Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Researchers Build Malicious Facebook App

CmdrTaco posted about 6 years ago | from the and-the-crowd-goes-wild dept.

Security 116

narramissic writes "Back in January, a team of researchers uploaded a malicious program to Facebook to demonstrate the possible dangers of social networking applications. Called 'Photo of the Day,' the app serves up a new National Geographic photo daily, but every time it's clicked it sends a 600 K-byte HTTP request for images to a victim's Web site. Photo of the Day is still listed on Facebook, with its authorship attributed to Andreas Makridakis, one of the researchers. The application has 514 active users now, with several comments praising it. The study was published by the Foundation for Research and Technology in Heraklion, Greece, and the Institute for Infocomm Research in Singapore."

cancel ×

116 comments

Sorry! There are no comments related to the filter you selected.

This one's for Bugmenot! (4, Funny)

Legion_SB (1300215) | about 6 years ago | (#24895217)

Attack!!

Re:This one's for Bugmenot! (1)

solitas (916005) | about 6 years ago | (#24897223)

Yeah, good! If they call it "bugmenot" then facebook users won't be able to tell/warn OTHER facebook users about it.

http://tech.slashdot.org/article.pl?sid=08/09/05/1741207 [slashdot.org]

Re:This one's for Bugmenot! (1)

JackieBrown (987087) | about 6 years ago | (#24897739)

Did you really feel the need to explain the joke?

Both stories are on the front page!

AC Builds Benevolent Frost Posting App (-1, Offtopic)

Anonymous Coward | about 6 years ago | (#24895243)

details to follow

I don't think I'm the first to say this but... (0)

Anonymous Coward | about 6 years ago | (#24895259)

Duh.

Facebook applications are a nightmare, in my mind.

Re:I don't think I'm the first to say this but... (3, Funny)

Captain Splendid (673276) | about 6 years ago | (#24895553)

Facebook applications are a nightmare, in my mind.

Good thing, then, that in reality, they're for the most part fun and useful!

Re:I don't think I'm the first to say this but... (1)

mini me (132455) | about 6 years ago | (#24897141)

The Facebook API had so much potential, but all the junk applications have made it impossible to weed out the bad applications from the good ones ultimately giving all Facebook applications a bad rap.

Re:I don't think I'm the first to say this but... (1)

NotBornYesterday (1093817) | about 6 years ago | (#24895991)

Bah. Other than the 600kb request, how much different is this than a good slashdotting?

Re:I don't think I'm the first to say this but... (1, Funny)

Anonymous Coward | about 6 years ago | (#24896771)

Other than that, Mrs. Lincoln, how did you enjoy the play?

Re:I don't think I'm the first to say this but... (1)

hangareighteen (31788) | about 6 years ago | (#24896643)

Mr. Izzard?

Researchers! (2, Funny)

goose-incarnated (1145029) | about 6 years ago | (#24895267)

Is there anything we cannot do?

"Here, grab your ankles, this won't hurt a little bit"

(That is a 100% truthful statement)

Re:Researchers! (1, Interesting)

mysidia (191772) | about 6 years ago | (#24895519)

Heh. Researchers experiment with anything malicious they want in the name of research, and publish their findings widely for the bad guys to consume.

With the tenuous justification "the bad guys would have surely come up with this already"

I'll accept the bad guys find these things out on their own, eventually too. But there are massive numbers of full-time researchers and few full-time bad guys.

Plus not that many bad guys will think of X attack; at least not until there are news articles or a fad, other well-known bad apps to mimick.

The "researchers" are helping, providing inspiration, and guidance to would-be part-time bad guys.

If the wannabe-bad-guys thought of using a facebook application to attack a third party before, now they most certainly have been inspired by this "research" and are dilligently racing, trying to be the first to take real advantage of the weakness!

When will we as a society stop giving positive recognition of any of these teams of "researchers" who do things that are trivial (but inspire bad guys) and paper news services with press releases?

I expect researchers to concentrate on the harder task of how to harden things and make them more secure.

Merely pointing out how horribly insecure things are is destructive not constructive.

Sorry, but it was pretty obvious to people familiar with Facebook apps and computer security, that this weakness existed.

