Researchers Build Malicious Facebook App

narramissic writes "Back in January, a team of researchers uploaded a malicious program to Facebook to demonstrate the possible dangers of social networking applications. Called 'Photo of the Day,' the app serves up a new National Geographic photo daily, but every time it's clicked it sends a 600 K-byte HTTP request for images to a victim's Web site. Photo of the Day is still listed on Facebook, with its authorship attributed to Andreas Makridakis, one of the researchers. The application has 514 active users now, with several comments praising it. The study was published by the Foundation for Research and Technology in Heraklion, Greece, and the Institute for Infocomm Research in Singapore."

This one's for Bugmenot!

[Legion_SB (1300215)]

Attack!!

Re:

[solitas (916005)]

Yeah, good! If they call it "bugmenot" then facebook users won't be able to tell/warn OTHER facebook users about it.

http://tech.slashdot.org/article.pl?sid=08/09/05/1741207 [slashdot.org]

print this page

[A little Frenchie (715758)]

http://www.itworld.com/print/54718 [itworld.com]

Researchers!

[goose-incarnated (1145029)]

Is there anything we cannot do?

"Here, grab your ankles, this won't hurt a little bit"

(That is a 100% truthful statement)

Re:

[goose-incarnated (1145029)]

Your points have been duly noted.

*pulls keyboard closer*

However, I feel, very strongly, that when one is willing to acknowledge "The researchers did valuable work", then all those points fall away.

As far as most research work goes (and it makes no difference whether you're in Marine Biology or Description Logics), all we do is publish what we find. Our most used sentence is "Nobody told me I had to find a solution as well". Most of research is simply discovering new problems for others to solve.

(p

Re:Researchers!

[fictionpuss (1136565)]

Is this sarcasm which is going over my head?

there are massive numbers of full-time researchers and few full-time bad guys.

Do you have any figures/research for this or is it opinion?

The "researchers" are helping, providing inspiration, and guidance to would-be part-time bad guys.

The bad guys who will continue to go on and sell their exploits on international markets? So, the monetary motivation is nothing compared to the motivation generated by researchers?

Exploits exist. Bad guys have a motivation to find them and keep them secret. Without researchers in the field, the good guys would never be able to fix the exploits.

What about coming up with a better solution before panning the current situation which seems to work quite well? Do you work in the security field at all?

Also, Slashdot supports paragraphs.

Re:

[mysidia (191772)]

I'll concede there are financial motives for crackers to attempt to compromise systems.

But many, perhaps most crackers who would have that motive alone, are not successful. The financial motive is outweighed unless there is a means or method; unless they think they can succeed with a certain attack. If they find howtos/recipe books online or detailed publications of weaknesses that have not been addressed they are likely to find motive and find significant advantage and success in exploiting that problem

Re:

[bluefoxlucid (723572)]

If they find howtos/recipe books online or detailed publications of weaknesses that have not been addressed they are likely to find motive and find significant advantage and success in exploiting that problem and gaining the financial incentive.

WRONG.

Your secret, unpublished exploits work extremely well because we can't catch them with an IDS. Shit we know about we can see.

It's like if you know there's a cave that leads directly under a military base. You have to dig up from inside the cave to surface, there's no way out into the base; but it does go under the base, and it's down about 6 feet.

Tell the base commander, and he probably won't post guard. It's more advantageous to not worry about it. Run a report about egregious failings in

Re:Researchers!

[fictionpuss (1136565)]

Word is that there are several dozen zero-day Linux kernel exploits on the blackhat market right now. For what it's worth that's anecdotal, but even if that figure is exaggerated, the blackhats are still out powering the whitehats in either number or technical ability.

If they didn't then they wouldn't exist.

I'm not going to be able to respond to you point-by-point because of a rather general lack of coherence, so I'm going to pick and choose:

Companies like Symantec and F-Secure are public. Their staffing and other financial records are available for inspection; lookup their annual reports to see massive spending&staffing in research; there can be no doubts there.

My impression was that the R&D was spent on things like Vista compatibility and defending their own protection programs from being disabled as part of the exploit.

I've never heard of one case of an anti-virus company proactively researching a vulnerability and patching it. There wouldn't seem to be much of a business model to create from that. But if I'm wrong then there should be plenty of evidence - why would they spend the R&D that you mention, and not publicise its positive effects?

Some crackers will be searching for new bugs, the bulk of them do not need to, they'll just wait until a new exploit is eventually published by a researcher, or they they can try to buy it. In either case, the research by a third party is what spreads the 'hack' into use.

At least in the Linux world, vulnerabilities, once published, tend to have fixes out pretty darn quickly. This is not a winning strategy for a blackhat.

Also - a researcher who sells to blackhats, is a blackhat by definition.

