Researchers Build Malicious Facebook App

← Back to Stories (view on slashdot.org)

Researchers Build Malicious Facebook App

Posted by CmdrTaco on Friday September 5, 2008 @10:18AM from the and-the-crowd-goes-wild dept.

narramissic writes "Back in January, a team of researchers uploaded a malicious program to Facebook to demonstrate the possible dangers of social networking applications. Called 'Photo of the Day,' the app serves up a new National Geographic photo daily, but every time it's clicked it sends a 600 K-byte HTTP request for images to a victim's Web site. Photo of the Day is still listed on Facebook, with its authorship attributed to Andreas Makridakis, one of the researchers. The application has 514 active users now, with several comments praising it. The study was published by the Foundation for Research and Technology in Heraklion, Greece, and the Institute for Infocomm Research in Singapore."

30 of 116 comments (clear)

Min score:

Reason:

Sort:

This one's for Bugmenot! by Legion_SB · 2008-09-05 10:20 · Score: 4, Funny

Attack!!

--
'a';DROP TABLE users; SELECT * FROM DATA WHERE name LIKE '%'... if you're reading this, it didn't work.
print this page by A+little+Frenchie · 2008-09-05 10:20 · Score: 2, Informative

http://www.itworld.com/print/54718
Researchers! by goose-incarnated · 2008-09-05 10:23 · Score: 2, Funny

Is there anything we cannot do?

"Here, grab your ankles, this won't hurt a little bit"

(That is a 100% truthful statement)

--
I'm a minority race. Save your vitriol for white people.
1. Re:Researchers! by goose-incarnated · 2008-09-05 11:00 · Score: 3, Insightful
  
  Your points have been duly noted.
  
  *pulls keyboard closer*
  
  However, I feel, very strongly, that when one is willing to acknowledge "The researchers did valuable work", then all those points fall away.
  
  As far as most research work goes (and it makes no difference whether you're in Marine Biology or Description Logics), all we do is publish what we find. Our most used sentence is "Nobody told me I had to find a solution as well". Most of research is simply discovering new problems for others to solve.
  
  (ps, ignore misspellings/errors in this post, Parents came to visit and brought a full bottle of single-malt whiskey, and am pleasantly drunk right now :-))
  
  --
  I'm a minority race. Save your vitriol for white people.
2. Re:Researchers! by fictionpuss · 2008-09-05 11:05 · Score: 3, Insightful
  
  Is this sarcasm which is going over my head?
  
  there are massive numbers of full-time researchers and few full-time bad guys.
  Do you have any figures/research for this or is it opinion?
  
  The "researchers" are helping, providing inspiration, and guidance to would-be part-time bad guys.
  The bad guys who will continue to go on and sell their exploits on international markets? So, the monetary motivation is nothing compared to the motivation generated by researchers?
  Exploits exist. Bad guys have a motivation to find them and keep them secret. Without researchers in the field, the good guys would never be able to fix the exploits.
  What about coming up with a better solution before panning the current situation which seems to work quite well? Do you work in the security field at all?
  Also, Slashdot supports paragraphs.
3. Re:Researchers! by mysidia · 2008-09-05 12:19 · Score: 3, Interesting
  