Nothing novel or valuable has really been found here; except things that should have been reported to the site admins to be fixed.

The researchers did valuable work, but it's clear that the worldwide security threat of releasing the information to third parties is greater.

Re:Researchers! (3, Insightful)

goose-incarnated (1145029) | about 6 years ago | (#24895683)

Your points have been duly noted.

*pulls keyboard closer*

However, I feel, very strongly, that when one is willing to acknowledge "The researchers did valuable work", then all those points fall away.

As far as most research work goes (and it makes no difference whether you're in Marine Biology or Description Logics), all we do is publish what we find. Our most used sentence is "Nobody told me I had to find a solution as well". Most of research is simply discovering new problems for others to solve.

(ps, ignore misspellings/errors in this post, Parents came to visit and brought a full bottle of single-malt whiskey, and am pleasantly drunk right now :-))

Re:Researchers! (3, Insightful)

fictionpuss (1136565) | about 6 years ago | (#24895729)

Is this sarcasm which is going over my head?

there are massive numbers of full-time researchers and few full-time bad guys.

Do you have any figures/research for this or is it opinion?

The "researchers" are helping, providing inspiration, and guidance to would-be part-time bad guys.

The bad guys who will continue to go on and sell their exploits on international markets? So, the monetary motivation is nothing compared to the motivation generated by researchers?

Exploits exist. Bad guys have a motivation to find them and keep them secret. Without researchers in the field, the good guys would never be able to fix the exploits.

What about coming up with a better solution before panning the current situation which seems to work quite well? Do you work in the security field at all?

Also, Slashdot supports paragraphs.

Re:Researchers! (3, Interesting)

mysidia (191772) | about 6 years ago | (#24896307)

I'll concede there are financial motives for crackers to attempt to compromise systems.

But many, perhaps most crackers who would have that motive alone, are not successful. The financial motive is outweighed unless there is a means or method; unless they think they can succeed with a certain attack. If they find howtos/recipe books online or detailed publications of weaknesses that have not been addressed they are likely to find motive and find significant advantage and success in exploiting that problem and gaining the financial incentive.

I base this on the existence of Fortune-100 companies whose reason for existence is to deliver security solutions, and have multi-billion$ security budgets to that effect.

Companies like Symantec and F-Secure are public. Their staffing and other financial records are available for inspection; lookup their annual reports to see massive spending&staffing in research; there can be no doubts there. Script kiddies are secretive, and their exact number and records are not available for inspection.

I'll concede there is financial motive to compromise security. Both for criminal crackers and for non-criminal researchers. But the motive should be much larger for researchers to constantly find new ways to compromise security.

As long as the old ways continue to work perfectly fine; crackers can still satisfy their greed.

Security researchers on the other hand, by definition cannot merely re-discover the same attacks over and over again, they'll lose their funding.

Some crackers will be searching for new bugs, the bulk of them do not need to, they'll just wait until a new exploit is eventually published by a researcher, or they they can try to buy it. In either case, the research by a third party is what spreads the 'hack' into use.

People still download and run programs they shouldn't. People still download and run attachments they shouldn't, despite all warnings. Crackers don't have to be creative to try to get the financial incentive. They just have to use information and tools that are all publicly available now.

I don't think it's all that difficult to make useful but dangerous research information available to the security concerned while making it hard for all except the truly dedicated crackers.

Tighter publication restraints should help; such as not posting full text online, for free. A $1 or $2 nominal fee for access would generally reduce digestion by the general public, and teenagers without credit card access, who may lack judgement to limit use of security info to responsible purposes.

An additional aid may be an NDA consumers of publications have to accept to see sensitive research that describes exploits when the exploit effects many people and sites at the time of publication.

Not to mention.. for-fee articles help cover research costs....

Both fortunately and unfortunately, the unhampered public posting means anyone who searchers for the right keywords will see it..

Re:Researchers! (1)

bluefoxlucid (723572) | about 6 years ago | (#24897367)

If they find howtos/recipe books online or detailed publications of weaknesses that have not been addressed they are likely to find motive and find significant advantage and success in exploiting that problem and gaining the financial incentive.

WRONG.

Your secret, unpublished exploits work extremely well because we can't catch them with an IDS. Shit we know about we can see.

