Slashdot Mirror
Facebook Hacks Points To Much Bigger Threat For Mobile Developers
DavidGilbert99 writes "Facebook admitted last weekend that it was hacked but assured everyone that no data was compromised. However following some investigation by security firm F-Secure, it seems this could be just the tip of the iceberg and that thousands of mobile app developers without the dedicated security team Facebook has in place could already be compromised. The vector for the attack was a mobile developer's website, and the malware used likely targeted Apple's Mac OS X rather than Windows."
This exploit was through Java. It was on a mobile app development site, which made it more likely to be installed by a developer of mobile apps, but it certainly isn't limited to just mobile developers.
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
Do such creatures exist?
"Facebook admitted last weekend that it was hacked but assured everyone that no data was compromised"
Can a hacker really compromise user data any more than the user that freely gave it away?
"If any question why we died, Tell them because our fathers lied."
If you are developing in java, certainly.
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
I'm an iOS developer, and frequent some development websites - but none I go to use Java. Does anyone know what site is affected? It seems like that would be REALLY useful to know to know if you were potentially impacted.
It's a good thing macs ship without Java by default now, that probably protected a lot of people.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
If you are writing mobile software, you need to grasp the shortcomings of the platforms. Reading Hacking & securing iOS Applications was eye opening - and how many devs read it?
Security concerns within Android are even worse. How many know to layer on security beyond what is offered out of the box? Many developers are standardizing on SQLCipher, but what happens when that is the "standard" and becomes a larger target?
Before reading Hacking & securing iOS Applications, the vulnerabilities were all sort of known to me, but the book sort of scared me into digging deeper and further securing my products.
Can't be that hard to tell! sure it might screw the site over 34023 over but fuck... could just post it.
without the site name this is just f-secure doing what it usually does - astroturfing! I mean there's literally NO NEW INFORMATION. ok, perhaps it's new information that it was java that was used as applet that was used as attack vector.
world was created 5 seconds before this post as it is.
In the next several years, it might be weird to _still_ have a Facebook account. Just like an AOL email, myspace account...
I left FB in 2009 and haven't looked back.
however, the advice is to check your source if you've visited a mobile dev. site in the past couple of months,
That's kind of bad advice though. It covers way too many people.
I don't even have Java installed so I don't need to check anything, as far as this story goes... but it would be really good to know what site EXACTLY was the cause of the problem so we'd know to look out for other ways the site may have been exploited if we visit. I mean, is every mobile developer on the planet now supposed to change the password for every development site just because one got hacked?
And if it's an Android development site then a whole category of Mobile developers don't even need to worry.
It's not like know WHICH site would hurt them that much, developers understand sometimes these things happen. But there's just no realistic way to evaluate and mitigate damage without knowing which site was the problem.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Do check your hosts file though for rouge entries.
This is another thing that just doesn't add up. Lets say I did have Java installed, and visited this rogue site. Ok then, how did my hosts file get changed? I don't have permission to write to it, no developer is going to visit a web page and then type in a password into a "webpage would like full access to your system" box.
To me it seems way more likely that it's not just any developer at risk, but that it was a very targeted attack on small groups of developers (like Facebook).
"There is more worth loving than we have strength to love." - Brian Jay Stanley
It took you hours to sign up and find a relative on facebook?
Ok then, how did my hosts file get changed?
Privilege escalation, arbitrary code execution.
I don't have permission to write to it, no developer is going to visit a web page and then type in a password into a "webpage would like full access to your system" box.
That point is moot if the exploit doesn't require any interaction.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
I always though FB was just pointless. But a friend of mine was applying for a job, and they wanted to see her facebook page. "I don't have one.", was not an acceptable answer.
This was for a highly paid job in a position of significant trust. I can understand their reasoning. Hiring someone to a position like that you would want to make sure that their FB would not become a cause of embarrassment later.
Note they asked to see her facebook, not for her login, or password.
If I were God, wouldn't I protect my churches from acts of me?
a friend of mine was applying for a job, and they wanted to see her facebook page. "I don't have one.", was not an acceptable answer.
This was for a highly paid job in a position of significant trust. I can understand their reasoning.
I can't.
It is not like it is unheard of people not having a FB account, not even outside the basement dweller circle. If they do not accept as an answer that you do not have an FB account then already at that point the "position of significant trust" have collapsed.