I don't think it's all that difficult to make useful but dangerous research information available to the security concerned while making it hard for all except the truly dedicated crackers.

You seem to be describing exactly what happened with the recent DNS server vulnerability?

A $1 or $2 nominal fee for access would generally reduce digestion by the general public, and teenagers without credit card access

Blackhats are not terribly concerned about copyright infringement. If they didn't hack the server silently to get past the $1 or $2 fee, then they'd use someone elses credit card info.

Once one copy is made, then the information is available on the blackhat market anyway, except the whitehats have a harder time getting to it.

Both fortunately and unfortunately, the unhampered public posting means anyone who searchers for the right keywords will see it..

Blackhats aren't idly spending their days typing "latest exploit info" into Google. They have their own information market spaces, and they are skilled and efficient at what they do.

Everything you describe which makes it harder for whitehats is to the benefit of blackhats.

social networking considered harmful

[suck_burners_rice (1258684)]

First of all, let's get something straight. Social networking is a BAD idea. Especially the sort of social networking that takes place at bars, clubs, parties, etc. The only safe place in the world is safe and sound all by your lonesome in your parents' basement.

Re:

[Bieeanda (961632)]

Oh good, I'm already there.

Can I order hot pockets over the Internet?

Re:

[Brynath (522699)]

no but you can order a "Bucket o'food [gizmodo.com]" for $75 that will give you 275 "meals"

Re:social networking considered harmful

[goose-incarnated (1145029)]

The only safe place in the world is safe and sound all by your lonesome in your parents' basement.

Here in SA I've got 14cm hunter spiders in my parents basement! Seriously. These things have garden snakes for breakfast, so don't fucking tell me how safe my parents basement is - I only go in there with a team of sherpas and a pack of wolves.

On the plus side, we've very few snakes left.

Re:

[sphealey (2855)]

> On the plus side, we've very few snakes left.

Unfortunately, we depend on the snakes to keep the rats under control.

sPh

Re:

[by Anonymous Coward]

Not my parents' basement... It is pitch black. You are likely to be eaten by a grue.

Re:social networking considered harmful

[Surt (22457)]

There's a guy a few posts up with some hunter spiders that will take care of that grue for you.

Re:social networking considered harmful

[somersault (912633)]

It's not a basement, it's a command centre

Re:

[somersault (912633)]

Actually it's bunker in the UK as well o_0 I was actually quoting from Die Hard 4.0, or in the US, "Live Free or Die Hard"

Re:

[Surt (22457)]

I believe the british version is 'bukkake' not 'bunkre'.

Re:

[techno-vampire (666512)]

The only safe place in the world is safe and sound all by your lonesome in your parents' basement.

My parent's house doesn't have a basement you insensitive clod! I'm stuck in the den!

Re:

[elgatozorbas (783538)]

Why the f*ck is this rated insightful? "Funny" doesn't render karma, but "underrated" also exists. Smothering your personal info all over the place might be a bad idea, but doing so in a bar is infinitely less dangerous than doing it on the www where every future employer/mother in law can find you back years later.

Re:

[suck_burners_rice (1258684)]

Smothering your personal info all over the place might be a bad idea, but doing so in a bar is infinitely less dangerous than doing it on the www where every future employer/mother in law can find you back years later.

Which is why I'm gonna write a book, for which I haven't made up the title yet, about an underground gang of 1337z h4x0rz who, for a high fee, of course, hack into all kinds of social networking sites and whatnot and fix peoples' information. So that girl who had some revealing pictures take

Re:

[kramulous (977841)]

Sick! Tell me there are black choppers to get them into secure data centres ... located in exotic countries on mountain tops?

BFD(?)

[CWRUisTakingMyMoney (939585)]

So, some researchers used Facebook as a singularly inefficient method of DDoSing someone. Anyone who wants a site taken down will use a botnet or something more reliable (and high-volume) than counting on Facebook users to add the latest greatest app of the day. Am I missing something, or is this really not nearly serious enough even to make /.?

Re:

[ohxten (1248800)]

That's why it's here. We don't know. It's up to us geeks to philosophize.

Re:BFD(?)

[BitHive (578094)]

No, this is absolutely retarded. This is like saying I've uploaded malicious content to slashdot by telling everyone to click here for free porn [slashdot.org] where "here" is my victim's website.

MOD PARENT UP

[Captain Splendid (673276)]

Parent is correct. This is a PEBKAC problem if I ever saw one. Man, people really will freak out over every little thing, won't they?

Re:BFD(?)

[aftk2 (556992)]

I clicked it. Who else did? Don't be shy!

Re:

[frank_adrian314159 (469671)]

Effin' ripoff! There weren't no porn thar!

