Facebook Hack Points To Much Bigger Threat For Mobile Developers
DavidGilbert99 writes "Facebook admitted last weekend that it was hacked but assured everyone that no data was compromised. However, following some investigation by security firm F-Secure, it seems this could be just the tip of the iceberg and that thousands of mobile app developers without the dedicated security team Facebook has in place could already be compromised. The vector for the attack was a mobile developer's website, and the malware used likely targeted Apple's Mac OS X rather than Windows."
This exploit was through Java. It was on a mobile app development site, which made it more likely to be installed by a developer of mobile apps, but it certainly isn't limited to just mobile developers.
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
"Facebook admitted last weekend that it was hacked but assured everyone that no data was compromised"
Can a hacker really compromise user data any more than the user that freely gave it away?
"If any question why we died, Tell them because our fathers lied."
Can't be that hard to tell! Sure, it might screw the site over 34023 over but fuck... could just post it.
Without the site name this is just F-Secure doing what it usually does: astroturfing! I mean there's literally NO NEW INFORMATION. OK, perhaps it's new information that it was a Java applet that was used as the attack vector.
world was created 5 seconds before this post as it is.
I develop in Java, but I don't have applets enabled in my general web browsing.
OMG. Are you saying that there are developers who use only one browser for everything?
If you are writing mobile software, you need to grasp the shortcomings of the platforms. Reading Hacking and Securing iOS Applications was eye-opening. And how many devs read it?
Security concerns within Android are even worse. How many know to layer on security beyond what is offered out of the box? Many developers are standardizing on SQLCipher, but what happens when that is the "standard" and becomes a larger target?
Before reading Hacking and Securing iOS Applications, the vulnerabilities were all sort of known to me, but the book sort of scared me into digging deeper and further securing my products.
Huh, wtf are you smoking? Any app you give away to be run on users' computers is subject to the user modifying it. Ain't no platform security that works out there. So that book is one big pile of snake oil (of course securing the communications between you and the user to some degree is important... but you shouldn't blindly trust the information that the client is sending). It's kind of useless to encrypt the "registered or not" DB you're using when the key is there in the program. Of course platforms have varying degrees of difficulty for people to hack (J2ME and non-NDK Android being on the easier side, of course).
But the basic idea that you could just trust the client to keep IAP information etc. secure is just.. stupid. Same goes for PC DRM of course, and this is why Diablo and the new Sim City are moving game logic into the servers, so what the user has becomes just a dumbed-down client, so hacking it doesn't give access to the sweets.
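The point this comment makes, that a client-held "registered or not" flag proves nothing once the client is modified, is easy to demonstrate in code. The following is an added example, not code from the thread or from any product named in it: a feature gate that trusts a client-supplied flag, beside a server-authoritative design in which the purchase ledger and an HMAC key live only on the server and the client merely carries an unforgeable entitlement token. The purchase records, user ids and secret are constructed for the demo.

```python
import hashlib
import hmac
import json

# Assumption: this secret exists only on the server side. A modified client
# never sees it, so it cannot mint or alter entitlement tokens.
SERVER_SECRET = b"constructed-demo-secret-not-for-real-use"

# Constructed server-side purchase ledger: user id -> set of purchased features.
PURCHASES = {
    "user-42": {"premium"},
    "user-99": set(),
}


def grant_vulnerable(client_request: dict) -> bool:
    """Trusts whatever the client claims about itself.

    A patched binary, an edited preferences file or a proxy that rewrites the
    request is all it takes to send {"premium": true} and unlock the feature.
    """
    return bool(client_request.get("premium"))


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def issue_entitlement(user_id: str, feature: str):
    """Server side: consult the ledger and, only if the purchase is real,
    hand the client a signed token. Returns None when nothing was bought."""
    if feature not in PURCHASES.get(user_id, set()):
        return None
    # Canonical JSON so that the signed bytes are reproducible on verification.
    payload = json.dumps({"u": user_id, "f": feature}, sort_keys=True).encode()
    return {"payload": payload.decode(), "tag": _sign(payload)}


def grant_hardened(token: dict, feature: str) -> bool:
    """Feature service: accept the client's token only if the server's own
    signature checks out and the token names the feature being requested.

    The client's opinion of its status is never consulted; any edit to the
    payload (different user, different feature) invalidates the tag.
    """
    if not token or "payload" not in token or "tag" not in token:
        return False
    expected = _sign(token["payload"].encode())
    if not hmac.compare_digest(expected, token["tag"]):
        return False
    claims = json.loads(token["payload"])
    return claims.get("f") == feature


if __name__ == "__main__":
    # Legitimate purchaser gets a token that verifies.
    good = issue_entitlement("user-42", "premium")
    print("user-42 premium:", grant_hardened(good, "premium"))
    # A modified client edits the payload to another user; the tag no longer matches.
    forged = {"payload": good["payload"].replace("user-42", "user-99"), "tag": good["tag"]}
    print("forged token:", grant_hardened(forged, "premium"))
    # The vulnerable gate, by contrast, opens for anyone who sets the flag.
    print("vulnerable gate:", grant_vulnerable({"premium": True}))
```

The hardened version does not encrypt anything on the device at all: the thing that matters is that the decision is made with data the client cannot touch, which is the same reasoning as moving game logic onto the server.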
world was created 5 seconds before this post as it is.
In the next several years, it might be weird to _still_ have a Facebook account. Just like an AOL email, myspace account...
I left FB in 2009 and haven't looked back.
However, the advice is to check your source if you've visited a mobile dev. site in the past couple of months.
That's kind of bad advice though. It covers way too many people.
I don't even have Java installed so I don't need to check anything, as far as this story goes... but it would be really good to know what site EXACTLY was the cause of the problem so we'd know to look out for other ways the site may have been exploited if we visit. I mean, is every mobile developer on the planet now supposed to change the password for every development site just because one got hacked?
And if it's an Android development site then a whole category of mobile developers don't even need to worry.
It's not like knowing WHICH site would hurt them that much; developers understand sometimes these things happen. But there's just no realistic way to evaluate and mitigate damage without knowing which site was the problem.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Do check your hosts file though for rogue entries.
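A hosts-file check of the kind this comment suggests can be scripted rather than eyeballed. The following is an added example, not something from the thread: it parses hosts-file text, skips the names that belong in a default file, and reports every other entry, classifying it as a redirect (a name pointed at a real address) or a sinkhole (a name pointed at loopback or 0.0.0.0, the trick used to silence update or vendor hosts). The sample content is constructed: the macOS default entries plus two planted rogue lines. Run it against the real file with `find_rogue_entries(open("/etc/hosts").read())`.

```python
import ipaddress

# Constructed sample: the macOS default /etc/hosts plus two planted rogue lines.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1\tlocalhost
255.255.255.255\tbroadcasthost
::1             localhost
fe80::1%lo0\tlocalhost
198.51.100.23   www.example-bank.com   # planted: points a real-looking site elsewhere
0.0.0.0         updates.example-av.com # planted: sinkholes an update host
"""

# Names that legitimately appear in stock hosts files on macOS and Linux.
DEFAULT_NAMES = frozenset({
    "localhost", "broadcasthost", "localhost.localdomain",
    "ip6-localhost", "ip6-loopback", "ip6-localnet",
    "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
})


def parse_hosts(text: str):
    """Yield (line_number, address_text, [names]) for each non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        yield lineno, parts[0], parts[1:]


def find_rogue_entries(text: str, allowed_names=DEFAULT_NAMES):
    """Return a list of suspicious entries as dicts with line, address, name, kind.

    kind is one of:
      "sinkhole"  - name mapped to loopback or 0.0.0.0 (blocks the host)
      "redirect"  - name mapped to any other address (hijacks the host)
      "malformed" - address does not parse or line has no hostname
    """
    flagged = []
    for lineno, addr_text, names in parse_hosts(text):
        # Strip an IPv6 scope id such as "%lo0" so the address parses on every Python version.
        try:
            addr = ipaddress.ip_address(addr_text.split("%", 1)[0])
        except ValueError:
            flagged.append({"line": lineno, "address": addr_text, "name": None, "kind": "malformed"})
            continue
        if not names:
            flagged.append({"line": lineno, "address": addr_text, "name": None, "kind": "malformed"})
            continue
        for name in names:
            if name.lower() in allowed_names:
                continue
            kind = "sinkhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
            flagged.append({"line": lineno, "address": addr_text, "name": name, "kind": kind})
    return flagged


if __name__ == "__main__":
    for entry in find_rogue_entries(SAMPLE_HOSTS):
        print(f"line {entry['line']}: {entry['kind']:8s} {entry['name']} -> {entry['address']}")
```

Anything the script lists is not automatically malicious (developers add test hosts all the time), but every line it prints is one you should be able to explain, and on a machine that never had a hosts entry added on purpose the list should be empty.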
The mauve and pastel entries are usually legit though!
Ok then, how did my hosts file get changed?
Privilege escalation, arbitrary code execution.
I don't have permission to write to it, no developer is going to visit a web page and then type in a password into a "webpage would like full access to your system" box.
That point is moot if the exploit doesn't require any interaction.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Privilege escalation, arbitrary code execution.
But now you aren't talking a Java exploit. You are talking an OS X exploit too. Not impossible, it's just not mentioned at all. It would imply a flaw in OS X that we'd very much like to know about also, yet it's not discussed.
That's the all-around problem: the reporting is incredibly shoddy. Is it just Android developers at risk? Just iOS developers? All Mac users because of a new OS X privilege exploit? We are all in the dark with the article as it was, to the point where we can't tell anything.
"There is more worth loving than we have strength to love." - Brian Jay Stanley