Facebook Hack Points To Much Bigger Threat For Mobile Developers
DavidGilbert99 writes "Facebook admitted last weekend that it was hacked but assured everyone that no data was compromised. However, following some investigation by security firm F-Secure, it seems this could be just the tip of the iceberg and that thousands of mobile app developers without the dedicated security team Facebook has in place could already be compromised. The vector for the attack was a mobile developer's website, and the malware used likely targeted Apple's Mac OS X rather than Windows."
This exploit was through Java. It was on a mobile app development site, which made it more likely to be installed by a developer of mobile apps, but it certainly isn't limited to just mobile developers.
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
"Facebook admitted last weekend that it was hacked but assured everyone that no data was compromised"
Can a hacker really compromise user data any more than the user that freely gave it away?
"If any question why we died, Tell them because our fathers lied."
I develop in Java, but I don't have applets enabled in my general web browsing.
OMG. Are you saying that there are developers who use only one browser for everything?
If you are writing mobile software, you need to grasp the shortcomings of the platforms. Reading Hacking & Securing iOS Applications was eye-opening - and how many devs read it?
Security concerns within Android are even worse. How many know to layer on security beyond what is offered out of the box? Many developers are standardizing on SQLCipher, but what happens when that is the "standard" and becomes a larger target?
Before reading Hacking & Securing iOS Applications, the vulnerabilities were all sort of known to me, but the book sort of scared me into digging deeper and further securing my products.
huh, wtf are you smoking? any app you give away to be run on users' computers is susceptible to the user modifying it. ain't no platform security that works out there. so that book is one big pile of snake oil (of course securing the communications between you and the user to some degree is important.. but you shouldn't blindly trust the information that the client is sending). it's kind of useless to encrypt the "registered or not" db you're using when the key is there in the program. of course platforms have varying degrees of difficulty for people to hack (J2ME and non-NDK Android being on the easier side, of course).
but the basic idea that you could just trust the client to keep IAP information etc. secure is just... stupid. same goes for PC DRM of course, and this is why Diablo and the new SimCity are moving game logic into the servers so what the user has becomes just a dumbed-down client, so hacking it doesn't give access to the sweets.
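The point the comment above makes (a locally stored "registered" flag is worthless when the key that protects it ships inside the app, while a check the server performs with a key the client never holds is not) can be shown in a few lines. This is an added example in Python, not code from the commenter or from any of the products named; every key, user id and record in it is constructed for illustration.

```python
import hashlib
import hmac
import json

# ------------------------------------------------------------------
# Pattern 1 (weak): the "registered or not" flag lives on the client,
# sealed with a key that is compiled into the app. Whether the seal is
# encryption or a MAC makes no difference: the key is in the binary.
# ------------------------------------------------------------------
EMBEDDED_KEY = b"key-shipped-inside-the-app"   # hypothetical; anyone with the binary can read it


def _seal(payload: dict, key: bytes) -> bytes:
    """Serialise payload and append an HMAC tag (stands in for 'encrypt the db')."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def _open(blob: bytes, key: bytes):
    """Return the payload if the tag verifies under key, else None."""
    body, _, tag = blob.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def client_store_flag(registered: bool) -> bytes:
    """What the app writes to its local entitlement store after a purchase."""
    return _seal({"registered": registered}, EMBEDDED_KEY)


def client_is_registered(blob: bytes) -> bool:
    """Local check: trusts whatever the store says as long as the seal matches."""
    data = _open(blob, EMBEDDED_KEY)
    return bool(data and data.get("registered"))


def attacker_forge_local_flag() -> bytes:
    """The attacker pulled EMBEDDED_KEY out of the binary; they just write 'registered': True."""
    return _seal({"registered": True}, EMBEDDED_KEY)


# ------------------------------------------------------------------
# Pattern 2 (server-authoritative): the server decides, using a key the
# client never sees, and the premium data only leaves the server when
# the server's own check passes. Patching the client gains nothing.
# ------------------------------------------------------------------
SERVER_KEY = b"key-that-never-leaves-the-server"   # hypothetical; held only by the backend
PREMIUM_CONTENT = {"level_pack": b"bytes the client cannot produce on its own"}
_SERVER_ENTITLEMENTS = {"user-42": True, "user-99": False}   # constructed purchase records


def server_issue_token(user_id: str) -> bytes:
    """Server issues a token carrying the entitlement it has on record for user_id."""
    registered = _SERVER_ENTITLEMENTS.get(user_id, False)
    return _seal({"user": user_id, "registered": registered}, SERVER_KEY)


def server_get_premium(token: bytes):
    """The endpoint that actually hands out the goods re-verifies with SERVER_KEY."""
    data = _open(token, SERVER_KEY)
    if not data or not data.get("registered"):
        return None
    return PREMIUM_CONTENT["level_pack"]


def attacker_forge_server_token() -> bytes:
    """Best effort with client-side knowledge only: reuse the embedded key."""
    return _seal({"user": "user-99", "registered": True}, EMBEDDED_KEY)


if __name__ == "__main__":
    print("local flag, forged:", client_is_registered(attacker_forge_local_flag()))   # True
    print("server, real purchase:", server_get_premium(server_issue_token("user-42")) is not None)
    print("server, forged token:", server_get_premium(attacker_forge_server_token()) is not None)
```

The forged local flag passes because the check and the key are both in the attacker's hands; the forged server token fails because the only thing that matters, SERVER_KEY, never left the backend. That is the same reason the comment gives for moving game logic server-side: what the client holds stops being worth tampering with.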
world was created 5 seconds before this post as it is.
Do check your hosts file though for rouge entries.
The mauve and pastel entries are usually legit though!
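For anyone who wants to act on the hosts-file suggestion above rather than eyeball the file, here is an added example in Python (not the commenter's code) that parses a hosts file and flags names mapped to routable addresses, which is what a silent redirect of a real site looks like. The sample file contents and the addresses in it are constructed; loopback, unspecified, link-local and reserved targets are treated as normal because ad sinkholes and the default localhost lines use them.

```python
import ipaddress

# Constructed sample of a hosts file with two tampered lines (not real data).
SAMPLE_HOSTS = """\
##
# Host Database
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
0.0.0.0         ads.example.net          # deliberate sinkhole, harmless
198.51.100.23   www.facebook.com         # redirects a real site: suspicious
198.51.100.23   developer.apple.com
"""


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every usable mapping in text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0].split("%", 1)[0])   # strip IPv6 zone id
        except ValueError:
            continue                              # not an address: skip the line
        for name in parts[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def _is_benign_target(ip):
    """Loopback, 0.0.0.0/::, link-local, multicast and reserved targets do not redirect traffic anywhere useful."""
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_multicast or ip.is_reserved


def find_rogue_entries(text):
    """Return [(line_number, ip, hostname)] for names pointed at a routable address."""
    return [
        (lineno, str(ip), name)
        for lineno, ip, name in parse_hosts(text)
        if not _is_benign_target(ip)
    ]


def check_hosts_file(path="/etc/hosts"):
    """Run the check against a real file; returns the same list as find_rogue_entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_rogue_entries(fh.read())


if __name__ == "__main__":
    for lineno, ip, name in find_rogue_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

A hit is not proof of compromise (corporate images sometimes pin internal names this way), but a consumer machine whose hosts file sends www.facebook.com or an update server to an unfamiliar address deserves a closer look.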