Re:

[DMUTPeregrine (612791)]

http://www.foobies.com/ [foobies.com] has plenty of free porn. Thank Drew Curtis.
Oh, wait, supposed to ddos a victim. Nevermind then.

Re:

[NotQuiteReal (608241)]

Yeah, first off, the link showed me an ad for the new "Choke" movie. That made me think of choking chickens.

Then, as luck would have it, I get an ad for more flexible screwing [doubleclick.net] when I hit the reply button. Well, what more do you need to get you going?

[x] post anonymously

Re:BFD(?)

[Clandestine_Blaze (1019274)]

You should have linked to Idle, now that's malicious.

Nothing new...

[Tmack (593755)]

I see .swf attack scripts all the time that do the same thing: user clicks to view a .swf, the swf sends a request per second to some other page. Get enough people to click on your "new Flash game" or "sexxy webcam" and you get a DOS (albeit usually weak).

tm

Re:

[caffeinemessiah (918089)]

So, some researchers used Facebook as a singularly inefficient method of DDoSing someone.

Agreed. Especially since a user trying to interact with ANYTHING dynamic on a profile page has to CLICK it to enable it. Embed your own "malicious" DDOS flash code into an "application" with some cutesy front end, and have it pull a large NASA image and push it as a form upload to the target site. Basically, once the user clicks your flash/activeX/blaahXY content, you have an array of flash/activeX/blaahXY exploits to

Re:

[hdon (1104251)]

I agree 99% with CWRUisTakingMyMoney.

I have not read the article, but I'd like to point out the possibility that because social networking is a big buzz-word, the experiment is being misrepresented.

While I don't believe an experiment really proves anything to anyone with a mind of their own, I think we're all way past due to begin thinking about better sandboxing (more precise, efficient, and platform-agnostic) methods for running all the untrustworthy code we do. We ought to have control over how resources

Re:

[shawn(at)fsu (447153)]

You could explain away the praises too.
I'm sure there are plenty of people who know its a hack and gave it praise just to get others to add the app to their page.

This is a nothing to see here story.

It's the delivery method, not the payload

[Kelson (129150)]

Using the app to DDOS someone is simply the payload. The point is that:

(a) A trojan was introduced into the ecosystem.
(b) Users installed it.

It's not clear whether the users simply saw it in the directory and installed it, or whether they looked at their friends' apps and said, "Hey, that looks interesting." (Or whether users were promoting it to their friends, like a chain letter.)

The lesson is that social network apps need to be treated with the same caution as apps that you would install on your comput

Re:

[Firehed (942385)]

There are plenty of apps that actually see some heavy use. As in 50k+ installations, not 500+. Just hotlinking an image could do some pretty heavy damage to most sites, never mind a massive POST request.

social apps and gadgets

[gbh1935 (987266)]

There are inherent security risks any time you allow code to be executed on a mammoth scale without some serious security inspection and review.

more direct malicious app

[Narnie (1349029)]

Why not build a more aggressive app and call it something like "Facebook Botnet Webapp Client 2.04.2" and then reward people minion points for delivered spam, DDoS attack packets, and friend referrals. No need to hide it as a beneficial application, people want to belong to something--why else are they on facebook?

Oh that's nothing

[joe_n_bloe (244407)]

I used to serve a 2mb file of zeros at favicon.ico. I even used a bogus MIME type to give MSIE a fighting chance. Of course MSIE ignored the MIME type and charged ahead anyway.

Re:

[Creepy Crawler (680178)]

You gave me a great idea.

Buffer overflow of favicon.ico

muhahahaha

Re:

[Firehed (942385)]

So... you just waste your own bandwidth? Nice.

Re:

[Culture20 (968837)]

probably compressed down to a kilobyte or two.

Doesn't work.

[Puffy Director Pants (1242492)]

Facebook is still operational.

Mod the main article down. It is redundant.

[CFD339 (795926)]

They built a malicious face book application. Big deal. They're all malicious and annoying. The whole damn site is a marketing work to pull personal data about interconnected relationships together for marketing.

"Malicious Facebook App" is like "Table Mesa" (a place in Arizona). Its redundant Mesa means Table in Spanish.

Re:I don't think I'm the first to say this but...

[Captain Splendid (673276)]

Facebook applications are a nightmare, in my mind.

Good thing, then, that in reality, they're for the most part fun and useful!

Re:

[mini me (132455)]

The Facebook API had so much potential, but all the junk applications have made it impossible to weed out the bad applications from the good ones ultimately giving all Facebook applications a bad rap.

Re:

[NotBornYesterday (1093817)]

Bah. Other than the 600kb request, how much different is this than a good slashdotting?

Re:

[hangareighteen (31788)]

Mr. Izzard?