"I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
You seriously don't have a single friend on Teh Facebook? It may be difficult to find a particular person on FB, but to find a reasonable number of acquaintances usually isn't that hard unless you hang out exclusively with FB deniers. It's been so long since I signed up, I can't remember who my first FB "friends" were, but it wasn't hard to find a dozen or so people I knew.
I've had my email address for so long (easily 15+ with the same personal address, almost 10 with my work address) that it's basically public knowledge - if you know my name, you know my email address. It was dicey for a while before spam filters got good. Now, I don't really care who has it. In fact, I keep it on facebook so people I know who might need to really contact me can do so at my "real" email address. (note: they sure as hell don't have my email password)
Don't fret over it...relax, and let people come to you. FB will recommend some (makes for some nice WTF moments at times), some people are obsessed with finding old acquaintances. Turn off all the notifications unless somebody tags or messages you. Check it once every couple of days for 5 minutes. FWIW, I use FB (a) to communicate about hobby stuff (events, coordination, advertising) and (b) to keep in touch with old HS/college buddies and family. All the stupid little stuff that you'd chat about over a beer if you weren't actually separated by hundreds or thousands of miles. It's actually quite useful...as long as you don't pretend that what you post is somehow "secret," you won't get into trouble.
Is it just my observation, or are there way too many stupid people in the world?
Do you use another social networking site, or do you simply not partake in relationships online at all?
Is it just my observation, or are there way too many stupid people in the world?
Privilege escalation, arbitrary code execution.
But now you aren't talking Java exploit. You are talking an OSX exploit too. Not impossible, it's just not mentioned at all. It would imply a flaw in OS X that we'd very much like to know about also, yet it's not discussed.
That's the all-around problem, the reporting is incredibly shoddy. Is it just Android developers at risk? Just IOS developers? All Mac users because of a new OS X privilege exploit? We are all in the dark with the article as it was, to the point where we can't tell anything.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I did not use any "social networking" site. What did I need that for? I have a phone in my pocket with all my real friends phone numbers stored in it.
If I were God, wouldn't I protect my churches from acts of me?
It must be nice to live in your black and white world. There are far too many shades of grey in my world.
Right or wrong, the fact is that it looks odd if you are applying for a technical job and you don't have a facebook presence.
If my 72 year old mother has a facebook account then EVERYONE has an account.
If I were God, wouldn't I protect my churches from acts of me?
You folks realize that the JVM or any anything of that nature is going to require execute right?
Why's this significant you ask? Cause once the JVM's been exploited an attacker can run just about anything the JVM can, probably through the jvm itself.
Some people don't live in basements and can actually have relationships with people in a non virtual circumstance. It is called real life.
and some people have a social life without having a phone number.
so?
you know what's funny about many facebook pariahs? they have blogs and homepages on which they share everything with everyone.
world was created 5 seconds before this post as it is.
Hiring someone to a position like that you would want to make sure that their FB would not become a cause of embarrassment later.
Then you would think "I find their handling of user privacy to fall well short of my expectations and I find using it an overall time consuming distraction from more important things in my life. Furthermore, as I am applying for a position of significant trust my choice not to maintain a facebook page eliminates the possibility of it ever being a cause of personal or professional embarrassment." would be a perfectly acceptable response.
"I don't have one.", was not an acceptable answer.
Sounds like an HR sub-drone had a field on a form they weren't supposed to leave blank. Their heads tend to explode when you don't have a middle initial either, or a home phone number that isn't your cell number.
You folks realize that the JVM or any anything of that nature is going to require execute right?/eM.
Yes, we ALL know that.
But it doesn't matter for what I was saying. I don't have write access to /etc/hosts, therefore neither does Java in a browser (or anywhere else I run it).
Yes it can do anything else in my home directory but I was warned to "check my hosts file". But why, when the only exploit mentioned is Java and that does not have permission (without an OS X exploit) to modify /etc/hosts.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Obviously you are not a thirteen year old school-girl with no friends. That is the target audience for FB. Nerds come here instead.
Sent from my ASR33 using ASCII
So what are you doing here then? Picture or it didn't happen!
Sent from my ASR33 using ASCII
It's probably more like the Drinking Birdie in "King-Size Homer."
The Simpsons (No. 135)