It's like if you know there's a cave that leads directly under a military base. You have to dig up from inside the cave to surface, there's no way out into the base; but it does go under the base, and it's down about 6 feet.

Tell the base commander, and he probably won't post guard. It's more advantageous to not worry about it. Run a report about egregious failings in base security, guards are there 5 minutes after you release the report. Enemies would be there, but they'd be the ones that would attack the front gate anyway because as soon as they show up their covert attack gets discovered and we send back-up to wipe 'em out. The advantage of using that attack venue is lost.

Re:Researchers! (2, Interesting)

mysidia (191772) | about 6 years ago | (#24897661)

An IDS is a failsafe, last line of defense, and only ever sure to work against a small category of pre-packaged attacks.

Pattern matching cannot detect the exploit of all types of weaknesses.

Not all types of weaknesses have a set string or sequence of bits you can reliably search for and ID an attack.

Generally IDS rules are specific to the most common attack, not the weakness.

The cracker that wants to evade your IDS and knows how to evade an IDS is likely to be successful.

E.g. if there is a buffer overflow, it is common for an IDS to look for common shellcode patterns. IDS is unlikely to be able to perform a stateful examination of all the application protocols including fragment assembly and actually detect the overflow condition.

There is this problem that the overflow has occured already, and chances are the application is already running the malicious code, just as your IDS is detecting it and starting to alert you.

Re:Researchers! (3, Interesting)

fictionpuss (1136565) | about 6 years ago | (#24897947)

Word is that there are several dozen zero-day Linux kernel exploits on the blackhat market right now. For what it's worth that's anecdotal, but even if that figure is exaggerated, the blackhats are still out powering the whitehats in either number or technical ability.

If they didn't then they wouldn't exist.

I'm not going to be able to respond to you point-by-point because of a rather general lack of coherence, so I'm going to pick and choose:

Companies like Symantec and F-Secure are public. Their staffing and other financial records are available for inspection; lookup their annual reports to see massive spending&staffing in research; there can be no doubts there.

My impression was that the R&D was spent on things like Vista compatibility and defending their own protection programs from being disabled as part of the exploit.

I've never heard of one case of an anti-virus company proactively researching a vulnerability and patching it. There wouldn't seem to be much of a business model to create from that. But if I'm wrong then there should be plenty of evidence - why would they spend the R&D that you mention, and not publicise its positive effects?

Some crackers will be searching for new bugs, the bulk of them do not need to, they'll just wait until a new exploit is eventually published by a researcher, or they they can try to buy it. In either case, the research by a third party is what spreads the 'hack' into use.

At least in the Linux world, vulnerabilities, once published, tend to have fixes out pretty darn quickly. This is not a winning strategy for a blackhat.

Also - a researcher who sells to blackhats, is a blackhat by definition.

I don't think it's all that difficult to make useful but dangerous research information available to the security concerned while making it hard for all except the truly dedicated crackers.

You seem to be describing exactly what happened with the recent DNS server vulnerability?

A $1 or $2 nominal fee for access would generally reduce digestion by the general public, and teenagers without credit card access

Blackhats are not terribly concerned about copyright infringement. If they didn't hack the server silently to get past the $1 or $2 fee, then they'd use someone elses credit card info.

Once one copy is made, then the information is available on the blackhat market anyway, except the whitehats have a harder time getting to it.

Both fortunately and unfortunately, the unhampered public posting means anyone who searchers for the right keywords will see it..

Blackhats aren't idly spending their days typing "latest exploit info" into Google. They have their own information market spaces, and they are skilled and efficient at what they do.

Everything you describe which makes it harder for whitehats is to the benefit of blackhats.

Re:Researchers! (0)

Anonymous Coward | about 6 years ago | (#24899989)

What good would a Kernel exploit do? Most kernel exploits you need to have shell access to make use of. Just because there are fixes out quick doesn't mean people use them. If you have ever been privy to the computer underground I think you would understand that there are far less people out there with skills to write exploits than you think.

Mods on crack (-1, Troll)

goose-incarnated (1145029) | about 6 years ago | (#24895981)

Oh FCOL, who the fuck moderated this as troll - c'mon - play nicely here - over the last few days it seems that a metric fuckton of non-troll and/or non-flamebait posts have been modded most unfairly. Who the hell is getting modpoints these days?

