Researchers Build Malicious Facebook App 116
narramissic writes "Back in January, a team of researchers uploaded a malicious program to Facebook to demonstrate the possible dangers of social networking applications. Called 'Photo of the Day,' the app serves up a new National Geographic photo daily, but every time it's clicked it sends a 600 K-byte HTTP request for images to a victim's Web site. Photo of the Day is still listed on Facebook, with its authorship attributed to Andreas Makridakis, one of the researchers. The application has 514 active users now, with several comments praising it. The study was published by the Foundation for Research and Technology in Heraklion, Greece, and the Institute for Infocomm Research in Singapore."
This one's for Bugmenot! (Score:4, Funny)
Re: (Score:2)
Yeah, good! If they call it "bugmenot" then facebook users won't be able to tell/warn OTHER facebook users about it.
http://tech.slashdot.org/article.pl?sid=08/09/05/1741207 [slashdot.org]
Re: (Score:2)
Did you really feel the need to explain the joke?
Both stories are on the front page!
Re: (Score:2)
Users read the stories here?
Jebus, I've been way off in my understanding of the place.
print this page (Score:2, Informative)
Re:I don't think I'm the first to say this but... (Score:4, Funny)
Good thing, then, that in reality, they're for the most part fun and useful!
Re: (Score:2)
The Facebook API had so much potential, but all the junk applications have made it impossible to weed out the bad applications from the good ones, ultimately giving all Facebook applications a bad rap.
Re: (Score:2)
Re: (Score:1, Funny)
Other than that, Mrs. Lincoln, how did you enjoy the play?
Re: (Score:2)
Mr. Izzard?
Researchers! (Score:2, Funny)
"Here, grab your ankles, this won't hurt a little bit"
(That is a 100% truthful statement)
Re: (Score:1, Interesting)
Heh. Researchers experiment with anything malicious they want in the name of research, and publish their findings widely for the bad guys to consume.
With the tenuous justification "the bad guys would have surely come up with this already"
I'll accept the bad guys find these things out on their own, eventually too. But there are massive numbers of full-time researchers and few full-time bad guys.
Plus not that many bad guys will think of X attack; at least not until there are news articles or a fad, oth
Re: (Score:3, Insightful)
*pulls keyboard closer*
However, I feel, very strongly, that when one is willing to acknowledge "The researchers did valuable work", then all those points fall away.
As far as most research work goes (and it makes no difference whether you're in Marine Biology or Description Logics), all we do is publish what we find. Our most used sentence is "Nobody told me I had to find a solution as well". Most of research is simply discovering new problems for others to solve.
(p
Re: (Score:2)
"Most of research is simply discovering new problems for others to solve." -- A very important point. In fact, research that uncovers a problem but not a solution is an exciting opportunity for all related researchers in the field, because there is now one more problem to study.
"Nobody told me I had to find a solution as well." Hmm. If you look at research into pure math, it would be an unfortunate situation indeed if you could not publish until you had worked out a complete solution. Consider the age-o
Re:Researchers! (Score:4, Insightful)
Is this sarcasm which is going over my head?
there are massive numbers of full-time researchers and few full-time bad guys.
Do you have any figures/research for this or is it opinion?
The "researchers" are helping, providing inspiration, and guidance to would-be part-time bad guys.
The bad guys who will continue to go on and sell their exploits on international markets? So, the monetary motivation is nothing compared to the motivation generated by researchers?
Exploits exist. Bad guys have a motivation to find them and keep them secret. Without researchers in the field, the good guys would never be able to fix the exploits.
What about coming up with a better solution before panning the current situation which seems to work quite well? Do you work in the security field at all?
Also, Slashdot supports paragraphs.
Re: (Score:3, Interesting)
I'll concede there are financial motives for crackers to attempt to compromise systems.
But many, perhaps most crackers who would have that motive alone, are not successful. The financial motive is outweighed unless there is a means or method; unless they think they can succeed with a certain attack. If they find howtos/recipe books online or detailed publications of weaknesses that have not been addressed they are likely to find motive and find significant advantage and success in exploiting that problem
Re: (Score:2)
If they find howtos/recipe books online or detailed publications of weaknesses that have not been addressed they are likely to find motive and find significant advantage and success in exploiting that problem and gaining the financial incentive.
WRONG.
Your secret, unpublished exploits work extremely well because we can't catch them with an IDS. Shit we know about we can see.
It's like if you know there's a cave that leads directly under a military base. You have to dig up from inside the cave to surface, there's no way out into the base; but it does go under the base, and it's down about 6 feet.
Tell the base commander, and he probably won't post guard. It's more advantageous to not worry about it. Run a report about egregious failings in
Re: (Score:2, Interesting)
An IDS is a failsafe, last line of defense, and only ever sure to work against a small category of pre-packaged attacks.
Pattern matching cannot detect the exploit of all types of weaknesses.
Not all types of weaknesses have a set string or sequence of bits you can reliably search for and ID an attack.
Generally IDS rules are specific to the most common attack, not the weakness.
The cracker that wants to evade your IDS and knows how to evade an IDS is likely to be successful.
E.g. if there is a buffer overf
Re: (Score:2)
E.g. if there is a buffer overflow, it is common for an IDS to look for common shellcode patterns. IDS is unlikely to be able to perform a stateful examination of all the application protocols including fragment assembly and actually detect the overflow condition.
Snort does fragment assembly and stateful examination. OSSIM uses numerous systems for pattern, signature, and behavioral analysis to determine if a system is currently under attack or compromised. This means it will detect an odd network condition it's not familiar with (no attack signatures or patterns) targeting a specific host and say, "Hey this shit might be under attack!" It will see a host launch a known attack or suddenly start making connections all over the place (i.e. a file server making conn
Re:Researchers! (Score:4, Interesting)
Word is that there are several dozen zero-day Linux kernel exploits on the blackhat market right now. For what it's worth that's anecdotal, but even if that figure is exaggerated, the blackhats are still out powering the whitehats in either number or technical ability.
If they didn't then they wouldn't exist.
I'm not going to be able to respond to you point-by-point because of a rather general lack of coherence, so I'm going to pick and choose:
Companies like Symantec and F-Secure are public. Their staffing and other financial records are available for inspection; look up their annual reports to see massive spending & staffing in research; there can be no doubts there.
My impression was that the R&D was spent on things like Vista compatibility and defending their own protection programs from being disabled as part of the exploit.
I've never heard of one case of an anti-virus company proactively researching a vulnerability and patching it. There wouldn't seem to be much of a business model to create from that. But if I'm wrong then there should be plenty of evidence - why would they spend the R&D that you mention, and not publicise its positive effects?
Some crackers will be searching for new bugs, the bulk of them do not need to, they'll just wait until a new exploit is eventually published by a researcher, or they can try to buy it. In either case, the research by a third party is what spreads the 'hack' into use.
At least in the Linux world, vulnerabilities, once published, tend to have fixes out pretty darn quickly. This is not a winning strategy for a blackhat.
Also - a researcher who sells to blackhats, is a blackhat by definition.
I don't think it's all that difficult to make useful but dangerous research information available to the security concerned while making it hard for all except the truly dedicated crackers.
You seem to be describing exactly what happened with the recent DNS server vulnerability?
A $1 or $2 nominal fee for access would generally reduce digestion by the general public, and teenagers without credit card access
Blackhats are not terribly concerned about copyright infringement. If they didn't hack the server silently to get past the $1 or $2 fee, then they'd use someone else's credit card info.
Once one copy is made, then the information is available on the blackhat market anyway, except the whitehats have a harder time getting to it.
Both fortunately and unfortunately, the unhampered public posting means anyone who searches for the right keywords will see it.
Blackhats aren't idly spending their days typing "latest exploit info" into Google. They have their own information market spaces, and they are skilled and efficient at what they do.
Everything you describe which makes it harder for whitehats is to the benefit of blackhats.
Re: (Score:1)
Once one copy is made, then the information is available on the blackhat market anyway, except the whitehats have a harder time getting to it.
Responsible researchers should always provide their exploit information and security vulnerability information to the affected vendor directly, either at the time of publication or preferably prior to it.
In other words: availability of patches should be unaffected.
The Linux kernel group should provide a contact for security issues that will be dealt with in wha
Re: (Score:2)
This reads like an LSD-spiked stream of consciousness. What is your actual point?
For example - you're now arguing that Symantec fixing the security flaws it created in its own products is an example of your original proposition that there are more whitehats than blackhats? If you're part of the problem while marketing yourself as part of the solution, then your hat is pretty grey to my eyes.
I also have a problem with your "Experts in the field should do X because of (vague generalisation)" argument style.
Re: (Score:2)
I'm not concerned about other people not updating against exploits - I'm concerned about my updated machine falling victim to a malformed ping packet which no whitehat knows about yet.
If the opinions held by 'mysidia' ever gained more traction, the chances of that exploit being discovered by whitehats would decrease proportionally.
An AC blithely inferring personal experience of "the computer underground", doesn't carry as much weight as you seem to wish it does.
500, not 100 (Score:1)
Their staffing and other financial records are available for inspection;
As a former customer, I'd have more appreciation for the opportunity to inspect their source code.
lookup their annual reports to see massive spending & staffing in research; there can be no doubts there.
The SEC exists because unsuccessful corporations have been known to lie, and caught at it. Only a fool has "no doubts" about corporate self-reporting.
I base this on the existence of Fortune-100 companies whose reason for existence is to deliver security solutions, and have multi-billion$ security budgets to that effect.
Symantec, is "only" #461 [cnn.com], and (AFAIK) it's the largest corp. whose primary product is computer security. This is not nit-picking; your entire argument is based on scale, and the largest of the companies of the type you're discussing, is barely in the Fortune 5
Whose "tenuous justification"? (Score:1)
Heh. Researchers experiment with anything malicious they want in the name of research and publish their findings widely for the bad guys to consume.
Looks like you're a black hat, and you're annoyed that more young people are truly computer literate, and more useful information is available to non-expert but careful users.
With the tenuous justification "the bad guys would have surely come up with this already"
The purpose of research is knowledge. As a researcher, I'm not responsible to provide justification of what somebody else does with knowledge I discover, nor to provide further justification of my discovery of it due to that other person's choice to make criminal use of the knowledge I discovered. The criminal is solely responsible f
Re: (Score:1)
The purpose of research is knowledge. As a researcher, I'm not responsible to provide justification of what somebody else does with knowledge I discover, nor to provide further justification of my discovery of it due to that other person's choice to make criminal use of the knowledge I discovered. The criminal is solely responsible for the criminal act.
That position is irresponsible in that it entails the researcher simply ignoring the very effects positive and negative that society will have to endure b
THAT is a "tenuous justification"! (Score:1)
Re: (Score:1)
Oh FCOL, who the fuck moderated this as troll - c'mon - play nicely here - over the last few days it seems that a metric fuckton of non-troll and/or non-flamebait posts have been modded most unfairly. Who the hell is getting modpoints these days?
Mod Parent down
-1 Censored.
Re: (Score:1)
Obviously you have never anally raped goatse guy.
Re: (Score:1)
Re: (Score:1)
social networking considered harmful (Score:5, Funny)
Re: (Score:3, Funny)
Can I order hot pockets over the Internet?
Re: (Score:2, Interesting)
Re: (Score:1)
I love this comment
Why not just cut the bullshit, mix it all together and label it "Bachelor Chow"?
Re: (Score:2)
Just log in to Everquest and type /hotpockets
Re: (Score:2)
Absolutely.
I just need your credit card info and that handy little PIN on the back.
30 minute delivery guaranteed!
Would you like to order anything else from our Nigerian menu?
Re:social networking considered harmful (Score:5, Funny)
The only safe place in the world is safe and sound all by your lonesome in your parents' basement.
Here in SA I've got 14cm hunter spiders in my parents' basement! Seriously. These things have garden snakes for breakfast, so don't fucking tell me how safe my parents' basement is - I only go in there with a team of sherpas and a pack of wolves.
On the plus side, we've very few snakes left.
Re: (Score:2)
> On the plus side, we've very few snakes left.
Unfortunately, we depend on the snakes to keep the rats under control.
sPh
Re: (Score:1)
Welcome to South Africa, have a nice day, oh, and by the way, stay away from anything furry with eight legs and a social problem.
Re: (Score:2)
Re: (Score:1)
On the plus side, we've very few snakes left.
We could let your spiders loose on planes!
Re: (Score:3, Funny)
Not my parents' basement... It is pitch black. You are likely to be eaten by a grue.
Re:social networking considered harmful (Score:5, Funny)
There's a guy a few posts up with some hunter spiders that will take care of that grue for you.
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Right. Prepare to have spiders with lasers on their forehead (and nice sharkskin boots on all eight feet).
Re: (Score:1)
And a beowulf cluster of those!
Re: (Score:1, Funny)
The only safe place in the world is safe and sound all by your lonesome in your parents' basement.
Radon. Carbon Monoxide. Mr. Muggles.
Nope, you're fucked.
Re:social networking considered harmful (Score:5, Funny)
It's not a basement, it's a command centre
Re: (Score:2)
If it uses the British spelling, it must be good!
Re: (Score:2)
Being British, I have to concur :)
Re: (Score:2)
Actually it's bunker in the UK as well o_0 I was actually quoting from Die Hard 4.0, or in the US, "Live Free or Die Hard"
Re: (Score:2)
You're damn right "whoosh". Either it's a random quote for something I don't know, or it's just an unfunny (to me) reference to spelling differences. It's you guys that fuck with the spellings, not us ;)
Re: (Score:2)
I believe the british version is 'bukkake' not 'bunkre'.
Re: (Score:2)
My parent's house doesn't have a basement you insensitive clod! I'm stuck in the den!
Re: (Score:2)
Re: (Score:2)
Smothering your personal info all over the place might be a bad idea, but doing so in a bar is infinitely less dangerous than doing it on the www where every future employer/mother in law can find you back years later.
Which is why I'm gonna write a book, for which I haven't made up the title yet, about an underground gang of 1337z h4x0rz who, for a high fee, of course, hack into all kinds of social networking sites and whatnot and fix peoples' information. So that girl who had some revealing pictures take
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
BFD(?) (Score:5, Insightful)
Re: (Score:2, Insightful)
Re: (Score:1)
That's why it's here. We don't know. It's up to us geeks to philosophize.
We're like dust in the wind, dude.
Dust.
Wind.
Dude.
Re:BFD(?) (Score:5, Insightful)
MOD PARENT UP (Score:2)
Re:BFD(?) (Score:5, Funny)
Re: (Score:2)
Effin' ripoff! There weren't no porn thar!
Re: (Score:1)
Re: (Score:2)
Then, as luck would have it, I get an ad for more flexible screwing [doubleclick.net] when I hit the reply button. Well, what more do you need to get you going?
[x] post anonymously
Re: (Score:2)
Oh, wait, supposed to ddos a victim. Nevermind then.
Re: (Score:1)
I didn't. I dont need the help.
Re: (Score:1)
Re:BFD(?) (Score:5, Funny)
You should have linked to Idle, now that's malicious.
Re: (Score:2)
ERROR
The requested URL could not be retrieved
While trying to retrieve the URL: http://it.slashdot.org/%23 [slashdot.org]
The following error was encountered:
* Read Error
The system returned:
(104) Connection reset by peer
An error condition occurred while reading data from the network. Please retry your request.
Damn you!
Nothing new... (Score:3, Informative)
tm
Re: (Score:3, Interesting)
Agreed. Especially since a user trying to interact with ANYTHING dynamic on a profile page has to CLICK it to enable it. Embed your own "malicious" DDOS flash code into an "application" with some cutesy front end, and have it pull a large NASA image and push it as a form upload to the target site. Basically, once the user clicks your flash/activeX/blaahXY content, you have an array of flash/activeX/blaahXY exploits to
Re: (Score:2, Insightful)
I agree 99% with CWRUisTakingMyMoney.
I have not read the article, but I'd like to point out the possibility that because social networking is a big buzz-word, the experiment is being misrepresented.
While I don't believe an experiment really proves anything to anyone with a mind of their own, I think we're all way past due to begin thinking about better sandboxing (more precise, efficient, and platform-agnostic) methods for running all the untrustworthy code we do. We ought to have control over how resources
Re: (Score:2)
You could explain away the praises too.
I'm sure there are plenty of people who know it's a hack and gave it praise just to get others to add the app to their page.
This is a "nothing to see here" story.
It's the delivery method, not the payload (Score:3, Insightful)
Using the app to DDOS someone is simply the payload. The point is that:
(a) A trojan was introduced into the ecosystem.
(b) Users installed it.
It's not clear whether the users simply saw it in the directory and installed it, or whether they looked at their friends' apps and said, "Hey, that looks interesting." (Or whether users were promoting it to their friends, like a chain letter.)
The lesson is that social network apps need to be treated with the same caution as apps that you would install on your comput
Re: (Score:2)
There are plenty of apps that actually see some heavy use. As in 50k+ installations, not 500+. Just hotlinking an image could do some pretty heavy damage to most sites, never mind a massive POST request.
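The story summary describes an app that makes every viewer's browser fetch a large image from a victim's site, and the comment above points out that plain hotlinking at scale does the same thing. From the victim's side the signature is distinctive: one third-party Referer, one large resource, many distinct client addresses in a short window. The detector below is an added example, not code from the researchers or from any poster; it assumes Apache/nginx "combined" log format and constructed sample lines (the hosts `apps.social-network.test` and `www.victim.test`, the thresholds, and `OWN_HOSTS` are all made up for the example).

```python
"""Spot referer-driven hotlink floods in combined-format access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: six different visitors, all sent by the same external app page,
# plus two ordinary requests (own gallery page, direct curl) that must not count.
SAMPLE_LOG = [
    '198.51.100.11 - - [10/Oct/2008:13:55:01 +0000] "GET /images/daily.jpg HTTP/1.1" 200 614400 "http://apps.social-network.test/photo-app/" "Mozilla/5.0"',
    '198.51.100.12 - - [10/Oct/2008:13:55:07 +0000] "GET /images/daily.jpg HTTP/1.1" 200 614400 "http://apps.social-network.test/photo-app/" "Mozilla/5.0"',
    '198.51.100.13 - - [10/Oct/2008:13:55:15 +0000] "GET /images/daily.jpg HTTP/1.1" 200 614400 "http://apps.social-network.test/photo-app/" "Mozilla/5.0"',
    '198.51.100.14 - - [10/Oct/2008:13:55:22 +0000] "GET /images/daily.jpg HTTP/1.1" 200 614400 "http://apps.social-network.test/photo-app/" "Mozilla/5.0"',
    '198.51.100.15 - - [10/Oct/2008:13:55:38 +0000] "GET /images/daily.jpg HTTP/1.1" 200 614400 "http://apps.social-network.test/photo-app/" "Mozilla/5.0"',
    '198.51.100.16 - - [10/Oct/2008:13:55:51 +0000] "GET /images/daily.jpg HTTP/1.1" 200 614400 "http://apps.social-network.test/photo-app/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2008:13:55:30 +0000] "GET /images/daily.jpg HTTP/1.1" 200 614400 "http://www.victim.test/gallery" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Oct/2008:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.19"',
]
OWN_HOSTS = {"www.victim.test", "victim.test"}  # hypothetical: the site's own hostnames


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["referer_host"] = urlsplit(rec["referer"]).hostname or "-"
    return rec


def detect_hotlink_floods(lines, own_hosts, window_s=60, min_requests=5, min_bytes=1_000_000):
    """Group requests by (external referer host, path, time window) and flag heavy buckets.

    Requests with no referer or with the site's own referer are ignored: the
    pattern of interest is an outside page driving many clients at one resource.
    """
    buckets = defaultdict(lambda: {"requests": 0, "bytes": 0, "clients": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["referer_host"] == "-" or rec["referer_host"] in own_hosts:
            continue
        window = int(rec["ts"].timestamp()) // window_s
        bucket = buckets[(rec["referer_host"], rec["path"], window)]
        bucket["requests"] += 1
        bucket["bytes"] += rec["bytes"]
        bucket["clients"].add(rec["ip"])

    alerts = []
    for (referer_host, path, _window), b in sorted(buckets.items()):
        if b["requests"] >= min_requests and b["bytes"] >= min_bytes:
            alerts.append({
                "referer_host": referer_host,
                "path": path,
                "requests": b["requests"],
                "bytes": b["bytes"],
                "distinct_clients": len(b["clients"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_hotlink_floods(SAMPLE_LOG, OWN_HOSTS):
        print(alert)
```

The `distinct_clients` count is what separates this from a single noisy visitor: an ordinary hotlink shows one or two addresses, while an app-driven fetch shows as many addresses as the app has viewers. Once a referer host is flagged, the usual mitigation is a web-server rule that serves a tiny placeholder (or a 403) to requests carrying that Referer, which costs the site a few bytes per hit instead of the full image.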
social apps and gadgets (Score:2, Insightful)
more direct malicious app (Score:5, Funny)
Why not build a more aggressive app and call it something like "Facebook Botnet Webapp Client 2.04.2" and then reward people minion points for delivered spam, DDoS attack packets, and friend referrals. No need to hide it as a beneficial application, people want to belong to something--why else are they on facebook?
Re: (Score:1)
It started out as a joke, but by the time I finished writing the post, it sounded pretty awesome and awesome should be written in LOLCODE [lolcode.com].
Oh that's nothing (Score:5, Funny)
I used to serve a 2 MB file of zeros at favicon.ico. I even used a bogus MIME type to give MSIE a fighting chance. Of course MSIE ignored the MIME type and charged ahead anyway.
Re: (Score:2)
You gave me a great idea.
Buffer overflow of favicon.ico
muhahahaha
Re: (Score:2)
So... you just waste your own bandwidth? Nice.
Re: (Score:2)
Re: (Score:2)
I used to have an app-killer image. It was basically an empty JPEG with a header that claimed the image was 1,000,000 x 1,000,000 pixels big.
Crashed practically any app you tried to open it with.
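The "app-killer image" above works because decoders trust the dimensions in the header and try to allocate a buffer for them before they have seen a single pixel. The defensive counterpart is to read the declared width and height out of the container header yourself and refuse the file before it reaches a decoder. The code below is an added example, not the poster's image or any library's code; it handles both PNG (whose IHDR chunk has 32-bit fields and can therefore declare 1,000,000 x 1,000,000) and JPEG (whose SOF frame header fields are 16-bit, so the largest claim it can encode is 65535 x 65535), and the pixel budget `MAX_PIXELS` and the header-builder helpers are hypothetical, used only to construct test input.

```python
"""Reject images whose declared dimensions exceed a pixel budget, before decoding (added example)."""
import struct

MAX_PIXELS = 50_000_000  # hypothetical policy: about 50 megapixels

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# JPEG SOFn markers (baseline, progressive, lossless, ...) that carry the frame header.
JPEG_SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
                    0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def png_dimensions(data):
    """Width/height from the IHDR chunk, which must be the first chunk after the signature."""
    if not data.startswith(PNG_SIGNATURE) or len(data) < 24:
        return None
    if data[12:16] != b"IHDR":
        return None
    width, height = struct.unpack(">II", data[16:24])
    return width, height


def jpeg_dimensions(data):
    """Walk the marker segments after SOI until the first SOFn and read its height/width."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None  # expected a marker here; header is malformed
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte, skip it
            pos += 1
            continue
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2  # standalone markers with no length field
            continue
        if marker == 0xD9:
            return None  # end of image before any frame header
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return None
        if marker in JPEG_SOF_MARKERS:
            if pos + 9 > len(data):
                return None
            # SOF payload: precision(1) height(2) width(2) components(1) ...
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        pos += 2 + seg_len
    return None


def declared_dimensions(data):
    dims = png_dimensions(data)
    return dims if dims is not None else jpeg_dimensions(data)


def check_image(data, max_pixels=MAX_PIXELS):
    """Return (accepted, reason). Unrecognised or truncated headers fail closed."""
    dims = declared_dimensions(data)
    if dims is None:
        return False, "unrecognised or truncated header"
    width, height = dims
    if width == 0 or height == 0:
        return False, "zero-sized image"
    if width * height > max_pixels:
        return False, f"declared {width}x{height} exceeds pixel budget"
    return True, f"{width}x{height} within budget"


# Constructed test input: minimal headers only (no pixel data, no CRCs), enough to be parsed.
def make_png_header(width, height):
    ihdr = struct.pack(">II", width, height) + b"\x08\x06\x00\x00\x00"
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr


def make_jpeg_header(width, height):
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = (b"\xff\xc0" + struct.pack(">H", 17) + b"\x08"
            + struct.pack(">HH", height, width) + b"\x03"
            + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01")
    return b"\xff\xd8" + app0 + sof0


if __name__ == "__main__":
    for label, blob in [("killer png", make_png_header(1_000_000, 1_000_000)),
                        ("killer jpeg", make_jpeg_header(65535, 65535)),
                        ("normal jpeg", make_jpeg_header(800, 600))]:
        print(label, check_image(blob))
```

The check is deliberately header-only: it never hands the bytes to a decoder, so a lie in the header costs a few dozen bytes of parsing rather than a multi-gigabyte allocation. Modern image libraries expose the same idea as a decompression-bomb limit; this version shows what that limit is actually checking.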
Isn't there in the EULA/TOS something (Score:1)
Isn't there in the EULA/TOS something that makes this verboten? Unless he's/they've signed an NDA giving fb the time/opportunity to expunge the app, clean up the mess, and warn users, he's just helping the bad guys know fb is inattentive. Not as if the end users all have tools to ferret out the malicious apps.
If he's brought to court, then maybe the terms of settlement could be he acts as fb's and others' human sacrificial firewall.
fb could even retaliate by making a profile of the listed developer, making
Have to (Score:1)
Who's surprised? (Score:1)
So who was surprised by this? I had the same ideas awhile back when I first joined and noticed my ability to create my own apps. I considered creating one purely for the purpose of collecting user information. Just for the hell of it. But more of a way of seeing just how much data I could gather. I have yet to see an app on facebook that didn't require that you provide access to EVERYTHING. If you check (or uncheck.. don't remember how that works) any of the privacy options you get the message "But we
Doesn't work. (Score:3, Funny)
Mod the main article down. It is redundant. (Score:5, Funny)
They built a malicious Facebook application. Big deal. They're all malicious and annoying. The whole damn site is a marketing work to pull personal data about interconnected relationships together for marketing.
"Malicious Facebook App" is like "Table Mesa" (a place in Arizona). It's redundant: Mesa means Table in Spanish.
Explanation? (Score:1)
Malicious? Faugh. (Score:2)
Channelling the masses for fun and profit (Score:1)
This seems, when all is said and done, to simply be taking advantage of the power of large numbers of people on the Internet. Facebook is merely a userbase that happens to have a toolset attached. Admittedly, the userbase is somewhat more suggestible than many others (see the various superhero/pirate/ninja viral games that can be seen cavorting across people's profiles); however, this type of coordination has been done before, albeit usually with participants' knowledge.
Hopefully, we can see this amount of