LAS VEGAS -- Social networks like Facebook and MySpace are perfect models for the three D's of insecurity: insecure...
by design, insecure by default and insecure in deployment.
According to a pair of security consultants who spoke at the 2008 Black Hat briefings, security is clearly not part of the business model for owners of these wildly popular Web properties.
Speaking to a Black Hat audience in a rapid-fire, free-wheeling session Thursday, their key message was that when sharing something on a social network, assume it's going to be public.
If you give credit card information to Facebook, which it warns users not to do, you deserve to fail.
The duo demonstrated a series of all-too-easy MySpace attacks, which combine social engineering and technical hacks against an end-user population hungry for peer interaction and imbued with trust.
The attack surface is vast: Moyer and Hamiel say MySpace, FaceBook and other social networking sites offer wide-open APIs. These not only allow unrestricted data exchange with any application, but also permit attackers to tap into user applications and exploit site code that's wide open to cross-site scripting and other attacks.
The presenters said MySpace's integration-friendly platform and user-generated applications represent little more than "amalgamated, XML-ified goop" and present malicious hackers with "convenient, well-documented APIs to craft attacks."
To illustrate their points, Moyer and Hamiel demonstrated how easily they could hijack a user profile. They used comments from a fake user profile to not only log out a user, but log him out every time he tries to come back on, and log out everyone who visits his profile.
Additionally, in a neat bit of social engineering, they created a fake profile for popular security expert Marcus Ranum (with his blessing). In short order, "Marcus" was contacted by the CSO of a security vendor, a Fortune 100 CSO, an information security magazine editor and many others who never questioned whether this was indeed Marcus Ranum or hesitated to share with someone who they thought they could trust.
Hameil and Moyer did not, of course, exploit this misplaced trust, but concluded that if their faux Marcus had shared with them a malicious website link or application, they would have unknowingly become victims in a heartbeat.
The pair offered sensible but unlikely remedial steps, most requiring responsible action on the part of the social network owners. These include reducing API functionality, building threat models for their sites and their users, working toward better, more secure development, and offering email verification for corporate social networks.
For anyone who doesn't want a false "you" to show up on MySpace or Facebook, they suggest creating one's own personal profile before someone else does.