Re:Mods on crack (1)

Hal_Porter (817932) | about 6 years ago | (#24898709)

Oh FCOL, who the fuck moderated this as troll - c'mon - play nicely here - over the last few days it seems that a metric fuckton of non-troll and/or non-flamebait posts have been modded most unfairly. Who the hell is getting modpoints these days?

Mod Parent down

-1 Censored.

Re:Researchers! (1)

maxume (22995) | about 6 years ago | (#24895743)

Obviously you have never anally raped goatse guy.

Re:Researchers! (1)

goose-incarnated (1145029) | about 6 years ago | (#24895781)

And you've obviously never seen some of these research grants. How do you think the goatse guy got that way i the first place?

Re:Researchers! (0)

Anonymous Coward | about 6 years ago | (#24896195)

Practice, practice, practice!

Re:Researchers! (1)

goose-incarnated (1145029) | about 6 years ago | (#24896441)

Or "grants grants grants" :-)

social networking considered harmful (5, Funny)

suck_burners_rice (1258684) | about 6 years ago | (#24895287)

First of all, let's get something straight. Social networking is a BAD idea. Especially the sort of social networking that takes place at bars, clubs, parties, etc. The only safe place in the world is safe and sound all by your lonesome in your parents' basement.

Re:social networking considered harmful (2, Funny)

Bieeanda (961632) | about 6 years ago | (#24895309)

Oh good, I'm already there.

Can I order hot pockets over the Internet?

Re:social networking considered harmful (2, Interesting)

Brynath (522699) | about 6 years ago | (#24895649)

no but you can order a "Bucket o'food [gizmodo.com] " for $75 that will give you 275 "meals"

Re:social networking considered harmful (1)

Hal_Porter (817932) | about 6 years ago | (#24898749)

I love this comment

Why not just cut the bullshit, mix it all together and label it "Bachelor Chow"?

Re:social networking considered harmful (1)

crossmr (957846) | about 6 years ago | (#24898913)

Just log in to Everquest and type /hotpockets

Re:social networking considered harmful (5, Funny)

goose-incarnated (1145029) | about 6 years ago | (#24895347)

The only safe place in the world is safe and sound all by your lonesome in your parents' basement.

Here in SA I've got 14cm hunter spiders in my parents basement! Seriously. These things have garden snakes for breakfast, so don't fucking tell me how safe my parents basement is - I only go in there with a team of sherpas and a pack of wolves.

On the plus side, we've very few snakes left.

Re:social networking considered harmful (1)

sphealey (2855) | about 6 years ago | (#24895823)

> On the plus side, we've very few snakes left.

Unfortunately, we depend on the snakes to keep the rats under control.

sPh

Re:social networking considered harmful (1)

goose-incarnated (1145029) | about 6 years ago | (#24895865)

The spiders do that as well. Bloody hell, they would get mistaken for tarantulas, only tarantulas are not that aggressive or large.

Welcome to South Africa, have a nice day, oh, and by the way, stay away from anything furry with eight legs and a social problem.

Re:social networking considered harmful (1)

TheLink (130905) | about 6 years ago | (#24898495)

So let me get this right, Natalie Portman would be petrified in your parents' basement?

Re:social networking considered harmful (1)

MPAB (1074440) | about 6 years ago | (#24899593)

On the plus side, we've very few snakes left.

We could let your spiders loose on planes!

Re:social networking considered harmful (3, Funny)

Anonymous Coward | about 6 years ago | (#24895447)

Not my parents' basement... It is pitch black. You are likely to be eaten by a grue.

Re:social networking considered harmful (5, Funny)

Surt (22457) | about 6 years ago | (#24895847)

There's a guy a few posts up with some hunter spiders that will take care of that grue for you.

Re:social networking considered harmful (1)

ksd1337 (1029386) | about 6 years ago | (#24896263)

I've got some sharks with lasers on their forehead to take care of those hunter spiders.

Re:social networking considered harmful (1)

cyberstealth1024 (860459) | about 6 years ago | (#24896425)

I've seen those spiders. The sharks with lasers have got nothing on those spiders. Hope you have a nice insurance policy for the sharks!

