MySpace, Facebook ignoring basic principles of security

By Neil Roiter, Senior Technology Editor, Information Security magazine
08 Aug 2008 | SearchSecurity.com

Security Wire Daily News

LAS VEGAS -- Social networks like Facebook and MySpace are perfect models for the three D's of insecurity: insecure by design, insecure by default and insecure in deployment.

According to a pair of security consultants who spoke at the 2008 Black Hat briefings, security is clearly not part of the business model for owners of these wildly popular Web properties.

Information security professionals should know better than to use these sites blindly, according to Shawn Moyer, founder of consultancy Agura Digital Security, and Nathan Hamiel, senior security consultant for Idea Information Security and founder of the Hexagon Security Group.

Speaking to a Black Hat audience in a rapid-fire, free-wheeling session Thursday, their key message was that when sharing something on a social network, assume it's going to be public.

If you give credit card information to Facebook, which it warns users not to do, you deserve to fail.

The duo demonstrated a series of all-too-easy MySpace attacks, which combine social engineering and technical hacks against an end-user population hungry for peer interaction and imbued with trust.

The attack surface is vast: Moyer and Hamiel say MySpace, Facebook and other social networking sites offer wide-open APIs. These not only allow unrestricted data exchange with any application, but also permit attackers to tap into user applications and exploit site code that's wide open to cross-site scripting and other attacks.

The presenters said MySpace's integration-friendly platform and user-generated applications represent little more than "amalgamated, XML-ified goop" and present malicious hackers with "convenient, well-documented APIs to craft attacks."

To illustrate their points, Moyer and Hamiel demonstrated how easily they could hijack a user profile. Using comments posted from a fake user profile, they not only logged a user out, but logged him out every time he tried to come back, and logged out everyone who visited his profile.
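The comment-based logout trick works because user-generated markup is rendered into other people's pages and a state-changing action (logout) can be triggered without the user intending it. The two controls a site owner would want are shown below in a small added example written for this article; it is not code from the presenters or from any social network. It assumes a simplified request represented as a dictionary and a hypothetical `SESSION_SECRET`; the comment sanitizer keeps only an allowlist of inert tags, and the logout handler refuses anything other than a POST carrying a token bound to the session.

```python
import hashlib
import hmac
import html
from html.parser import HTMLParser

# Inert formatting tags a comment may keep; everything else is dropped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
# Tags whose *content* must also be discarded, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style"}


class CommentSanitizer(HTMLParser):
    """Rebuild a comment from an allowlist: unknown tags vanish, all attributes
    (src, href, on* handlers) are discarded, and text is HTML-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
        elif tag in ALLOWED_TAGS and not self._skip_depth:
            self.out.append(f"<{tag}>")  # attributes deliberately not copied

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br" and not self._skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data))


def sanitize_comment(raw: str) -> str:
    """Return the safe-to-render form of a user-submitted comment."""
    parser = CommentSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


def issue_csrf_token(session_secret: bytes, session_id: str) -> str:
    """Token bound to the session; a page the attacker controls cannot read it."""
    return hmac.new(session_secret, session_id.encode(), hashlib.sha256).hexdigest()


def handle_logout(request: dict, session_secret: bytes):
    """Logout changes state, so it must be a POST with a valid session-bound token.
    Returns (status, message) so the decision is easy to test."""
    if request.get("method") != "POST":
        return 405, "logout requires POST"
    expected = issue_csrf_token(session_secret, request.get("session_id", ""))
    supplied = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    return 200, "logged out"


if __name__ == "__main__":
    # Constructed sample input, not content from any real profile.
    SESSION_SECRET = b"hypothetical-server-side-secret"
    raw = '<b>nice pic!</b><script>steal()</script><img src="x" onerror="bad()">'
    print(sanitize_comment(raw))
    get_request = {"method": "GET", "session_id": "s1"}
    print(handle_logout(get_request, SESSION_SECRET))
    post_request = {
        "method": "POST",
        "session_id": "s1",
        "form": {"csrf_token": issue_csrf_token(SESSION_SECRET, "s1")},
    }
    print(handle_logout(post_request, SESSION_SECRET))
```

The sanitizer rebuilds output rather than trying to blacklist bad strings, which is why a comment containing a script block or an image with an event handler comes out as plain bold text. The logout handler illustrates the second half of the fix: even if markup does slip through, a request that a visitor's browser fires without a session-bound token is rejected.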

Additionally, in a neat bit of social engineering, they created a fake profile for popular security expert Marcus Ranum (with his blessing). In short order, "Marcus" was contacted by the CSO of a security vendor, a Fortune 100 CSO, an information security magazine editor and many others who never questioned whether this was indeed Marcus Ranum or hesitated to share with someone who they thought they could trust.

Hamiel and Moyer did not, of course, exploit this misplaced trust, but concluded that if their faux Marcus had shared a malicious website link or application, the contacts would have unknowingly become victims in a heartbeat.

The pair offered sensible but unlikely remedial steps, most requiring responsible action on the part of the social network owners. These include reducing API functionality, building threat models for their sites and their users, working toward better, more secure development, and offering email verification for corporate social networks.

For anyone who doesn't want a false "you" to show up on MySpace or Facebook, they suggest creating one's own personal profile before someone else does.
