Researchers Build Malicious Facebook App

narramissic writes "Back in January, a team of researchers uploaded a malicious program to Facebook to demonstrate the possible dangers of social networking applications. Called 'Photo of the Day,' the app serves up a new National Geographic photo daily, but every time it's clicked it sends a 600 K-byte HTTP request for images to a victim's Web site. Photo of the Day is still listed on Facebook, with its authorship attributed to Andreas Makridakis, one of the researchers. The application has 514 active users now, with several comments praising it. The study was published by the Foundation for Research and Technology in Heraklion, Greece, and the Institute for Infocomm Research in Singapore."
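The summary describes an app that makes each click hotlink a large batch of images from a victim's web server. As an added example (not code from the story, the researchers, or Facebook), here is a defender-side script the victim site's operator could run over an Apache/nginx "combined" access log to spot the pattern: many distinct clients fetching image files with a Referer from a single third-party application host. The log lines, host names, and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache/nginx "combined" log format (assumption: the site logs in this format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")

# Constructed sample log lines; the hosts and addresses are documentation ranges,
# not the real application or any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Sep/2008:18:26:01 +0000] "GET /gallery/photo1.jpg HTTP/1.1" 200 204800 "http://apps.example-social.test/photo-of-the-day/" "Mozilla/5.0"
203.0.113.11 - - [05/Sep/2008:18:26:02 +0000] "GET /gallery/photo2.jpg HTTP/1.1" 200 204800 "http://apps.example-social.test/photo-of-the-day/" "Mozilla/5.0"
203.0.113.12 - - [05/Sep/2008:18:26:03 +0000] "GET /gallery/photo3.jpg HTTP/1.1" 200 204800 "http://apps.example-social.test/photo-of-the-day/" "Mozilla/5.0"
198.51.100.5 - - [05/Sep/2008:18:26:04 +0000] "GET /gallery/photo1.jpg HTTP/1.1" 200 204800 "http://www.example.test/gallery/" "Mozilla/5.0"
198.51.100.6 - - [05/Sep/2008:18:26:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def hotlink_report(log_text, own_hosts):
    """Aggregate image bytes served per external Referer host.

    Returns {referer_host: {"bytes": int, "hits": int, "clients": set(ip)}}.
    Direct requests (no Referer) and requests referred by our own pages are
    skipped, since those are the legitimate ways images get loaded.
    """
    report = defaultdict(lambda: {"bytes": 0, "hits": 0, "clients": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().endswith(IMAGE_EXT):
            continue
        ref_host = urlparse(rec["referer"]).hostname if rec["referer"] != "-" else None
        if ref_host is None or ref_host in own_hosts:
            continue
        entry = report[ref_host]
        entry["bytes"] += rec["bytes"]
        entry["hits"] += 1
        entry["clients"].add(rec["ip"])
    return dict(report)


def flag_abusive_referers(report, byte_threshold, min_clients):
    """Referer hosts that pulled at least byte_threshold bytes of images from
    at least min_clients distinct client addresses. A single user browsing
    from one address will not trip both conditions; a widely installed app will."""
    return sorted(
        host for host, e in report.items()
        if e["bytes"] >= byte_threshold and len(e["clients"]) >= min_clients
    )


if __name__ == "__main__":
    report = hotlink_report(SAMPLE_LOG, own_hosts={"www.example.test"})
    for host in flag_abusive_referers(report, byte_threshold=500_000, min_clients=2):
        e = report[host]
        print(f"{host}: {e['bytes']} bytes over {e['hits']} hits from {len(e['clients'])} clients")
```

The flagged hosts are the input to an ordinary hotlink-protection rule on the web server (refuse or rewrite image requests whose Referer is one of them), which removes the amplification without touching legitimate visitors.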

  • BFD(?) (Score:5, Insightful)

    by CWRUisTakingMyMoney ( 939585 ) on Friday September 05, 2008 @06:26PM (#24895311)
    So, some researchers used Facebook as a singularly inefficient method of DDoSing someone. Anyone who wants a site taken down will use a botnet or something more reliable (and high-volume) than counting on Facebook users to add the latest greatest app of the day. Am I missing something, or is this really not nearly serious enough even to make /.?
  • by gbh1935 ( 987266 ) on Friday September 05, 2008 @06:27PM (#24895329)
    There are inherent security risks any time you allow code to be executed on a mammoth scale without some serious security inspection and review.
  • Re:BFD(?) (Score:2, Insightful)

    by ohxten ( 1248800 ) on Friday September 05, 2008 @06:39PM (#24895471) Homepage
    That's why it's here. We don't know. It's up to us geeks to philosophize.
  • Re:BFD(?) (Score:5, Insightful)

    by BitHive ( 578094 ) on Friday September 05, 2008 @06:40PM (#24895477) Homepage
    No, this is absolutely retarded. This is like saying I've uploaded malicious content to slashdot by telling everyone to click here for free porn [slashdot.org] where "here" is my victim's website.
  • Re:BFD(?) (Score:2, Insightful)

    by hdon ( 1104251 ) on Friday September 05, 2008 @06:56PM (#24895655)

    I agree 99% with CWRUisTakingMyMoney.

    I have not read the article, but I'd like to point out the possibility that because social networking is a big buzz-word, the experiment is being misrepresented.

    While I don't believe an experiment really proves anything to anyone with a mind of their own, I think we're all way past due to begin thinking about better sandboxing (more precise, efficient, and platform-agnostic) methods for running all the untrustworthy code we do. We ought to have control over how resources of all kinds are allowed to anything we run. It should be trivial to tell your browser what the default outgoing transmission rate for a Facebook app ought to be (but this should not be implemented in the browser -- it should be available for non-web-based software as well) as well as any other resource you can think of.
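hdon's idea of a default outgoing transmission rate per app, worked as an added example that is not code from the post or from any browser or platform: a token-bucket limiter on egress bytes, keyed by the requesting principal, with a platform default and a per-app override. The principal names, byte budgets, and clock values are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class Bucket:
    capacity: int    # burst allowance in bytes
    rate: float      # sustained refill, bytes per second
    tokens: float    # bytes currently available
    last: float      # clock reading at the last refill


class EgressLimiter:
    """Per-principal token bucket on outgoing bytes.

    Every app (principal) gets the platform default unless an explicit policy
    has been set for it. The caller passes the clock in, so behaviour is
    deterministic and testable.
    """

    def __init__(self, default_capacity=256_000, default_rate=64_000.0):
        self.default_capacity = default_capacity
        self.default_rate = default_rate
        self.policy = {}    # principal -> (capacity, rate) override
        self.buckets = {}   # principal -> Bucket

    def set_policy(self, principal, capacity, rate):
        """Override the budget for one principal; resets its bucket."""
        self.policy[principal] = (capacity, rate)
        self.buckets.pop(principal, None)

    def _bucket(self, principal, now):
        b = self.buckets.get(principal)
        if b is None:
            cap, rate = self.policy.get(principal, (self.default_capacity, self.default_rate))
            b = Bucket(cap, rate, float(cap), now)
            self.buckets[principal] = b
        return b

    def allow(self, principal, nbytes, now):
        """Return True and debit the bucket if nbytes may be sent now."""
        b = self._bucket(principal, now)
        elapsed = max(0.0, now - b.last)
        b.tokens = min(b.capacity, b.tokens + elapsed * b.rate)
        b.last = now
        if nbytes > b.capacity:
            return False        # larger than the burst allowance: never fits
        if nbytes <= b.tokens:
            b.tokens -= nbytes
            return True
        return False            # over budget for now; retry after refill


if __name__ == "__main__":
    lim = EgressLimiter()
    # A 600 KB request under the 256 KB default burst is refused outright.
    print(lim.allow("photo-of-the-day", 600_000, now=0.0))   # False
    print(lim.allow("photo-of-the-day", 200_000, now=0.0))   # True
    print(lim.allow("photo-of-the-day", 200_000, now=0.1))   # False, not refilled yet
    print(lim.allow("photo-of-the-day", 200_000, now=3.0))   # True after refill
```

The enforcement point is the API through which the app sends, not the app itself, which is what makes the cap platform-agnostic in the sense hdon describes: the same limiter can sit in a browser extension host, an application sandbox, or a per-user network namespace.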

  • Re:Researchers! (Score:3, Insightful)

    by goose-incarnated ( 1145029 ) on Friday September 05, 2008 @07:00PM (#24895683) Journal
    Your points have been duly noted.

    *pulls keyboard closer*

    However, I feel, very strongly, that when one is willing to acknowledge "The researchers did valuable work", then all those points fall away.

    As far as most research work goes (and it makes no difference whether you're in Marine Biology or Description Logics), all we do is publish what we find. Our most used sentence is "Nobody told me I had to find a solution as well". Most of research is simply discovering new problems for others to solve.

    (ps, ignore misspellings/errors in this post, Parents came to visit and brought a full bottle of single-malt whiskey, and am pleasantly drunk right now :-))
  • Re:Researchers! (Score:4, Insightful)

    by fictionpuss ( 1136565 ) on Friday September 05, 2008 @07:05PM (#24895729)

    Is this sarcasm which is going over my head?

    there are massive numbers of full-time researchers and few full-time bad guys.

    Do you have any figures/research for this or is it opinion?

    The "researchers" are helping, providing inspiration, and guidance to would-be part-time bad guys.

    The bad guys who will continue to go on and sell their exploits on international markets? So, the monetary motivation is nothing compared to the motivation generated by researchers?

    Exploits exist. Bad guys have a motivation to find them and keep them secret. Without researchers in the field, the good guys would never be able to fix the exploits.

    What about coming up with a better solution before panning the current situation which seems to work quite well? Do you work in the security field at all?

    Also, Slashdot supports paragraphs.

  • by Kelson ( 129150 ) * on Friday September 05, 2008 @08:04PM (#24896201) Homepage Journal

    Using the app to DDOS someone is simply the payload. The point is that:

    (a) A trojan was introduced into the ecosystem.
    (b) Users installed it.

    It's not clear whether the users simply saw it in the directory and installed it, or whether they looked at their friends' apps and said, "Hey, that looks interesting." (Or whether users were promoting it to their friends, like a chain letter.)

    The lesson is that social network apps need to be treated with the same caution as apps that you would install on your computer.