Re:social networking considered harmful (0)

Anonymous Coward | about 6 years ago | (#24896741)

I'm sure the sharks with lasers will do, unless those are laser spiders, then the sharks have no hope.

Re:social networking considered harmful (1)

kramulous (977841) | about 6 years ago | (#24897479)

But ... but .. we've got some dangerous critters as well! Our jellyfish are considered badarse! They don't even need lasers. They're more touchy-feely. Much worse in a basement. One full of sea water that is.

Re:social networking considered harmful (1)

MiniMike (234881) | about 6 years ago | (#24897373)

Right. Prepare to have spiders with lasers on their forehead (and nice sharkskin boots on all eight feet).

Re:social networking considered harmful (1)

MPAB (1074440) | about 6 years ago | (#24899599)

And a beowulf cluster of those!

Re:social networking considered harmful (0)

Anonymous Coward | about 6 years ago | (#24895503)

First of all, let's get something straight. Social networking is a BAD idea. Especially the sort of social networking that takes place at bars, clubs, parties, etc. The only safe place in the world is safe and sound all by your lonesome in your parents' basement.

Insightful? I must be reading Slashdot!

Re:social networking considered harmful (-1, Flamebait)

Anonymous Coward | about 6 years ago | (#24895619)

Gah, someone mod him down -1;Flamebait

Re:social networking considered harmful (1, Funny)

Anonymous Coward | about 6 years ago | (#24895671)

The only safe place in the world is safe and sound all by your lonesome in your parents' basement.

Radon. Carbon Monoxide. Mr. Muggles.

Nope, you're fucked.

Re:social networking considered harmful (4, Funny)

somersault (912633) | about 6 years ago | (#24895761)

It's not a basement, it's a command centre

Re:social networking considered harmful (0)

R2.0 (532027) | about 6 years ago | (#24896057)

"It's not a basement, it's a command centre"

I believe the word you are looking for is "bunker". Or, in England, "bunkre".

Re:social networking considered harmful (1)

somersault (912633) | about 6 years ago | (#24896085)

Actually it's bunker in the UK as well o_0 I was actually quoting from Die Hard 4.0, or in the US, "Live Free or Die Hard"

Re:social networking considered harmful (0)

Anonymous Coward | about 6 years ago | (#24896213)

Woosh.

Re:social networking considered harmful (1)

somersault (912633) | about 6 years ago | (#24899213)

You're damn right "whoosh". Either it's a random quote for something I don't know, or it's just an unfunny (to me) reference to spelling differences. It's you guys that fuck with the spellings, not us ;)

Re:social networking considered harmful (1)

Surt (22457) | about 6 years ago | (#24896809)

I believe the british version is 'bukkake' not 'bunkre'.

Re:social networking considered harmful (1)

Jeff DeMaagd (2015) | about 6 years ago | (#24898111)

If it uses the British spelling, it must be good!

Re:social networking considered harmful (1)

techno-vampire (666512) | about 6 years ago | (#24896713)

The only safe place in the world is safe and sound all by your lonesome in your parents' basement.

My parent's house doesn't have a basement you insensitive clod! I'm stuck in the den!

Re:social networking considered harmful (1)

elgatozorbas (783538) | about 6 years ago | (#24896759)

Why the f*ck is this rated insightful? "Funny" doesn't render karma, but "underrated" also exists. Smothering your personal info all over the place might be a bad idea, but doing so in a bar is infinitely less dangerous than doing it on the www where every future employer/mother in law can find you back years later.

Re:social networking considered harmful (1)

suck_burners_rice (1258684) | about 6 years ago | (#24897027)

Smothering your personal info all over the place might be a bad idea, but doing so in a bar is infinitely less dangerous than doing it on the www where every future employer/mother in law can find you back years later.

Which is why I'm gonna write a book, for which I haven't made up the title yet, about an underground gang of 1337z h4x0rz who, for a high fee, of course, hack into all kinds of social networking sites and whatnot and fix peoples' information. So that girl who had some revealing pictures taken can have them mysteriously disappear. That dude who wrote a bunch of anti-country stuff and later grew up and decided to run for office can have that text changed to something a bit more appropriate, etc.

