Slashdot Mirror


Facebook Hack Points To Much Bigger Threat For Mobile Developers

DavidGilbert99 writes "Facebook admitted last weekend that it was hacked but assured everyone that no data was compromised. However, following some investigation by security firm F-Secure, it seems this could be just the tip of the iceberg and that thousands of mobile app developers without the dedicated security team Facebook has in place could already be compromised. The vector for the attack was a mobile developer's website, and the malware used likely targeted Apple's Mac OS X rather than Windows."

10 of 59 comments

  1. Not just mobile by schneidafunk · Score: 5, Informative

    This exploit was through Java. It was on a mobile app development site, which made it more likely to be installed by a developer of mobile apps, but it certainly isn't limited to just mobile developers.

    --
    Some people die at 25 and aren't buried until 75. -Benjamin Franklin
    1. Re:Not just mobile by gl4ss · Score: 4, Interesting

      F-Secure have been trying their damnedest to scare people into buying their garbage for Macs, so they'll take any opportunity they can get.

      yeah.. having now read it, the investigation uses proof of macs that fb had a mac on a promo picture of their security team(showing some powerpoint or keynote).

      that's not an investigation, it's gossip.

      --
      world was created 5 seconds before this post as it is.
  2. Curious by koan · Score: 5, Insightful

    "Facebook admitted last weekend that it was hacked but assured everyone that no data was compromised"

    Can a hacker really compromise user data any more than the user that freely gave it away?

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Curious by wbr1 · Score: 4, Insightful

      "Facebook admitted last weekend that it was hacked but assured everyone that no data was compromised"

      Can a hacker really compromise user data any more than the user that freely gave it away?

      By hacked, facebook means, freely given user data was stolen without our tithe.

      --
      Silence is a state of mime.
  3. WHAT FUCKING SITE?!?!? by gl4ss · Score: 3, Insightful

    Can't be that hard to tell! sure it might screw the site over 34023 over but fuck... could just post it.

    without the site name this is just f-secure doing what it usually does - astroturfing! I mean there's literally NO NEW INFORMATION. ok, perhaps it's new information that it was java that was used as applet that was used as attack vector.

    --
    world was created 5 seconds before this post as it is.
  4. Re:Yes by WebManWalking · Score: 4, Funny

    I develop in Java, but I don't have applets enabled in my general web browsing.

    OMG. Are you saying that there are developers who use only one browser for everything?

  5. Re:How many devs understand security? by gl4ss · Score: 4, Interesting

    If you are writing mobile software, you need to grasp the shortcomings of the platforms. Reading Hacking & securing iOS Applications was eye opening - and how many devs read it?

    Security concerns within Android are even worse. How many know to layer on security beyond what is offered out of the box? Many developers are standardizing on SQLCipher, but what happens when that is the "standard" and becomes a larger target?

    Before reading Hacking & securing iOS Applications, the vulnerabilities were all sort of known to me, but the book sort of scared me into digging deeper and further securing my products.

    huh, wtf you're smoking? any app you give away to be run in users computers is suspect to the user modifying it. ain't no platform security that works out there. so that book is one big pile of snake oil(of course securing the communications between you and the user to some degree is important.. but you shouldn't blindly trust that information that the client is sending). it's kind of useless to encrypt the "registered or not" db you're using when the key is there in the program. of course platforms have varying degrees of difficulty for people to hack(j2me and non-ndk android being on the easier side, of course).

    but the basic idea that you could just trust the client to keep iap information etc secure is just.. stupid. same goes for pc drm of course and this is why diablo and the new sim city are moving game logic into the servers so what the user has becomes just dumbed down client, so hacking it doesn't give access to the sweets.

    --
    world was created 5 seconds before this post as it is.
  6. Re:My bad. by GeorgieBoy · Score: 3, Interesting

    In the next several years, it might be weird to _still_ have a Facebook account. Just like an AOL email, myspace account...

    I left FB in 2009 and haven't looked back.

  7. Re:What development website was infected? by Anonymous Coward · Score: 4, Funny

    Do check your hosts file though for rouge entries.

    The mauve and pastel entries are usually legit though!

  8. Re:Also, more is involved host files compromised.. by SuperKendall · Score: 3, Insightful

    Privilege escalation, arbitrary code execution.

    But now you aren't talking Java exploit. You are talking an OSX exploit too. Not impossible, it's just not mentioned at all. It would imply a flaw in OS X that we'd very much like to know about also, yet it's not discussed.

    That's the all-around problem, the reporting is incredibly shoddy. Is it just Android developers at risk? Just IOS developers? All Mac users because of a new OS X privilege exploit? We are all in the dark with the article as it was, to the point where we can't tell anything.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley