Facebook Hacks Points To Much Bigger Threat For Mobile Developers

DavidGilbert99 writes "Facebook admitted last weekend that it was hacked but assured everyone that no data was compromised. However following some investigation by security firm F-Secure, it seems this could be just the tip of the iceberg and that thousands of mobile app developers without the dedicated security team Facebook has in place could already be compromised. The vector for the attack was a mobile developer's website, and the malware used likely targeted Apple's Mac OS X rather than Windows."

Not just mobile

[schneidafunk]

This exploit was through Java. It was on a mobile app development site, which made it more likely to be installed by a developer of mobile apps, but it certainly isn't limited to just mobile developers.

Re:Not just mobile

What about MY "bootyhole"? lol

APK

Re:Not just mobile

F-Secure have been trying their damndest to scare people into buying their garbage for Macs, so they'll take any opportunity they can get.

Re:Not just mobile

[gl4ss]

F-Secure have been trying their damndest to scare people into buying their garbage for Macs, so they'll take any opportunity they can get.

yeah.. having now read it, the investigation uses proof of macs that fb had a mac on a promo picture of their security team(showing some powerpoint or keynote).

that's not an investigation, it's gossip.

Developers with Java applets enabled in browsers?

[WebManWalking]

Do such creatures exist?

Curious

[koan]

"Facebook admitted last weekend that it was hacked but assured everyone that no data was compromised"

Can a hacker really compromise user data any more than the user that freely gave it away?

Re:Curious

[wbr1]

"Facebook admitted last weekend that it was hacked but assured everyone that no data was compromised"

Can a hacker really compromise user data any more than the user that freely gave it away?

By hacked, facebook means, freely given user data was stolen without our tithe.

Yes

[schneidafunk]

If you are developing in java, certainly.

Re:Yes

[WebManWalking]

I develop in Java, but I don't have applets enabled in my general web browsing.

OMG. Are you saying that there are developers who use only one browser for everything?

Re:Yes

I develop in Java, but it's all server-side. Most of the Java developers I know of are either server-side or mobile.

Unless you're actually developing applets, why would you want them enabled?

Re:Yes

[thetoadwarrior]

As someone who developed Java for a few years, I never enabled applets. No one really develops applets.

Re:Yes

Why you you bother developing applets? It's 2013 ... right? .... RIGHT?

Re:Yes

It's not that people *want* them enabled. It's that if you perform a default OS X or Windows Java install you *must* give the root / admin password to do the install and, by defaults, Java applets shall be turned on in your browser(s).

I do develop in Java, server-side. And I do install the Java "JDK" in my development account, without giving the root password (because on Linux you can install java without being root).

And my development account cannot access the net.

But most developers aren't using such a setup.

What development website was infected?

[SuperKendall]

I'm an iOS developer, and frequent some development websites - but none I go to use Java. Does anyone know what site is affected? It seems like that would be REALLY useful to know to know if you were potentially impacted.

It's a good thing macs ship without Java by default now, that probably protected a lot of people.

Re:What development website was infected?

[Synerg1y]

If it's in the news, you can probably assume that the treat's been neutralized, however, the advice is to check your source if you've visited a mobile dev. site in the past couple of months, which on your profession would be everybody. However, interestingly enough I can't seem to find any mention of specific mobile dev sites. Do check your hosts file though for rouge entries.

Re:What development website was infected?

It's a good thing macs ship without Java by default now, that probably protected a lot of people.

Yes, good thing. FSM knows they can't protect themselves.

Re:What development website was infected?

Do check your hosts file though for rouge entries.

The mauve and pastel entries are usually legit though!

Re:What development website was infected?

If it's in the news, you can probably assume that the treat's been neutralized

Having your system compromised is a treat?

How many devs understand security?

[hsmith]

If you are writing mobile software, you need to grasp the shortcomings of the platforms. Reading Hacking & securing iOS Applications was eye opening - and how many devs read it?

Security concerns within Android are even worse. How many know to layer on security beyond what is offered out of the box? Many developers are standardizing on SQLCipher, but what happens when that is the "standard" and becomes a larger target?

Before reading Hacking & securing iOS Applications, the vulnerabilities were all sort of known to me, but the book sort of scared me into digging deeper and further securing my products.

Re:How many devs understand security?

[gl4ss]

If you are writing mobile software, you need to grasp the shortcomings of the platforms. Reading Hacking & securing iOS Applications was eye opening - and how many devs read it?

Security concerns within Android are even worse. How many know to layer on security beyond what is offered out of the box? Many developers are standardizing on SQLCipher, but what happens when that is the "standard" and becomes a larger target?