Re:social networking considered harmful (1)

kramulous (977841) | about 6 years ago | (#24897437)

Sick! Tell me there are black choppers to get them into secure data centres ... located in exotic countries on mountain tops?

Re:social networking considered harmful (1)

registrar (1220876) | about 6 years ago | (#24897421)

I don't think there's any doubt that facebook is a malicious app. Maybe the world is too...

BFD(?) (5, Insightful)

CWRUisTakingMyMoney (939585) | about 6 years ago | (#24895311)

So, some researchers used Facebook as a singularly inefficient method of DDoSing someone. Anyone who wants a site taken down will use a botnet or something more reliable (and high-volume) than counting on Facebook users to add the latest greatest app of the day. Am I missing something, or is this really not nearly serious enough even to make /.?

Re:BFD(?) (2, Insightful)

ohxten (1248800) | about 6 years ago | (#24895471)

That's why it's here. We don't know. It's up to us geeks to philosophize.

Re:BFD(?) (1)

Hal_Porter (817932) | about 6 years ago | (#24899033)

That's why it's here. We don't know. It's up to us geeks to philosophize.

We're like dust in the wind, dude.

Dust.
Wind.
Dude.

Re:BFD(?) (4, Insightful)

BitHive (578094) | about 6 years ago | (#24895477)

No, this is absolutely retarded. This is like saying I've uploaded malicious content to slashdot by telling everyone to click here for free porn [slashdot.org] where "here" is my victim's website.

MOD PARENT UP (1)

Captain Splendid (673276) | about 6 years ago | (#24895517)

Parent is correct. This is a PEBKAC problem if I ever saw one. Man, people really will freak out over every little thing, won't they?

Re:BFD(?) (4, Funny)

aftk2 (556992) | about 6 years ago | (#24895557)

I clicked it. Who else did? Don't be shy!

Re:BFD(?) (1)

frank_adrian314159 (469671) | about 6 years ago | (#24895767)

Effin' ripoff! There weren't no porn thar!

Re:BFD(?) (1)

PsychoElf (571371) | about 6 years ago | (#24896081)

Just depends how you look at it! Be creative!

Re:BFD(?) (1)

NotQuiteReal (608241) | about 6 years ago | (#24896723)

Yeah, first off, the link showed me an ad for the new "Choke" movie. That made me think of choking chickens.

Then, as luck would have it, I get an ad for more flexible screwing [doubleclick.net] when I hit the reply button. Well, what more do you need to get you going?

[x] post anonymously

Re:BFD(?) (1)

DMUTPeregrine (612791) | about 6 years ago | (#24896727)

http://www.foobies.com/ [foobies.com] has plenty of free porn. Thank Drew Curtis.
Oh, wait, supposed to ddos a victim. Nevermind then.

Re:BFD(?) (0)

Anonymous Coward | about 6 years ago | (#24896575)

Not me.

I'm pretty sure the kind of porn hosted on slashdot is the kind I'd wish I could unsee later.

Re:BFD(?) (1)

coren2000 (788204) | about 6 years ago | (#24898275)

I didn't. I dont need the help.

Re:BFD(?) (1)

malinha (1273344) | about 6 years ago | (#24895597)

ya, just post the link on slashdot and the users will do the rest, no botnet needed.

Re:BFD(?) (0)

Anonymous Coward | about 6 years ago | (#24895749)

Okay so how do you get to the porn? I couldn't find it...

Re:BFD(?) (5, Funny)

Clandestine_Blaze (1019274) | about 6 years ago | (#24895961)

You should have linked to Idle, now that's malicious.

Re:BFD(?) (1)

slimjim8094 (941042) | about 6 years ago | (#24897863)

ERROR
The requested URL could not be retrieved

While trying to retrieve the URL: http://it.slashdot.org/%23 [slashdot.org]

The following error was encountered:

        * Read Error

The system returned:

        (104) Connection reset by peer

An error condition occurred while reading data from the network. Please retry your request.

Damn you!

Re:BFD(?) (0)

Anonymous Coward | about 6 years ago | (#24900107)

So, some researchers used Facebook as a singularly inefficient method of DDoSing someone.

