that can be seen cavorting across people's profiles); however, this type of coordination has been done before, albeit usually with participants' knowledge.

    Hopefully, we can see this amount of effort on the part of researchers directed toward positive applications. Existing examples include the Search for Extraterrestrial Intelligence (SETI), protein folding, and the Mechanical Turk project.

    This isn't so much a security issue as an underexploited resource. That said, the API hardly needs to leave its doors open to this sort of thing.

  22. Re:Mods on crack by Hal_Porter · · Score: 1

    Oh FCOL, who the fuck moderated this as troll - c'mon - play nicely here - over the last few days it seems that a metric fuckton of non-troll and/or non-flamebait posts have been modded most unfairly. Who the hell is getting modpoints these days?

    Mod Parent down

    -1 Censored.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  23. bahhaha by Anonymous Coward · · Score: 0

    their 'army' is about 500 requests a minute.

    LAME!!!!!

  24. Whose "tenuous justification"? by gr8scot · · Score: 1

    Heh. Researchers experiment with anything malicious they want in the name of research and publish their findings widely for the bad guys to consume.

    Looks like you're a black hat, and you're annoyed that more young people are truly computer literate, and more useful information is available to non-expert but careful users.

    With the tenuous justification "the bad guys would have surely come up with this already"

    The purpose of research is knowledge. As a researcher, I'm not responsible to provide justification of what somebody else does with knowledge I discover, nor to provide further justification of my discovery of it due to that other person's choice to make criminal use of the knowledge I discovered. The criminal is solely responsible for the criminal act.

    Plus not that many bad guys will think of X attack; at least not until there are news articles or a fad, other well-known bad apps to mimic.

    Oh, yeah right!! No scumbag would ever have come up with such a diabolical plan of attack, as dump a malicious app on a site for casual computers to trade pictures, shortly after said site introduces app sharing to its crappy services. You are ridiculous.

    The "researchers" are helping, providing inspiration, and guidance to would-be part-time bad guys.

    Stuff that back where you pulled it from.

    Sorry, but it was pretty obvious to people familiar with Facebook apps and computer security, that this weakness existed.

    And to crackers. It was not obvious to the users, but now it is.

    Nothing novel or valuable has really been found here

    Both those qualities are in the eye of the beholder.

    ... except things that should have been reported to the site admins to be fixed.

    Why? Will they share their profits, for such a service? For providing a fig leaf to help them cover their lack of vigilance, or how plainly stupid their idea was: "encourage casual users to share programs without any screening process"? Either the admins are competent and responsible enough to find and secure their site themselves, or else they're incompetent enough and irresponsible enough to deserve a public humiliation of the sort they are now receiving. They got what they deserved for trying to get rich on a networking-to-attract-advertising-revenue Ponzi scheme. You misidentify the social problem at the root of the symptom that is the general topic of this thread. That symptom is the insecurity of the biggest names in computing: Microsoft, US government, now Facebook. The root cause is the rewarding of sub-standard work. It has caused one dot-com bust already. I, for one, am in no mood for another. If projects of this scale were as a rule successfully deployed on the first public release, with all advertised features, and secure, I'd say programmers are by and large worthy of their 6-figure salaries. As it is, I say the average IT guy's salary is 85% hyperbole. Just because programmers are rare, the law of supply and demand dictates that even crappy ones have to be paid hand over fist. Such would change, if only secure apps and services were demanded by the consumer market. The more effectively crappy, insecure apps and services can be identified, the more efficiently the invisible hand can operate.

    The researchers did valuable work, but it's clear that the worldwide security threat of releasing the information to third parties is greater.

    The opposite is clear. One valuable service these researchers provided -- the most valuable, I think -- is they showed a lot of Facebook users that their host is not capable of securely providing at least the app sharing services it offers: they showed its victims that Facebook is not trustworthy. Many of the users do not have the technical backgro

    --
    All 19 hijackers were known terrorists 09-10-2001. Lack of FBI intelligence does not justify warrantless wiretaps..
    1. Re:Whose "tenuous justification"? by mysidia · · Score: 1

      The purpose of research is knowledge. As a researcher, I'm not responsible to provide justification of what somebody else does with knowledge I discover, nor to provide further justification of my discovery of it due to that other person's choice to make criminal use of the knowledge I discovered. The criminal is solely responsible for the criminal act.

