Q

Are social networking sites an easy target for malicious hackers?

With the rise of social networking giants like MySpace and Facebook, it makes sense that there would also be a rise in malware to attack them.

I recently read about the Orkut XSS worm attacking Google's social network. Are social networking sites such as MySpace and Facebook an easy target for malicious hackers? And, if so, why? Do these issues pose a threat to the enterprise?
Cross-site scripting (XSS) worms are a real threat. They have affected big social networking sites like MySpace, with the Samy worm back in 2005, and Orkut, with the Orkut worm in December 2007.

Social and business networking sites are the ideal vector for such attacks, because they have millions of people

composing Web-based content that millions of other people read. The attack vector works this way: an attacker finds a flaw in a filter on a target website that allows him or her to enter content that contains a malicious browser script. We'll get to the functionality of that script a bit later. The attacker posts the script as part of his or her account profile or other content on the site. When a victim user reads the Web page that includes the attacker's script, their browser fetches the script from the site and runs it. Running inside the victim's browser, the script can do anything on the vulnerable site that the victim can do: delete the victim's data stored on the website; add friends to the victim's account; send messages to the victim's acquaintances; buy really cheesy t-shirts from the site's store; or even update the victim's profile. Then, whenever other users read that victim's pages, they too become infected, spreading the malicious script in a self-replicating fashion.

The vulnerability here is that the target site doesn't properly filter user input to remove scripts. Because of all of the different encoding schemes available for Web content, comprehensive anti-XSS filters can be difficult to maintain.

Such attacks are an issue for the enterprise if employees store information on these types of sites. For example, if several employees of a given company have records on a social networking site that mention their company name, an attacker could construct an XSS worm that hunts for their particular accounts and leaves an embarrassing message associated with the company.

But the consequences could be far worse than simple embarrassment. Some elaborate scripting techniques could force a victim's browser to attack other sites, including intranet websites, when viewing content that includes the malicious script on a social networking site. Think about that -- a user views a friend's MySpace profile, and then his or her browser starts to scan and even exploit an internal ERP server.

To help mitigate these kinds of attacks, users may want to consider using the open-source NoScript plug-in for Firefox. This tool provides users with fine-grained control over when their browsers will run a script from a website, in effect policing scripts and related technologies to minimize the chance that an attacker can make a user's browser do evil. Visit NoScript's website to get more information and download it for free.

More information:

This was first published in April 2008

Dig deeper on Application Attacks (Buffer Overflows, Cross-Site Scripting)

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close