Before reading Hacking & securing iOS Applications, the vulnerabilities were all sort of known to me, but the book sort of scared me into digging deeper and further securing my products.

huh, wtf you're smoking? any app you give away to be run in users computers is suspect to the user modifying it. ain't no platform security that works out there. so that book is one big pile of snake oil(of course securing the communications between you and the user to some degree is important.. but you shouldn't blindly trust that information that the client is sending). it's kind of useless to encrypt the "registered or not" db you're using when the key is there in the program. of course platforms have varying degrees of difficulty for people to hack(j2me and non-ndk android being on the easier side, of course).

but the basic idea that you could just trust the client to keep iap information etc secure is just.. stupid. same goes for pc drm of course and this is why diablo and the new sim city are moving game logic into the servers so what the user has becomes just dumbed down client, so hacking it doesn't give access to the sweets.

Re:How many devs understand security?

[hsmith]

Most developers aren't experts in security, that is the point. Most haven't invested the time learning how to secure software. Most told "build us a mobile App" don't quite grasp all the security ramifications that go along with it.

huh, wtf you're smoking?

has no relevance to what I wrote

Re:How many devs understand security?

I guess he meant that security was part of the developer's job.
The same points are valid whatever kind of program you write that will interact with a server.
The problem is that so many people think they can become a dev in a couple weeks...

Re:How many devs understand security?

Why are you linking to such shithead company as B&N? One can find that book available on multiple sites, less than 1/2 the B&N price as ebook. Even free as 21 day download from most libraries.

WHAT FUCKING SITE?!?!?

[gl4ss]

Can't be that hard to tell! sure it might screw the site over 34023 over but fuck... could just post it.

without the site name this is just f-secure doing what it usually does - astroturfing! I mean there's literally NO NEW INFORMATION. ok, perhaps it's new information that it was java that was used as applet that was used as attack vector.

Re:WHAT FUCKING SITE?!?!?

[WebManWalking]

Astroturfing was the word that occurred to me too. I almost submitted it as a tag, in fact. Or maybe slashvertizement (however that's spelled).

It's like those news website articles with misleading title (or question as title) hotlinks to entice you to visit the article. The more page hits, the more advertizing sold. Only in this case, they're trying to generate hits on F-Secure's website. If that's your intent, you cannot give away information up front. It would defeat the purpose.

I suppose it helps to get angry at them (if they hear about your anger somehow). It lets them know that their teasing technique isn't building the sort of goodwill that could result in a customer, at least not in those who see through it.

Re:WHAT FUCKING SITE?!?!?

[gl4ss]

I suppose it helps to get angry at them (if they hear about your anger somehow). It lets them know that their teasing technique isn't building the sort of goodwill that could result in a customer, at least not in those who see through it.

well their target isn't really people who decide this stuff anymore, on their own anyways, but guys who work at companies and isp's and who decide which product they should bundle(not users that is) with their offering.

on and off (depending on year) their sw is harder to remove than malware too.. but this reeks of them trying to advertise their mac product..

My bad.

[Capt.DrumkenBum]

After years of facebook hate. I finally surrendered and created an account. (Only because not having one is starting to look strange.)
Hours of fighting, cursing, and seriously elevated blood pressure later I was signed up and had found one relative. It was probably not a hack, just me trying to find a way to add someone without giving facebook my email credentials.
Facebook can have access to my email when they pry the credentials from my cold dead hands!

Re:My bad.

[GeorgieBoy]

In the next several years, it might be weird to _still_ have a Facebook account. Just like an AOL email, myspace account...

I left FB in 2009 and haven't looked back.

Re:My bad.

It took you hours to sign up and find a relative on facebook?

Re:My bad.

[Capt.DrumkenBum]

I always though FB was just pointless. But a friend of mine was applying for a job, and they wanted to see her facebook page. "I don't have one.", was not an acceptable answer.
This was for a highly paid job in a position of significant trust. I can understand their reasoning. Hiring someone to a position like that you would want to make sure that their FB would not become a cause of embarrassment later.
Note they asked to see her facebook, not for her login, or password.

Re:My bad.

[TheP4st]

a friend of mine was applying for a job, and they wanted to see her facebook page. "I don't have one.", was not an acceptable answer.

This was for a highly paid job in a position of significant trust. I can understand their reasoning.

I can't.

It is not like it is unheard of people not having a FB account, not even outside the basement dweller circle. If they do not accept as an answer that you do not have an FB account then already at that point the "position of significant trust" have collapsed.

Re:My bad.

[Overzeetop]

Do you use another social networking site, or do you simply not partake in relationships online at all?

Re:My bad.

Some people don't live in basements and can actually have relationships with people in a non virtual circumstance. It is called real life.