  I'll concede there are financial motives for crackers to attempt to compromise systems.
  But many, perhaps most crackers who would have that motive alone, are not successful. The financial motive is outweighed unless there is a means or method; unless they think they can succeed with a certain attack. If they find howtos/recipe books online or detailed publications of weaknesses that have not been addressed they are likely to find motive and find significant advantage and success in exploiting that problem and gaining the financial incentive.
  I base this on the existence of Fortune-100 companies whose reason for existence is to deliver security solutions, and have multi-billion$ security budgets to that effect.
  Companies like Symantec and F-Secure are public. Their staffing and other financial records are available for inspection; lookup their annual reports to see massive spending&staffing in research; there can be no doubts there. Script kiddies are secretive, and their exact number and records are not available for inspection.
  I'll concede there is financial motive to compromise security. Both for criminal crackers and for non-criminal researchers. But the motive should be much larger for researchers to constantly find new ways to compromise security.
  As long as the old ways continue to work perfectly fine; crackers can still satisfy their greed.
  Security researchers on the other hand, by definition cannot merely re-discover the same attacks over and over again, they'll lose their funding.
  Some crackers will be searching for new bugs, the bulk of them do not need to, they'll just wait until a new exploit is eventually published by a researcher, or they they can try to buy it. In either case, the research by a third party is what spreads the 'hack' into use.
  People still download and run programs they shouldn't. People still download and run attachments they shouldn't, despite all warnings. Crackers don't have to be creative to try to get the financial incentive. They just have to use information and tools that are all publicly available now.
  I don't think it's all that difficult to make useful but dangerous research information available to the security concerned while making it hard for all except the truly dedicated crackers.
  Tighter publication restraints should help; such as not posting full text online, for free. A $1 or $2 nominal fee for access would generally reduce digestion by the general public, and teenagers without credit card access, who may lack judgement to limit use of security info to responsible purposes.
  An additional aid may be an NDA consumers of publications have to accept to see sensitive research that describes exploits when the exploit effects many people and sites at the time of publication.
  Not to mention.. for-fee articles help cover research costs....
  Both fortunately and unfortunately, the unhampered public posting means anyone who searchers for the right keywords will see it..
4. Re:Researchers! by mysidia · 2008-09-05 15:47 · Score: 2, Interesting
  
  An IDS is a failsafe, last line of defense, and only ever sure to work against a small category of pre-packaged attacks.
  Pattern matching cannot detect the exploit of all types of weaknesses.
  Not all types of weaknesses have a set string or sequence of bits you can reliably search for and ID an attack.
  Generally IDS rules are specific to the most common attack, not the weakness.
  The cracker that wants to evade your IDS and knows how to evade an IDS is likely to be successful.
  E.g. if there is a buffer overflow, it is common for an IDS to look for common shellcode patterns. IDS is unlikely to be able to perform a stateful examination of all the application protocols including fragment assembly and actually detect the overflow condition.
  There is this problem that the overflow has occured already, and chances are the application is already running the malicious code, just as your IDS is detecting it and starting to alert you.
5. Re:Researchers! by fictionpuss · 2008-09-05 16:48 · Score: 3, Interesting
  
  Word is that there are several dozen zero-day Linux kernel exploits on the blackhat market right now. For what it's worth that's anecdotal, but even if that figure is exaggerated, the blackhats are still out powering the whitehats in either number or technical ability.
  If they didn't then they wouldn't exist.
  I'm not going to be able to respond to you point-by-point because of a rather general lack of coherence, so I'm going to pick and choose:
  
  Companies like Symantec and F-Secure are public. Their staffing and other financial records are available for inspection; lookup their annual reports to see massive spending&staffing in research; there can be no doubts there.
  
  My impression was that the R&D was spent on things like Vista compatibility and defending their own protection programs from being disabled as part of the exploit.
  I've never heard of one case of an anti-virus company proactively researching a vulnerability and patching it. There wouldn't seem to be much of a business model to create from that. But if I'm wrong then there should be plenty of evidence - why would they spend the R&D that you mention, and not publicise its positive effects?
  
  Some crackers will be searching for new bugs, the bulk of them do not need to, they'll just wait until a new exploit is eventually published by a researcher, or they they can try to buy it. In either case, the research by a third party is what spreads the 'hack' into use.
  At least in the Linux world, vulnerabilities, once published, tend to have fixes out pretty darn quickly. This is not a winning strategy for a blackhat.
  Also - a researcher who sells to blackhats, is a blackhat by definition.
  
  I don't think it's all that difficult to make useful but dangerous research information available to the security concerned while making it hard for all except the truly dedicated crackers.
  You seem to be describing exactly what happened with the recent DNS server vulnerability?
  