      That position is irresponsible in that it entails the researcher simply ignoring the very effects positive and negative that society will have to endure based on their publication. Governments and society as a whole have already seemingly taken a position counter to that, [2], and the result will probably be eventual formal government regulation to better keep dangerous information quiet.

      For example, there is classified information. If a researcher attempts to publish usable do-it-yourself details for making a nuclear bomb, they may well find themselves locked up.

      Locks may be vulnerable to picking, but in most states, it is illegal to buy, sell, or possess lockpicking tools, without special permit.

      Just because the laws haven't caught up yet to prevent computer security researchers from irresponsibly publishing dangerous information for all to get the most intricate details including ready-to-run attacks, does not mean that it is responsible or good for researchers to do so.

  25. THAT is a "tenuous justification"! by gr8scot · · Score: 1

    Consider Abu Ghraib and Guantanamo. The War on Terror (TM) is not a source from which to draw generalizations about society's positions in general, except its attitude toward what it doesn't understand, which is: fear. So your first source, about a student who was arrested, not for sharing research, but for conducting research (whose subject was "Al Qaida") is interesting, but relative to this dispute it is dismissed as an aberration, where an example or summary of how society normally functions is required.

    That position is irresponsible in that it entails the researcher simply ignoring the very effects positive and negative that society will have to endure based on their publication. Governments and society as a whole have already seemingly taken a position counter to that [guardian.co.uk], [2] [slashdot.org], and the result will probably be eventual formal government regulation to better keep dangerous information quiet.

    Your second source is an article about events centered on a high school, where students' rights are limited by the legal doctrine in loco parentis. (sp?) So that also is not an example of how society normally functions.

    For example, there is classified information. If a researcher attempts to publish usable do-it-yourself details for making a nuclear bomb, they may well find themselves locked up.

    Discovery Channel showed a history of the A-bomb a few years ago, which I thought was as good as the best consumer user's manual I've ever had the good fortune of getting bundled with purchase. The tricky step is purifying the radioactive material to weapons grade. After that, assembly is nothing. As a result, teaching particle physics in universities is permitted. What is not permitted is the act of producing weapons grade nuclear material. The good or evil is in an action, not in the knowledge.

    Just because the laws haven't caught up yet to prevent computer security researchers from irresponsibly publishing dangerous information for all to get the most intricate details including ready-to-run attacks, does not mean that it is responsible or good for researchers to do so.

    Facebook dangerously published all the information for all the Black Hats to get the most intricate details, etc., etc. The researchers made that information available to Facebook's customers. Bravo to them!

    --
    All 19 hijackers were known terrorists 09-10-2001. Lack of FBI intelligence does not justify warrantless wiretaps..
  26. 500, not 100 by gr8scot · · Score: 1

    Their staffing and other financial records are available for inspection;

    As a former customer, I'd have more appreciation for the opportunity to inspect their source code.

    look up their annual reports to see massive spending & staffing in research; there can be no doubts there.

    The SEC exists because unsuccessful corporations have been known to lie, and caught at it. Only a fool has "no doubts" about corporate self-reporting.

    I base this on the existence of Fortune-100 companies whose reason for existence is to deliver security solutions, and have multi-billion$ security budgets to that effect.

    Symantec is "only" #461, and (AFAIK) it's the largest corp. whose primary product is computer security. This is not nit-picking; your entire argument is based on scale, and the largest of the companies of the type you're discussing is barely in the Fortune 500, not the 100.

    Speaking of which, have Symantec and McAfee made the Internet safe yet? No. How many more billions of dollars do they want before providing the "security" they've been advertising for over a decade, anyway? Looks exactly like a protection racket to me.

    Keeping consumer product information freely available is always better for the customer. In the specific case of computer security, publishing information about the relative strengths of competing products' access controls allows people to learn better how to "roll our own" solutions, or if we buy corporate security products, more information allows us to choose better purchases. For everybody, and therefore for society as a whole, more available information is better. Deciding what information we want and need, and learning where to get it, is the individual's responsibility. This is existential fact, which means it will not be altered by your acknowledgment, nor by your refusal to acknowledge truth. Agree, or let me decide what information to not allow you to have, about whatever consumer product category I choose.

    The protection of the First Amendment is not limited to speech that you approve.

    --
    All 19 hijackers were known terrorists 09-10-2001. Lack of FBI intelligence does not justify warrantless wiretaps..