WebVivant

Anti-Social Networking

Social networking sites have created a security nightmare of user-supplied content, open APIs and heavy use of client-side code.

Published: Network Security

Social networking has made the web a friendlier, more connected but more complex environment. Sites such as Facebook, MySpace, Orkut, LinkedIn and their like have concocted a dangerous cocktail of user-supplied content, open APIs, and web pages heavily loaded with Javascript and embedded media of all descriptions. And it’s an environment that is largely devoid of security standards and practices.

New sites and features appear at a breathtaking pace, so the size and nature of the attack surface changes constantly. However, arguably the weakest part of the social networking environment is well understood and already installed on users’ machines — the browser.

Social networks are subject to all the standard vulnerabilities of the web. Facebook, for example, has suffered a number of XSS exploits [1] ranging from session hijacking to fake login pages for stealing credentials. And not all of the exploits required sophisticated techniques. At one time, it was possible to view other users’ images on Facebook, even those marked as private, simply by guessing the image ID, because Facebook’s software failed to check user permissions.

To this already flaky situation, social networks add some very special qualities of their own. Web 2.0 is all about user-supplied content, so that site operators are never fully in control of what their sites are delivering from moment to moment. Much of the social networking functionality is achieved with huge tranches of client-side Javascript to which users can add their own. And this all takes place within a new and largely unwarranted context of trust.


Large target

Social networks are attractive targets for those with malicious intent. Each site offers a huge user base sharing a common infrastructure. Of course, social network users don’t think of themselves as part of a group so much as individuals, so there is a persistent belief that “no-one would bother attacking me”.

But there is a good reason for them to be attacked. The information that users willingly supply is highly valuable. Security company iDefense tracks down those who attack these sites, to find out what they're after. “It’s client information,” says Rick Howard, the company's director of intelligence. “We’re seeing a lot of user ID and passwords for Facebook and other sites. They’re doing data mining on those credentials. Most people don’t bother with different user names and passwords, so if they can figure out what your username and password are on Facebook, there’s a chance that at least a small percentage of those will be the same for your banking login also.”

Even if you haven't been that stupid, the average user's profile contains information like their pet's name, where they went to school, family details – just the kind of information used for security or 'lost password' questions by banking services.


Trust issues

Many of the exploits we see on social networking sites wouldn’t work without the level of trust they engender. People join these networks out of a desire to be part of a community. The sharing of thoughts, experiences, files, images, videos and links reaches a frenetic and promiscuous level. In this context, a simple link to a dodgy website (perhaps with a drive-by downloading exploit) has a far greater chance of succeeding than as email or forum spam.

Orkut, for example, has been hit by worms, probably of Brazilian origin, that attempted to steal banking information by getting users to click on a linked JPEG. Orkut users were also among the targets of a Twitter-based scam, which embedded URLs in tweets that enticed users into downloading a fake Flash update or presented a fake Orkut login page, which then harvested Google account details. This very simple exploit could conceivably have been combined with another, mentioned but not detailed by Aviv Raff on his twitpwn.com blog. Using CSRF techniques, innocent Twitter users can be forced into automatically following a profile simply by clicking on a link, which can be on any site. Raff reports only a partial fix by Twitter. Harvesting followers like this presents social engineering possibilities, but linked with exploit URLs in tweets, the effect could be even more serious.

Malicious links are more effective when wrapped around an appealing image or delivered via a Flash animation. Not all social networking sites have been rigorous in, say, stripping event-handler attributes such as onclick from <img> tags, or eliminating calls to offsite content. Even with some code vetting, an <img> tag causes the viewer’s browser to issue a GET request, and that request itself can be abused.
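What the stripping described above looks like when done as an allowlist rather than a blacklist, as an added example (not code from the article or from any of the sites it names): every tag and attribute not explicitly permitted is dropped, every on* handler goes, javascript: and data: URLs are refused, and an <img> is kept only if its src points at a trusted image host, since otherwise the viewer’s browser would be sent off-site. The trusted host name is a constructed placeholder.

```python
"""Allowlist sanitizer for user-supplied HTML.

Added example, not code from the article or any social network. It keeps a few
harmless tags, drops every on* event-handler attribute, rejects javascript:
and data: URLs, and refuses <img src> that points off-site, since even a bare
<img> makes the viewer's browser send a GET to wherever the src says.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
TRUSTED_IMAGE_HOSTS = {"images.example-social.test"}   # constructed placeholder host
RAW_TEXT_TAGS = {"script", "style"}                     # their content is dropped, not escaped


def _safe_url(value, attr):
    parts = urlparse(value.strip())
    if parts.scheme not in ("http", "https", ""):
        return False                          # javascript:, data:, vbscript: ...
    if attr == "src" and parts.netloc.lower() not in TRUSTED_IMAGE_HOSTS:
        return False                          # off-site image means a cross-site GET
    return True


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []     # stack of emitted tags, so output stays well formed
        self.skipping = None    # set while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in RAW_TEXT_TAGS:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return                            # drop the tag but keep its text content
        kept = {}
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue                      # event handlers and unknown attributes
            if value is None or (name in ("href", "src") and not _safe_url(value, name)):
                continue
            kept[name] = value
        if tag == "img" and "src" not in kept:
            return                            # an image with no trusted src is dropped whole
        rendered = "".join(f' {n}="{escape(v)}"' for n, v in kept.items())
        self.out.append(f"<{tag}{rendered}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in VOID_TAGS or tag not in self.open_tags:
            return
        while self.open_tags:                 # close anything still open inside this tag
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:                 # close whatever the user left unclosed
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize(html):
    """Return a safe HTML fragment built only from allowlisted tags and attributes."""
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print(sanitize('<img src="http://evil.test/x.gif" onclick="alert(1)"><p onmouseover="x">Hi <b>there</b></p>'))
```

The point of the allowlist is that a new attribute or scheme the site has never heard of is rejected by default; a blacklist of known-bad names (ONCLICK, javascript:) has to be extended every time the browser learns a new trick.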

Spammers have been known to use Flash files uploaded to photo hosting site ImageShack to trick people into visiting dubious sites. The spammers upload a Flash file that contains automatic redirection to another URL — a ‘feature’ of Flash. Then they send out spam emails containing the URL of the Flash file. Because the URL points to ImageShack, it may well bypass many anti-spam filters — and any natural suspicion on the part of recipients.

We’ve also seen social networking exploited as a way of spreading malware. The worms dubbed Koobface.a and Koobface.b by Kaspersky attacked MySpace and Facebook respectively. When a compromised user connected to the social networking sites, the infected machine posted messages to friends enticing them to sites where they, too, could become infected. These invitations wouldn’t be nearly so effective without the trust generated by the social network.


Bad habits

Social networkers also lack the habit of verification. In a presentation called ‘Satan is on my Friends list: Attacking social networks’ [2], researchers Shawn Moyer and Nathan Hamiel detailed how they had (with permission) impersonated a well-known IT security professional on LinkedIn.

Social networks are full of members who judge their self-worth by the number of ‘friends’ they have. Some even boast of their promiscuity, labelling themselves ‘open networkers’. Moyer and Hamiel found plenty of them with a simple Google search. In 12 hours, their fake persona had attracted 42 connections, giving it sufficient credibility to attract connection requests from a member of the person’s family, other professionals and a magazine editor. At no time did anyone question the veracity of the profile.

The potential for conventional social engineering is obvious. Already, social networks offer a rich seam of data for spearphishers. Getting a message from someone you think you know will only make falling for a scam that much more likely.


Client-side code

Then we come to what’s happening on the client side. Many websites embed Javascript in their pages but social networks give malicious (or incompetent) users the opportunity to add their own. Site operators may attempt to filter some of this, stripping out Javascript in user-created content, but the most generous thing one can say is that some are more successful than others.

Much of the functionality of social networking depends on client-side Javascript. Such sites make heavy use of technologies such as Ajax and JSON. And there is ever-greater deployment of Rich Internet Application (RIA) frameworks.

“Flex and Flash are just the start of it,” says Scott Nursten, MD of IT infrastructure firm s2s. “Embedding video and audio mean that you are using different components on the client machine – you’re interacting with iTunes, Quicktime, Windows Media Player, Xamp, Mplayer. And every time you add another piece of code that you’re interacting with, you create another potential attack vector.”


Third-party content

To make matters worse, both content and functionality are increasingly provided by third parties. And the most prolific examples of this are Facebook applications. In terms of trust, these are a problem because they carry the implied endorsement of the site. How many Facebook users are really aware (warnings notwithstanding) that the apps they install are not supplied by Facebook itself? The truth is, it’s hard to tell who has written them or even, in some cases, where they are hosted.

Years of education by IT departments and anti-virus companies have failed to stop many users clicking on things they shouldn’t. Even those who are savvy enough to treat email attachments with suspicion don’t see anything wrong with installing a Facebook app. They don't think of it as ‘installing software’.

We're likely to see a constant flow of new vulnerabilities simply as the result of poor coding. These apps originate from coders of all levels of professionalism, but very few are likely to have any awareness of, let alone skill in, writing secure software. For example, for a while the Superwall application on Facebook used a simple HTML form on the page to allow you to leave comments on a friend’s profile. The IDs of both you and your friend were held in standard ‘hidden’ <input> elements. Using a tool like Firebug, it was a trivial matter to insert another ID so that the message would appear to come from someone else. This crude hack no longer works, but it shows how a simple lack of attention opens the door to social engineering.
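Both the guessable private image IDs mentioned earlier and the Superwall hidden-field trick are the same class of defect: the server trusted something the client controls (an ID in the URL, a value in a hidden <input>) instead of deciding on its own records. The following is an added example, not Facebook’s or Superwall’s code, with constructed users, images and IDs; each vulnerable handler sits beside a fixed one that takes the identity from the authenticated session and checks ownership and friendship on the server.

```python
"""Server-side authorization instead of trusting client-supplied IDs.

Added example, not code from Facebook or the Superwall application. Users,
images, IDs and the wall store are constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    uid: int
    friends: set = field(default_factory=set)


@dataclass
class Image:
    image_id: int
    owner: int
    visibility: str          # "public", "friends" or "private"


class Forbidden(Exception):
    """Raised for both 'not found' and 'not allowed', so IDs cannot be probed."""


# Constructed sample data: 1 and 2 are friends, 3 is a stranger.
USERS = {1: User(1, friends={2}), 2: User(2, friends={1}), 3: User(3)}
IMAGES = {
    100: Image(100, owner=1, visibility="private"),
    101: Image(101, owner=1, visibility="friends"),
    102: Image(102, owner=2, visibility="public"),
}
WALL = []                    # (author_uid, target_uid, text)


# --- Vulnerable: the numeric ID is the only thing standing between a viewer
#     and a private image, so sequential guessing enumerates the lot.
def get_image_vulnerable(viewer_uid, image_id):
    return IMAGES[image_id]                   # who is asking is never considered


# --- Fixed: the decision rests on stored owner/visibility and the viewer's identity.
def can_view(viewer_uid, image):
    if image.visibility == "public" or viewer_uid == image.owner:
        return True
    if image.visibility == "friends":
        return viewer_uid in USERS[image.owner].friends
    return False                              # private: owner only


def get_image(viewer_uid, image_id):
    image = IMAGES.get(image_id)
    if image is None or not can_view(viewer_uid, image):
        raise Forbidden("image not available to this user")
    return image


# --- Vulnerable: the sender is whatever the hidden form field says, so editing
#     from_id in the browser makes the post appear to come from someone else.
def post_wall_vulnerable(session_uid, form):
    WALL.append((int(form["from_id"]), int(form["to_id"]), form["text"]))
    return WALL[-1]


# --- Fixed: the sender is the authenticated session user; the form only names
#     the target, and the target has to be the sender or one of their friends.
def post_wall(session_uid, form):
    target = int(form["to_id"])
    if target not in USERS:
        raise Forbidden("no such user")
    if target != session_uid and target not in USERS[session_uid].friends:
        raise Forbidden("can only post to friends")
    WALL.append((session_uid, target, form["text"]))
    return WALL[-1]


if __name__ == "__main__":
    print(post_wall_vulnerable(3, {"from_id": "2", "to_id": "1", "text": "hi"}))  # spoofed as user 2
    print(post_wall(2, {"from_id": "1", "to_id": "1", "text": "hi"}))              # from_id ignored
```

Note that the fixed image handler returns the same error for a missing ID and a denied one; answering differently would let a caller map which IDs exist even without seeing the images.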

“Most applications have excessive permissions to parse all aspects of your profile over and above the security settings defined by the account holder,” says Simon Morris, Research & Development Director at Pentura. “By implication if these third party applications are badly written they can be exploited to mine personal information. Facebook do have specific policies regarding its API but with so many external variables this is difficult to police.”


Malicious apps

Then there are the deliberate vulnerabilities. The first well-known abuse of Facebook apps appeared with the ‘Secret Crush’ worm. Each victim received a message saying that someone out there had a secret crush on them and that, to find out who, all they need do is install the application. When they complied, they found that they first had to pass on the invitation to install to five of their friends, making Secret Crush a ‘social worm’. Once the app was installed, the victim was then prompted to download and install a ‘Crush Calculator’, which was in fact the Zango application. This has been variously described as adware (at the polite end of the spectrum) and spyware.

The ruse quickly achieved one million infections of Facebook users’ profiles. Even those who did not install Zango, but just the Facebook app, had already been compromised. Facebook apps ask if they may have access to your personal data (Secret Crush insisted on it). Most users, feeling that the app wouldn’t ask if it didn’t need it, will agree.

More recently, a proof-of-concept exploit used Javascript embedded in a Facebook Markup Language (FBML) tag to permit cookie hijacking and other undesirable effects [3]. This has since been fixed but, just as with conventional malware vectors, fixes always trail exploits.

The attack surface can only get larger with the adoption of OpenSocial, the set of APIs designed to allow apps to operate across multiple social networking sites. In addition to cross-site functionality, we can, perhaps, expect OpenSocial to enable cross-site vulnerabilities.


Social DoS

Potential victims are not confined to those who install the apps. A group of Greek researchers recently demonstrated a type of DDoS attack using Facebook [4]. Their FaceBot app promised users an interesting picture each day in their profile. But each time the user’s profile was viewed, the app also downloaded four images from a targeted server. These images were hidden inside tiny iframes. With sufficient take-up of the app, the targeted site would see a massive drain on its bandwidth.

Figure 1: FaceBot floods a target server with image requests (Source: Elias Athanasopoulos)

Even without advertising, the proof of concept app was installed over 1,000 times. DNS lookups showed a wide geographical distribution of requests, which would have made conventional leech protection measures difficult. The researchers found that bandwidth usage occurred in bursts, but that a more sustained attack could have been achieved using Javascript to make continuous requests. And they believe that other potential uses of this technique might include host scanning, malware propagation, and overriding authentication based on cookies, as well as targeted attacks on Facebook members.
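From the targeted server’s side, the FaceBot traffic has a recognisable shape: the same few image URLs fetched in bursts from many different client addresses, every request carrying a Referer on one social-network domain. As the researchers note, blocking by client address is awkward when the clients are real, widely spread browsers, but the (referer host, path) pairing is stable. The following added example (not code from the paper or the article) groups access-log lines by that pairing per time window and flags buckets that are both busy and distributed; the log lines are constructed in Apache combined format.

```python
"""Spotting a FaceBot-style request flood in web server access logs.

Added example, not code from the paper or the article. The log lines are
constructed; the referer host and paths are illustrative only.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed Apache combined-format lines: six hits on one image from five
# clients within a minute, all referred from one app page, plus normal traffic.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2008:13:55:36 +0000] "GET /img/a.jpg HTTP/1.1" 200 2326 "http://apps.facebook.com/facebot/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2008:13:55:37 +0000] "GET /img/a.jpg HTTP/1.1" 200 2326 "http://apps.facebook.com/facebot/" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2008:13:55:39 +0000] "GET /img/a.jpg HTTP/1.1" 200 2326 "http://apps.facebook.com/facebot/" "Mozilla/5.0"',
    '192.0.2.50 - - [10/Oct/2008:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [10/Oct/2008:13:55:41 +0000] "GET /img/a.jpg HTTP/1.1" 200 2326 "http://apps.facebook.com/facebot/" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2008:13:55:44 +0000] "GET /img/a.jpg HTTP/1.1" 200 2326 "http://apps.facebook.com/facebot/" "Mozilla/5.0"',
    '192.0.2.51 - - [10/Oct/2008:13:55:45 +0000] "GET /img/a.jpg HTTP/1.1" 200 2326 "http://www.example.test/gallery" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2008:13:55:46 +0000] "GET /img/b.jpg HTTP/1.1" 200 1900 "http://apps.facebook.com/facebot/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2008:13:55:52 +0000] "GET /img/a.jpg HTTP/1.1" 200 2326 "http://apps.facebook.com/facebot/" "Mozilla/5.0"',
]

# client, ident, user, [timestamp], "GET path proto", status, size, "referer"
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" \d{3} \S+ "([^"]*)"')


def parse_line(line):
    """Return (client_ip, timestamp, path, referer_host), or None for non-GET lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, referer = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, path, urlparse(referer).netloc.lower()


def find_floods(lines, window_seconds=60, min_requests=5, min_clients=3):
    """Map (referer_host, path) -> (requests, distinct clients) for the busiest
    window in which the bucket was both busy and spread across many clients."""
    buckets = defaultdict(lambda: [0, set()])
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, path, host = rec
        if not host:
            continue                          # direct hits: no referer to pivot on
        slot = int(when.timestamp()) // window_seconds
        bucket = buckets[(host, path, slot)]
        bucket[0] += 1
        bucket[1].add(ip)
    flagged = {}
    for (host, path, _slot), (count, ips) in buckets.items():
        if count >= min_requests and len(ips) >= min_clients:
            best = flagged.get((host, path), (0, 0))
            if count > best[0]:
                flagged[(host, path)] = (count, len(ips))
    return flagged


if __name__ == "__main__":
    for (host, path), (count, clients) in find_floods(LOG_LINES).items():
        print(f"{path} fetched {count} times from {clients} clients, referred by {host}")
```

A single visitor loading a gallery page from a legitimate referer never trips both thresholds, which is what keeps this from flagging ordinary embedding; the operator can then decide to refuse that referer for the affected paths rather than blocking individual users.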


Request fraud

With all this code and user-supplied content on a page, there is clearly the potential for CSRF attacks. At Black Hat, Moyer & Hamiel pointed out the potential for a CSRF exploit in a profile on one site to force you to install an app or add an attacker as a friend on another site.

They also outlined the possibility of using functions not normally considered as attack vectors — such as a request forgery to the logout function. They hypothesised a situation in which a malicious user makes a comment on someone’s profile and includes the request forgery exploit. The profile owner would be unable to delete the comment because he or she would be logged out each time the profile is viewed. This is because many administration functions are carried out using a page similar or identical to the profile seen by visitors, rather than a separate admin page.
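The logout forgery works because the logout action is reachable by a plain GET that the browser will send, cookie attached, whenever it renders a link or image planted in a comment. The usual defence is to treat logout like every other state change: accept it only as a POST carrying a token bound to the session. This is an added example, not any site’s own code; the session store, request object and token derivation (an HMAC of the session ID under a server key) are constructed for the demonstration.

```python
"""Synchronizer-token CSRF protection, with logout treated as a state change.

Added example, not code from any social network. Session store, request
object and server key are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)     # constructed; a real deployment persists and rotates this
SESSIONS = {}                            # session_id -> user id

# Every endpoint that changes state. Logout belongs here just as much as
# 'add friend' or 'install app': a forged logout is a denial of service.
STATE_CHANGING = {"/logout", "/comment", "/friend/add", "/app/install"}


@dataclass
class Request:
    method: str
    path: str
    session_id: Optional[str] = None     # from the session cookie
    form: Optional[dict] = None          # POST body fields


def login(uid):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = uid
    return sid


def csrf_token(session_id):
    """Token to embed in the site's own forms; nothing extra to store server-side."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id, supplied):
    if not isinstance(supplied, str):
        return False
    return hmac.compare_digest(csrf_token(session_id).encode(), supplied.encode())


def handle(req):
    """Dispatch a request; returns (status, body)."""
    uid = SESSIONS.get(req.session_id)
    if uid is None:
        return 401, "not logged in"
    if req.path in STATE_CHANGING:
        if req.method != "POST":
            return 405, "state change requires POST"      # <img>/<a> in a comment stops here
        if not token_valid(req.session_id, (req.form or {}).get("csrf_token")):
            return 403, "missing or bad CSRF token"       # cross-site form post stops here
    if req.path == "/logout":
        del SESSIONS[req.session_id]
        return 200, "logged out"
    if req.path == "/profile":
        return 200, f"profile of user {uid}"
    return 200, "ok"


if __name__ == "__main__":
    sid = login(7)
    print(handle(Request("GET", "/logout", sid)))                                   # (405, ...)
    print(handle(Request("POST", "/logout", sid, {"csrf_token": csrf_token(sid)})))  # (200, 'logged out')
```

Refusing GET alone is not enough, because a comment can also carry a self-submitting form; the token is what a page on another origin cannot read and therefore cannot forge. Keeping the admin actions off the publicly rendered profile page, as the article suggests, removes the planted comment's chance to fire in the owner's context in the first place.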


Fighting back

Many companies ban the use of social networking sites. The UK leads Europe in this strategy, according to a survey by 3 mobile. Some 35 per cent of firms have official 'social notworking' policies. Yet social networking is fast becoming an integral part not just of our personal life, but business life too.

Identifying individual vulnerabilities is nigh on impossible. The content of any one page changes from hour to hour. New apps appear constantly, and their code changes without notice.

Filtering based on signatures, URLs or reputation engines may not be effective. The embedding of elements like Ajax code, and the hosting of malware in, for example, adverts on otherwise legitimate sites, can evade conventional protections.

Some companies are offering cloud-based solutions. Cloudmark, for example, uses feedback from a community of users. “They don’t necessarily have to recognise bad code,” says Neil Cook, Head of Technology Services, EMEA. “They know bad behaviour or when something doesn’t look right.” This information is fed back to the social network site operators.

Google Web Security is provided as Software as a Service (SaaS) to scan inbound and outbound web traffic using a variety of techniques such as examining the behaviour of code and contextual parameters.

Corporate policies and browser settings that prevent software installation will help. So will advances in browsers to prevent or limit the potential for cross-site exploits. But perhaps the most effective and immediate remedy is yet another education campaign among users to stop them being so trusting. Whether you think that's a good thing is another matter.


References

1. Search xssed.com for a list of XSS exploits on Facebook.

2. Satan is on my Friends list: Attacking social networks, Moyer & Hamiel, 2008. <https://www.blackhat.com/presentations/bh-usa-08/Moyer_Hamiel/BH_US_08_Moyer_Hamiel_Satan_is_on_my_Friends_List_Whitepaper.pdf>

3. Facebook summarily denies undeniable user-menacing security hole, The Register, 25 Aug 2008. <http://www.theregister.co.uk/2008/08/25/facebook_security_hole/>

4. Antisocial Networks: Turning a Social Network into a Botnet, Athanasopoulos, Makridakis, Antonatos, Antoniades, Ioannidis, Anagnostakis, Markatos, 2008. <http://www.ics.forth.gr/dcs/Activities/papers/facebot.isc08.pdf>

Tags: IT technology security web social-networking Facebook hacking malware