Third-party applications on social networks could be the next avenue of attack for cybercriminals, and if left unmonitored, security experts fear the applications users have come to trust could be used to trick them into giving up account credentials or to deliver spam and malware.
While attackers can build their own malicious applications using the freely available application programming interfaces (APIs) released by social networks, the real concern lies in legitimate third-party applications and the coding errors they may contain, as well as user-generated content built on shoddy code. A savvy hacker could find such an error and craft an attack that tricks thousands of users without their knowledge.
Link-sharing and discussion portal MetaFilter was on a long list of user-driven platforms and websites hit by SQL injection attacks in 2009. A SQL injection flaw in one of its Web applications left some MetaFilter pages open to drive-by SQL injection attacks. The application had been coded in the site's early days and may have been a decade old. The site was taken down, and it took about two days to plug the holes on every page and make sure every read of every URL was safe. The site relies primarily on self-policing to ensure the quality of much of its content.
"If you're just looking at Web server logs, there may be nothing overtly recognizable as malicious," said Ryan Barnett, director of application security research at Carlsbad, Calif.-based Breach Security Inc. "The most critical thing is that you have people looking, watching and using their brain."
So far, most social networking attacks that result in compromised accounts and malicious content have been phishing attempts and malicious links passed through the internal messaging systems of sites like Facebook and MySpace. But third-party applications, which social networks often approve quickly to enhance the user experience, are an increasing cause for concern. Anyone can write them, even people with little coding experience, Barnett said.
"Everyone wants cool widgets and features because it's a draw to their site," Barnett said. "The biggest challenge is defending against user-driven attacks; how a legitimate user can poke and prod the system to find a loophole."
Social networks that rely on user-generated content typically have proprietary tools to monitor network traffic and scan content for potential issues, but smaller sites often lack the funding and expertise to dedicate resources to application and content monitoring, said Michael Coates, a security expert and volunteer with the Open Web Application Security Project (OWASP).
Coates, who leads OWASP's AppSensor project, hopes its detection methodology and framework can help websites spot trouble within third-party apps. Software developers using AppSensor, Coates said, can build intrusion detection and automated response into their Web applications: the application itself recognizes a user or piece of malware probing for holes to exploit, and takes action against it.
"Many financial and stock trading applications currently use a form of fraud detection; this detection focuses more on the financial side of things including detecting suspicious patterns and movements of money," Coates said. "The difference with AppSensor is that we are taking the detection into the application itself. … The AppSensor methodology of attack detection can be integrated into any application to provide efficient attack detection and prevention."
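The idea Coates describes, detection points inside the application that fire on input the application's own pages could never have produced, with an automated response once a user trips enough of them, can be sketched in a few dozen lines. The following is an added illustration written for this article, not OWASP AppSensor's own code; the detection-point names, the `Request` shape and the sample traffic are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Values the real form and links would produce. Anything else means the
# user is tampering with the request by hand or with a tool (hypothetical policy).
ALLOWED_ROLES = {"member", "moderator"}
ALLOWED_METHODS = {"GET", "POST"}


@dataclass
class Request:
    """A minimal stand-in for an incoming HTTP request (constructed type)."""
    user: str
    method: str
    params: dict


@dataclass
class AppSensor:
    """AppSensor-style detector: count per-user detection events, respond on threshold."""
    threshold: int = 3
    events: dict = field(default_factory=lambda: defaultdict(list))
    locked: set = field(default_factory=set)

    def detection_points(self, req):
        """Return the labels of every detection point this request triggers.

        Each check looks for something a legitimate browser session would not
        send, so a hit is evidence of probing rather than a user mistake.
        """
        hits = []
        if req.method not in ALLOWED_METHODS:
            hits.append("unexpected_http_method")
        role = req.params.get("role")
        if role is not None and role not in ALLOWED_ROLES:
            hits.append("value_outside_allowed_set")
        uid = req.params.get("id")
        if uid is not None and not uid.isdigit():
            hits.append("non_numeric_id")      # e.g. "42 OR 1=1"
        return hits

    def handle(self, req):
        """Process one request; return (allowed, hits).

        Locked users are refused outright. A user whose accumulated events reach
        the threshold is locked: the automated response, applied inside the app.
        """
        if req.user in self.locked:
            return False, []
        hits = self.detection_points(req)
        self.events[req.user].extend(hits)
        if len(self.events[req.user]) >= self.threshold:
            self.locked.add(req.user)
            return False, hits
        return True, hits


def run_sample():
    """Constructed traffic: one honest user and one poking at the application."""
    sensor = AppSensor(threshold=3)
    traffic = [
        Request("alice", "GET", {"id": "42"}),
        Request("mallory", "GET", {"id": "42 OR 1=1"}),
        Request("mallory", "POST", {"role": "admin"}),
        Request("mallory", "TRACE", {}),
        Request("mallory", "GET", {"id": "43"}),   # refused: already locked
        Request("alice", "POST", {"role": "member"}),
    ]
    results = [sensor.handle(r) for r in traffic]
    return sensor, results


if __name__ == "__main__":
    sensor, results = run_sample()
    for r in results:
        print(r)
    print("locked:", sensor.locked)
```

Note what this is not: it is not a log-parsing rule run after the fact. The checks live in the request path, so the response (here a lock, in practice perhaps a forced logout or a CAPTCHA) happens before the probing user's next request, and a Web server log that shows only a handful of ordinary-looking GETs still ends in a blocked account.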
OWASP is also taking a closer look at ways to scan for and recognize potentially malicious code posted by users on Web forums, user profile pages and other webpages where users can freely post content. Arshan Dabirsiaghi, a secure coding expert and OWASP volunteer, heads the AntiSamy project, which has produced a tool that filters user-supplied HTML and CSS so that users cannot slip malicious code into their profile, comments and other areas of a social networking platform.
"It saves developers a ton of time and, frankly, does a job that is too hard to do right if security is not your main focus," Dabirsiaghi said.
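To show why "too hard to do right" is not an exaggeration, here is the skeleton of the approach AntiSamy takes, an allowlist policy applied while rebuilding the markup, as an added example written for this article in Python. It is not AntiSamy's code (AntiSamy is a Java library with an XML policy file); the policy sets below are a toy policy chosen for the example.

```python
from html import escape
from html.parser import HTMLParser

# Toy policy (hypothetical): the only markup a profile or comment may contain.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}          # drop the element AND its text
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class Sanitizer(HTMLParser):
    """Rebuild input from scratch, emitting only what the policy allows.

    Everything not explicitly permitted (unknown tags, event handlers,
    javascript: URLs, the body of <script>) is simply never written out.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0       # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                # unknown tag: dropped, its text survives
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue          # drops onclick=, onerror=, style=, ...
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue          # drops javascript:, data:, vbscript:, ...
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Re-escape text, so '&lt;script&gt;' decoded by the parser
            # comes back out as harmless text rather than a tag.
            self.out.append(escape(data, quote=False))


def sanitize(untrusted_html: str) -> str:
    """Return the policy-filtered version of user-supplied HTML."""
    s = Sanitizer()
    s.feed(untrusted_html)
    s.close()
    return "".join(s.out)


if __name__ == "__main__":
    # Constructed samples of the kind of profile text a hostile user might post.
    for sample in (
        '<b>hi</b><script>alert(1)</script>',
        '<a href="javascript:alert(1)" onclick="steal()">click</a>',
        '<img src=x onerror=alert(1)>text',
    ):
        print(repr(sanitize(sample)))
```

Even this much rests on the parser agreeing with the browser about where a tag starts and ends; the things left out here (balancing unclosed tags, validating CSS in `style` attributes, relative URLs, encoding tricks in attribute values) are exactly the work a project such as AntiSamy exists to absorb so that each site does not have to rediscover it.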
While proprietary solutions exist for larger social networks with dollars to invest in security, smaller sites need open source tools, said Breach Security's Barnett. Barnett's Web Application Security Consortium Distributed Open Proxy Honeypot project went live in 2007 and has been monitoring malicious traffic and attack attempts.
The consortium also manages the Web Hacking Incident Database, a collection of hacking attempts identified by the open proxy honeypots. Not surprisingly, automated SQL injection and cross-site scripting (XSS) attacks are the biggest offenders listed in the database. Both exploit a Web application's mishandling of untrusted input: SQL injection lets an attacker smuggle commands into the site's database queries to read or alter its data, and XSS lets an attacker plant script that the site then serves to other visitors, turning it into an attack tool.
As an example of an application that lends itself to content spoofing, experts have pointed to last year's attack on Wired magazine's website. A teenager used a poorly designed public image viewing utility hosted by Wired to upload a phony report that Apple CEO Steve Jobs had suffered a heart attack. Security experts said the tool's code was sound, but it was designed in a way that enabled abuse.
"For a lot of these applications, the developer doesn't think about coding in security features or design functionality that can cause future problems. It's an add-in after the fact," Barnett said.
Editor's Note: A correction was made to accurately describe the SQL injection attack against MetaFilter in 2009.