Re:My bad.

[Capt.DrumkenBum]

I did not use any "social networking" site. What did I need that for? I have a phone in my pocket with all my real friends phone numbers stored in it.

Re:My bad.

[Capt.DrumkenBum]

It must be nice to live in your black and white world. There are far too many shades of grey in my world.
Right or wrong, the fact is that it looks odd if you are applying for a technical job and you don't have a facebook presence.
If my 72 year old mother has a facebook account then EVERYONE has an account.

Re:My bad.

[gl4ss]

Some people don't live in basements and can actually have relationships with people in a non virtual circumstance. It is called real life.

and some people have a social life without having a phone number.

so?

you know what's funny about many facebook pariahs? they have blogs and homepages on which they share everything with everyone.

Re:My bad.

[vux984]

Hiring someone to a position like that you would want to make sure that their FB would not become a cause of embarrassment later.

Then you would think "I find their handling of user privacy to fall well short of my expectations and I find using it an overall time consuming distraction from more important things in my life. Furthermore, as I am applying for a position of significant trust my choice not to maintain a facebook page eliminates the possibility of it ever being a cause of personal or professional embarrassment." would be a perfectly acceptable response.

"I don't have one.", was not an acceptable answer.

Sounds like an HR sub-drone had a field on a form they weren't supposed to leave blank. Their heads tend to explode when you don't have a middle initial either, or a home phone number that isn't your cell number.

Re:My bad.

[Anne+Thwacks]

I always though FB was just pointless.

Obviously you are not a thirteen year old school-girl with no friends. That is the target audience for FB. Nerds come here instead.

Re:My bad.

[Anne+Thwacks]

I have a phone in my pocket with all my real friends phone numbers stored in it.

So what are you doing here then? Picture or it didn't happen!

Re:My bad.

In the next several years, it might be weird to _still_ have a Facebook account. Just like an AOL email, myspace account...

I left FB in 2009 and haven't looked back.

Me weirdo. MySpace is pretty good for music actually. All the agencies piled in on behalf of their performer clients years ago and maintain their pages.

I don't use it much, but very occasionally listen to new stuff there.

Re:My bad.

Yes, you have to maintain a limited presence for that reason, and the psych profilers.

Just tie a few feeds together, e.g. you post some pix to flickr they get tweeted, then if you blog one somewhere, it proliferates to G+, Tumblr and FB etc. Combine with a few likes here and there, the odd comment and you're done. An apparent well adjusted online blah blah... Will even get you a Klout score around the 40 mark.

Re:My bad.

Soo.. in your 'shades of grey' world, a singular fact - not having a facebook account, by default 'looks odd',
and it is also not 'black and white' for 'I don't have a facebook account' to by-default 'not be acceptable'?

Please, tell me more about this fascinatingly deep and multifaceted grayscale universe you live in!

That's way too broad

[SuperKendall]

however, the advice is to check your source if you've visited a mobile dev. site in the past couple of months,

That's kind of bad advice though. It covers way too many people.

I don't even have Java installed so I don't need to check anything, as far as this story goes... but it would be really good to know what site EXACTLY was the cause of the problem so we'd know to look out for other ways the site may have been exploited if we visit. I mean, is every mobile developer on the planet now supposed to change the password for every development site just because one got hacked?

And if it's an Android development site then a whole category of Mobile developers don't even need to worry.

It's not like know WHICH site would hurt them that much, developers understand sometimes these things happen. But there's just no realistic way to evaluate and mitigate damage without knowing which site was the problem.

Also, more is involved host files compromised...

[SuperKendall]

Do check your hosts file though for rouge entries.

This is another thing that just doesn't add up. Lets say I did have Java installed, and visited this rogue site. Ok then, how did my hosts file get changed? I don't have permission to write to it, no developer is going to visit a web page and then type in a password into a "webpage would like full access to your system" box.

To me it seems way more likely that it's not just any developer at risk, but that it was a very targeted attack on small groups of developers (like Facebook).

Re:Also, more is involved host files compromised..

[amicusNYCL]

Ok then, how did my hosts file get changed?

Privilege escalation, arbitrary code execution.

I don't have permission to write to it, no developer is going to visit a web page and then type in a password into a "webpage would like full access to your system" box.

That point is moot if the exploit doesn't require any interaction.

You're doing it wrong

[Overzeetop]

You seriously don't have a single friend on Teh Facebook? It may be difficult to find a particular person on FB, but to find a reasonable number of acquaintances usually isn't that hard unless you hang out exclusively with FB deniers. It's been so long since I signed up, I can't remember who my first FB "friends" were, but it wasn't hard to find a dozen or so people I knew.

