What threats are posed by the popularity of social networking sites like MySpace and YouTube?
The most prominent threats fall into two categories: technical and social. From a technical perspective, these social networking sites are, in reality, Web sites that allow hundreds of thousands of people to post content: on-line profiles, videos, and/or commentary. With all of that information coming in, malicious users are constantly trying to post malware, specifically browser exploits, to these sites. Attackers hope that if they are able to successfully load content containing a browser exploit, they can then take control of browsers by convincing other users to view their content.
Beyond browser exploits, an attacker can post a script on a social networking site that will run inside the browsers of those who view the content. This variation of a cross-site scripting attack is what the so-called Samy worm did in MySpace in October 2005. The author of this worm updated his profile with a script. Whenever any other user read his profile, this script would run in that user's browser, adding the Samy author as a friend in MySpace. The script would then add a copy of itself to this user's profile. When other users read any of the script-infected profiles, they too would be added as a friend to the Samy author and have their profile updated. Within an hour, the Samy author had hundreds of thousands of friends in MySpace.
Because of this major risk, most social networking sites carefully filter out scripts and browser exploits posted within user content. Their filters are not perfect though, and sometimes a unique encoding scheme or obscure scripting trick makes it through, resulting in an attack like the Samy worm. Therefore, you should defend yourself by running an up-to-date browser and an antivirus/antispyware suite. Also, if you are particularly paranoid, you may want to disable scripts in your browser when accessing social networking sites. You could consider adding social networking sites to a different security zone in your browser, like Restricted Sites, where you could then disallow browser scripts.
Related Q&A from Ed Skoudis, Contributor
At Black Hat 2006, researcher Joanna Rutkowska unveiled a piece of machine-based malware called the Blue Pill. But is it a serious threat to your ...continue reading
Wi-Fi on airplanes seems like it will be unavoidable in the future, but what security risks does it pose? In this security threats expert response, ...continue reading
There are some rare forms of malware that antivirus software doesn't pick up on, but there are some good tools to remove all sorts of malware.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.