  A $1 or $2 nominal fee for access would generally reduce digestion by the general public, and teenagers without credit card access
  Blackhats are not terribly concerned about copyright infringement. If they didn't hack the server silently to get past the $1 or $2 fee, then they'd use someone elses credit card info.
  Once one copy is made, then the information is available on the blackhat market anyway, except the whitehats have a harder time getting to it.
  
  Both fortunately and unfortunately, the unhampered public posting means anyone who searchers for the right keywords will see it..
  
  Blackhats aren't idly spending their days typing "latest exploit info" into Google. They have their own information market spaces, and they are skilled and efficient at what they do.
  Everything you describe which makes it harder for whitehats is to the benefit of blackhats.
social networking considered harmful by suck_burners_rice · 2008-09-05 10:24 · Score: 5, Funny

First of all, let's get something straight. Social networking is a BAD idea. Especially the sort of social networking that takes place at bars, clubs, parties, etc. The only safe place in the world is safe and sound all by your lonesome in your parents' basement.

--
McCain/Palin '08. Now THAT's hope and change!
1. Re:social networking considered harmful by Bieeanda · 2008-09-05 10:26 · Score: 2, Funny
  
  Oh good, I'm already there.
  Can I order hot pockets over the Internet?
2. Re:social networking considered harmful by goose-incarnated · 2008-09-05 10:29 · Score: 5, Funny
  
  The only safe place in the world is safe and sound all by your lonesome in your parents' basement.
  Here in SA I've got 14cm hunter spiders in my parents basement! Seriously. These things have garden snakes for breakfast, so don't fucking tell me how safe my parents basement is - I only go in there with a team of sherpas and a pack of wolves.
  
  On the plus side, we've very few snakes left.
  
  --
  I'm a minority race. Save your vitriol for white people.
3. Re:social networking considered harmful by Anonymous Coward · 2008-09-05 10:38 · Score: 3, Funny
  
  Not my parents' basement... It is pitch black. You are likely to be eaten by a grue.
4. Re:social networking considered harmful by Brynath · 2008-09-05 10:55 · Score: 2, Interesting
  
  no but you can order a "Bucket o'food" for $75 that will give you 275 "meals"
5. Re:social networking considered harmful by somersault · 2008-09-05 11:07 · Score: 4, Funny
  
  It's not a basement, it's a command centre
  
  --
  which is totally what she said
6. Re:social networking considered harmful by Surt · 2008-09-05 11:14 · Score: 5, Funny
  
  There's a guy a few posts up with some hunter spiders that will take care of that grue for you.
  
  --
  "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
BFD(?) by CWRUisTakingMyMoney · 2008-09-05 10:26 · Score: 5, Insightful

So, some researchers used Facebook as a singularly inefficient method of DDoSing someone. Anyone who wants a site taken down will use a botnet or something more reliable (and high-volume) than counting on Facebook users to add the latest greatest app of the day. Am I missing something, or is this really not nearly serious enough even to make /.?

--
Those who anthropomorphize science and/or nature already believe in an intelligent designer.
1. Re:BFD(?) by ohxten · 2008-09-05 10:39 · Score: 2, Insightful
  
  That's why it's here. We don't know. It's up to us geeks to philosophize.
  
  --
  Need an automatic screenshot taker? Try here.
2. Re:BFD(?) by BitHive · 2008-09-05 10:40 · Score: 4, Insightful
  
  No, this is absolutely retarded. This is like saying I've uploaded malicious content to slashdot by telling everyone to click here for free porn where "here" is my victim's website.
3. Re:BFD(?) by aftk2 · 2008-09-05 10:47 · Score: 4, Funny
  
  I clicked it. Who else did? Don't be shy!
  
  --
  concrete5: a cms made for marketing, but strong enough for geeks.
4. Re:BFD(?) by caffeinemessiah · 2008-09-05 10:49 · Score: 2, Interesting
  
  So, some researchers used Facebook as a singularly inefficient method of DDoSing someone.
  