The first thought that popped into my mind when I read the summary was, "Rube Goldberg hotlinking."

Nothing new... (2, Informative)

Tmack (593755) | about 6 years ago | (#24895549)

I see .swf attack scripts all the time that do the same thing: user clicks to view a .swf, the swf sends a request per second to some other page. Get enough people to click on your "new Flash game" or "sexxy webcam" and you get a DOS (albeit usually weak).

tm

Re:BFD(?) (2, Interesting)

caffeinemessiah (918089) | about 6 years ago | (#24895575)

So, some researchers used Facebook as a singularly inefficient method of DDoSing someone.

Agreed. Especially since a user trying to interact with ANYTHING dynamic on a profile page has to CLICK it to enable it. Embed your own "malicious" DDOS flash code into an "application" with some cutesy front end, and have it pull a large NASA image and push it as a form upload to the target site. Basically, once the user clicks your flash/activeX/blaahXY content, you have an array of flash/activeX/blaahXY exploits to exploit.

Unless of course they figured out a way of activating the dynamic content without the user clicking (this was a hack submitted a while ago as a XSS exploit, local news went nuts about it). Now THAT would be a nice hack, as it would allow the design of apps to counter-stalk (i.e. see who's been viewing your profile).

Re:BFD(?) (2, Insightful)

hdon (1104251) | about 6 years ago | (#24895655)

I agree 99% with CWRUisTakingMyMoney.

I have not read the article, but I'd like to point out the possibility that because social networking is a big buzz-word, the experiment is being misrepresented.

While I don't believe an experiment really proves anything to anyone with a mind of their own, I think we're all way past due to begin thinking about better sandboxing (more precise, efficient, and platform-agnostic) methods for running all the untrustworthy code we do. We ought to have control over how resources of all kinds are allowed to anything we run. It should be trivial to tell your browser what the default outgoing transmission rate for a Facebook app ought to be (but this should not be implemented in the browser -- it should be available for non-web-based software as well) as well as any other resource you can think of.

Re:BFD(?) (1)

shawn(at)fsu (447153) | about 6 years ago | (#24896045)

You could explain away the praises too.
I'm sure there are plenty of people who know its a hack and gave it praise just to get others to add the app to their page.

This is a nothing to see here story.

It's the delivery method, not the payload (2, Insightful)

Kelson (129150) | about 6 years ago | (#24896201)

Using the app to DDOS someone is simply the payload. The point is that:

(a) A trojan was introduced into the ecosystem.
(b) Users installed it.

It's not clear whether the users simply saw it in the directory and installed it, or whether they looked at their friends' apps and said, "Hey, that looks interesting." (Or whether users were promoting it to their friends, like a chain letter.)

The lesson is that social network apps need to be treated with the same caution as apps that you would install on your computer.

Re:BFD(?) (1)

Firehed (942385) | about 6 years ago | (#24896581)

There are plenty of apps that actually see some heavy use. As in 50k+ installations, not 500+. Just hotlinking an image could do some pretty heavy damage to most sites, never mind a massive POST request.

social apps and gadgets (2, Insightful)

gbh1935 (987266) | about 6 years ago | (#24895329)

There are inherent security risks any time you allow code to be executed on a mammoth scale without some serious security inspection and review.

Yeah, what a fantastic "application." (0)

Anonymous Coward | about 6 years ago | (#24895363)

In your FACE, Google!

more direct malicious app (5, Funny)

Narnie (1349029) | about 6 years ago | (#24895627)

Why not build a more aggressive app and call it something like "Facebook Botnet Webapp Client 2.04.2" and then reward people minion points for delivered spam, DDoS attack packets, and friend referrals. No need to hide it as a beneficial application, people want to belong to something--why else are they on facebook?

Re:more direct malicious app (0)

Anonymous Coward | about 6 years ago | (#24896179)

Why not build a more aggressive app and call it something like "Facebook Botnet Webapp Client 2.04.2" and then reward people minion points for delivered spam, DDoS attack packets, and friend referrals. No need to hide it as a beneficial application, people want to belong to something--why else are they on facebook?

  -why else do they post on forums?