I've had my email address for so long (easily 15+ with the same personal address, almost 10 with my work address) that it's basically public knowledge - if you know my name, you know my email address. It was dicey for a while before spam filters got good. Now, I don't really care who has it. In fact, I keep it on facebook so people I know who might need to really contact me can do so at my "real" email address. (note: they sure as hell don't have my email password)

Don't fret over it...relax, and let people come to you. FB will recommend some (makes for some nice WTF moments at times), some people are obsessed with finding old acquaintances. Turn off all the notifications unless somebody tags or messages you. Check it once every couple of days for 5 minutes. FWIW, I use FB (a) to communicate about hobby stuff (events, coordination, advertising) and (b) to keep in touch with old HS/college buddies and family. All the stupid little stuff that you'd chat about over a beer if you weren't actually separated by hundreds or thousands of miles. It's actually quite useful...as long as you don't pretend that what you post is somehow "secret," you won't get into trouble.

Re:Also, more is involved host files compromised..

[SuperKendall]

Privilege escalation, arbitrary code execution.

But now you aren't talking Java exploit. You are talking an OSX exploit too. Not impossible, it's just not mentioned at all. It would imply a flaw in OS X that we'd very much like to know about also, yet it's not discussed.

That's the all-around problem, the reporting is incredibly shoddy. Is it just Android developers at risk? Just IOS developers? All Mac users because of a new OS X privilege exploit? We are all in the dark with the article as it was, to the point where we can't tell anything.

2 things

when will you people realize the java plugin is a dumb thing to have on your website, you can do a lot with javascript and html5 these days, you dont even need flash anymore.

secondly in other facebook related news,

Facebook managed record profits of roughly $1 billion for the full year. Despite its huge profit in 2012, Facebook will pay no federal or state taxes on its income — in fact it will get a $429 million refund instead, thanks to a tax reduction for executive stock options. Fox News reports that Facebook will continue to get huge tax breaks totaling about $3 billion in the coming years, as well.

when will people see the connection here ^^ looking more like a government op.

Re:2 things

You so edgy!

Re:Also, more is involved host files compromised..

[Synerg1y]

You folks realize that the JVM or any anything of that nature is going to require execute right?

Why's this significant you ask? Cause once the JVM's been exploited an attacker can run just about anything the JVM can, probably through the jvm itself.

Facebook hacks points

"hacks points"? Seriously? Is Slashdot edited by a chicken that randomly pecks at the "Approve" and "Reject" buttons?

Re:Facebook hacks points

[ti-85]

It's probably more like the Drinking Birdie in "King-Size Homer."

The Simpsons (No. 135)

Execute is not privilege

[SuperKendall]

You folks realize that the JVM or any anything of that nature is going to require execute right?/eM.

Yes, we ALL know that.

But it doesn't matter for what I was saying. I don't have write access to /etc/hosts, therefore neither does Java in a browser (or anywhere else I run it).

Yes it can do anything else in my home directory but I was warned to "check my hosts file". But why, when the only exploit mentioned is Java and that does not have permission (without an OS X exploit) to modify /etc/hosts.

Re:Execute is not privilege

[Synerg1y]

That's the thing with slashdot articles, they refer to it as a JAVA exploit... so in the world of security there is no 1 magic key master king exploit that does everything in one step. Things happen in series: Java gets exploited, access to the system is gained: and then something else is run to escalate privilege or gain access to an account, or simply report information. So via the Java exploit, "payloads" get delivered, which can do things like write to the hosts file. Consider how a lot of scareware gets on people's systems and one of the first things to get modified is usually the hosts config file.

I'll say it again

[slashmydots]

MACS DO NOT BELONG IN THE WORKPLACE! Besides being incompatible with everything in the entire universe, they are a targeted attack waiting to happen. They're like SCADA controllers if SCADA controllers had a following of obsessed fan who know very little about technology and never listen to reason about their products.

Re:I'll say it again

MACS DO NOT BELONG IN THE WORKPLACE! Besides being incompatible with everything in the entire universe, they are a targeted attack waiting to happen. They're like SCADA controllers if SCADA controllers had a following of obsessed fan who know very little about technology and never listen to reason about their products.

EXACTLY....can't wait to see how apple responds to this security flaw after promoting they can't be hacked or their systems compromised.

WTF is it with impersonating me?

Grow up & cut that crap out you immature geek angst riddled moron.

* You, definitely have "issues", no questions asked!

APK

P.S.=> The REAL apk that is, not that idiotic little troll fake I just replied to (that's probably "AnGrY" I got the better of him in a technical debate, like this one yesterday -> http://yro.slashdot.org/comments.pl?sid=3472325&cid=42940435

... apk