  Agreed. Especially since a user trying to interact with ANYTHING dynamic on a profile page has to CLICK it to enable it. Embed your own "malicious" DDOS flash code into an "application" with some cutesy front end, and have it pull a large NASA image and push it as a form upload to the target site. Basically, once the user clicks your flash/activeX/blaahXY content, you have an array of flash/activeX/blaahXY exploits to exploit.
  Unless of course they figured out a way of activating the dynamic content without the user clicking (this was a hack submitted a while ago as a XSS exploit, local news went nuts about it). Now THAT would be a nice hack, as it would allow the design of apps to counter-stalk (i.e. see who's been viewing your profile).
  
  --
  An old-timer with old-timey ideas.
5. Re:BFD(?) by hdon · 2008-09-05 10:56 · Score: 2, Insightful
  
  I agree 99% with CWRUisTakingMyMoney.
  I have not read the article, but I'd like to point out the possibility that because social networking is a big buzz-word, the experiment is being misrepresented.
  While I don't believe an experiment really proves anything to anyone with a mind of their own, I think we're all way past due to begin thinking about better sandboxing (more precise, efficient, and platform-agnostic) methods for running all the untrustworthy code we do. We ought to have control over how resources of all kinds are allowed to anything we run. It should be trivial to tell your browser what the default outgoing transmission rate for a Facebook app ought to be (but this should not be implemented in the browser -- it should be available for non-web-based software as well) as well as any other resource you can think of.
6. Re:BFD(?) by Clandestine_Blaze · 2008-09-05 11:27 · Score: 5, Funny
  
  You should have linked to Idle, now that's malicious.
  
  --
  Best "String" Ever!
social apps and gadgets by gbh1935 · 2008-09-05 10:27 · Score: 2, Insightful

There are inherent security risks any time you allow code to be executed on a mammoth scale without some serious security inspection and review.
Nothing new... by Tmack · 2008-09-05 10:46 · Score: 2, Informative

I see .swf attack scripts all the time that do the same thing: user clicks to view a .swf, the swf sends a request per second to some other page. Get enough people to click on your "new Flash game" or "sexxy webcam" and you get a DOS (albeit usually weak).
tm

--
Support TBI Research: http://www.raisinhope.org
Re:I don't think I'm the first to say this but... by Captain+Splendid · 2008-09-05 10:46 · Score: 3, Funny

Facebook applications are a nightmare, in my mind.

Good thing, then, that in reality, they're for the most part fun and useful!

--
Linux, you magnificent bastard, I read the fucking manual!
more direct malicious app by Narnie · 2008-09-05 10:53 · Score: 5, Funny

Why not build a more aggressive app and call it something like "Facebook Botnet Webapp Client 2.04.2" and then reward people minion points for delivered spam, DDoS attack packets, and friend referrals. No need to hide it as a beneficial application, people want to belong to something--why else are they on facebook?

--
greed@All_Evils:~#
Oh that's nothing by joe_n_bloe · 2008-09-05 10:59 · Score: 4, Funny

I used to serve a 2mb file of zeros at favicon.ico. I even used a bogus MIME type to give MSIE a fighting chance. Of course MSIE ignored the MIME type and charged ahead anyway.
It's the delivery method, not the payload by Kelson · 2008-09-05 12:04 · Score: 2, Insightful

Using the app to DDOS someone is simply the payload. The point is that:
(a) A trojan was introduced into the ecosystem.
(b) Users installed it.
It's not clear whether the users simply saw it in the directory and installed it, or whether they looked at their friends' apps and said, "Hey, that looks interesting." (Or whether users were promoting it to their friends, like a chain letter.)
The lesson is that social network apps need to be treated with the same caution as apps that you would install on your computer.
Doesn't work. by Puffy+Director+Pants · 2008-09-05 12:43 · Score: 3, Funny

Facebook is still operational.
Mod the main article down. It is redundant. by CFD339 · 2008-09-05 13:02 · Score: 4, Funny

They built a malicious face book application. Big deal. They're all malicious and annoying. The whole damn site is a marketing work to pull personal data about interconnected relationships together for marketing.
"Malicious Facebook App" is like "Table Mesa" (a place in Arizona). Its redundant Mesa means Table in Spanish.

--
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln