MySpace, Facebook ignoring basic principles of security

Social networking websites MySpace and Facebook present a significant security risk to users, largely because their wide-open application programming interfaces (APIs) are a tempting target for malicious hackers.

LAS VEGAS -- Social networks like Facebook and MySpace are perfect models for the three D's of insecurity: insecure by design, insecure by default and insecure in deployment.

According to a pair of security consultants who spoke at the 2008 Black Hat briefings, security is clearly not part of the business model for owners of these wildly popular Web properties.

Information security professionals should know better than to use these sites blindly, according to Shawn Moyer, founder of consultancy Agura Digital Security, and Nathan Hamiel, senior security consultant for Idea Information Security and founder of the Hexagon Security Group.

Speaking to a Black Hat audience in a rapid-fire, free-wheeling session Thursday, the pair delivered one key message: when sharing something on a social network, assume it's going to be public.

If you give credit card information to Facebook, which it warns users not to do, you deserve to fail.

The duo demonstrated a series of all-too-easy MySpace attacks, which combine social engineering and technical hacks against an end-user population hungry for peer interaction and imbued with trust.

The attack surface is vast: Moyer and Hamiel say MySpace, Facebook and other social networking sites offer wide-open APIs. These not only allow unrestricted data exchange with any application, but also permit attackers to tap into user applications and exploit site code that's wide open to cross-site scripting and other attacks.

The presenters said MySpace's integration-friendly platform and user-generated applications represent little more than "amalgamated, XML-ified goop" and present malicious hackers with "convenient, well-documented APIs to craft attacks."

To illustrate their points, Moyer and Hamiel demonstrated how easily they could hijack a user profile. They used comments from a fake user profile to not only log out a user, but log him out every time he tries to come back on, and log out everyone who visits his profile.
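The logout-via-comments demonstration above is, as the article says, a mix of user-generated content and site code that trusts it. As an added defensive illustration (not code from the talk, from MySpace or from Facebook), the block below shows the two controls a site can apply so that a comment rendered on a profile cannot act on the viewer's session: escaping user-controlled text before it is embedded in a page, and accepting a logout only as a POST carrying the session's anti-CSRF token. The `Session` class, the `handle_logout` function and the sample comment are constructed for this example.

```python
"""Defensive example (added here; not from the Black Hat talk or any social
network's code base): keep user-generated comments from acting on the viewer.

1. Escape comment text before embedding it in HTML, so markup in a comment is
   displayed as text instead of being interpreted by the browser.
2. Honour a logout (or any other state change) only when it arrives as a POST
   that carries the session's anti-CSRF token, so nothing a page merely loads
   or renders can trigger it.
"""
import html
import hmac
import secrets
from typing import Optional


def render_comment(author: str, body: str) -> str:
    """Return an HTML fragment in which all user-controlled text is escaped."""
    return (
        f'<div class="comment"><b>{html.escape(author)}</b>: '
        f"{html.escape(body)}</div>"
    )


class Session:
    """Minimal constructed session: who is logged in plus a per-session token."""

    def __init__(self, user: str) -> None:
        self.user = user
        self.logged_in = True
        self.csrf_token = secrets.token_hex(16)


def handle_logout(session: Session, method: str, token: Optional[str]) -> bool:
    """Log the session out only for a POST that presents the correct token.

    Returns True when the logout was performed, False when it was refused.
    """
    if method != "POST" or token is None:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(token, session.csrf_token):
        return False
    session.logged_in = False
    return True


if __name__ == "__main__":
    # Constructed sample: a comment that contains markup.
    hostile = 'Nice profile! <script>alert("hi")</script>'
    print(render_comment("mallory", hostile))

    s = Session("alice")
    print("GET without token ->", handle_logout(s, "GET", None), s.logged_in)
    print("POST wrong token  ->", handle_logout(s, "POST", "bogus"), s.logged_in)
    print("POST real token   ->", handle_logout(s, "POST", s.csrf_token), s.logged_in)
```

The escaping step neutralises the cross-site scripting vector the presenters describe; the token check is what stops a profile page from logging out everyone who views it, because only a deliberate form submission from the viewer's own session carries the right token.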

Additionally, in a neat bit of social engineering, they created a fake profile for popular security expert Marcus Ranum (with his blessing). In short order, "Marcus" was contacted by the CSO of a security vendor, a Fortune 100 CSO, an information security magazine editor and many others who never questioned whether this was indeed Marcus Ranum or hesitated to share with someone who they thought they could trust.

Hamiel and Moyer did not, of course, exploit this misplaced trust, but concluded that if their faux Marcus had shared with them a malicious website link or application, they would have unknowingly become victims in a heartbeat.

The pair offered sensible but unlikely remedial steps, most requiring responsible action on the part of the social network owners. These include reducing API functionality, building threat models for their sites and their users, working toward better, more secure development, and offering email verification for corporate social networks.

For anyone who doesn't want a false "you" to show up on MySpace or Facebook, they suggest creating one's own personal profile before someone else does.