Re:more direct malicious app (0)

Anonymous Coward | about 6 years ago | (#24898965)

"homo homini lupus"

you are joking but I think we would be somewhat surprised of the amount of people who would participate in such a ring. I mean willingly participate.

Re:more direct malicious app (1)

Narnie (1349029) | about 6 years ago | (#24899507)

It started out as a joke, but by the time I finished writing the post, it sounded pretty awesome and awesome should be written in LOLCODE [lolcode.com] .

Oh that's nothing (4, Funny)

joe_n_bloe (244407) | about 6 years ago | (#24895679)

I used to serve a 2mb file of zeros at favicon.ico. I even used a bogus MIME type to give MSIE a fighting chance. Of course MSIE ignored the MIME type and charged ahead anyway.

Re:Oh that's nothing (1)

Creepy Crawler (680178) | about 6 years ago | (#24896023)

You gave me a great idea.

Buffer overflow of favicon.ico

muhahahaha

Re:Oh that's nothing (1)

Firehed (942385) | about 6 years ago | (#24896617)

So... you just waste your own bandwidth? Nice.

Re:Oh that's nothing (1)

Culture20 (968837) | about 6 years ago | (#24896637)

probably compressed down to a kilobyte or two.

Isn't there in the EULA/TOS something (1)

davidsyes (765062) | about 6 years ago | (#24895723)

Isn't there in the EULA/TOS something that makes this verbotten? Unless he's/they've signed an NDA giving fb the time/opportunity to expunge the app, clean up the mess, and warn users, he's just helping the bad guys know fb is inattentive. Not as if the end users all have tools to ferret out the malicious apps.

If he's brought to court, then maybe the terms of settlement could be he acts as fb's and others' human sacrificial firewall.

fb could even retaliate by making a profile of the listed developer, making a negative bio/pic of him, and cause him grief. Not that i'd suggest it, but you never know...

Have to (1)

DigitalJer (1132981) | about 6 years ago | (#24895775)

...all your Facebook are belong to us.

Who's surprised? (1)

Whatanut (203397) | about 6 years ago | (#24896091)

So who was surprised by this? I had the same ideas awhile back when I first joined and noticed my ability to create my own apps. I considered creating one purely for the purpose of collecting user information. Just for the hell of it. But more of a way of seeing just how much data I could gather. I have yet to see an app on facebook that didn't require that you provide access to EVERYTHING. If you check (or uncheck.. don't remember how that works) any of the privacy options you get the message "But we neeeeeeed that!!!"

And it's for that reason I generally don't use any apps on there...

Doesn't work. (3, Funny)

Puffy Director Pants (1242492) | about 6 years ago | (#24896473)

Facebook is still operational.

Mod the main article down. It is redundant. (4, Funny)

CFD339 (795926) | about 6 years ago | (#24896591)

They built a malicious face book application. Big deal. They're all malicious and annoying. The whole damn site is a marketing work to pull personal data about interconnected relationships together for marketing.

"Malicious Facebook App" is like "Table Mesa" (a place in Arizona). Its redundant Mesa means Table in Spanish.

Explanation? (1)

adamziegler (1082701) | about 6 years ago | (#24897325)

I guess I don't get it... You click on a link for a picture, and it sends a request for a picture? Is this like me posting a link to picture here on /. that resides on a "victims" server?

Malicious? Faugh. (1)

ScrewMaster (602015) | about 6 years ago | (#24897841)

Personally, I consider Facebook to be a malicious app.

Channelling the masses for fun and profit (1)

PaleCommander (1358747) | about 6 years ago | (#24898303)

This seems, when all is said and done, to simply be taking advantage of the power of large numbers of people on the Internet. Facebook is merely a userbase that happens to have a toolset attached. Admittedly, the userbase is somewhat more suggestible than many others (see the various superhero/pirate/ninja viral games that can be seen cavorting across people's profiles); however, this type of coordination has been done before, albeit usually with participants' knowledge.

Hopefully, we can see this amount of effort on the part of researchers directed toward positive applications. Existing examples include the Search for Extraterrestrial Intelligence (SETI), protein folding, and the Mechanical Turk project.

This isn't so much a security issue as an underexploited resource. That said, the API hardly needs to leave its doors open to this sort of thing.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>