Technology Review - Published By MIT

Turning Social Networks Against Users

Applications built on social networks may be the ideal way to distribute malicious code.

By Erica Naone

Monday, September 15, 2008

Ever since Facebook opened its doors to third-party applications a year and a half ago, millions of users have employed miniature applications to play games, share movie and song recommendations, and even "zombie-bite" their friends. But as the popularity of third-party applications has grown, computer-security researchers have also begun worrying about ways that social-networking applications could be misused. The same thing that makes social networking such an effective way to distribute applications--deep access to a user's networks of friends and acquaintances--could perhaps make it an ideal way to distribute malicious code.

A number of research projects have demonstrated growing unease. At the Information Security Conference in Taiwan this week, researchers from the Foundation for Research and Technology Hellas (FORTH) in Greece will present details of an experiment that involved enlisting Facebook users in a potentially devastating kind of Internet attack. The researchers created an application that displays photographs from National Geographic on a user's profile page. However, invisible to the user, the app also requests large image files from a target server--in this case, a test machine hosted at FORTH. Provided that enough people add the application to their page, the resulting flood of requests can shut down the server or render it inaccessible to legitimate users.

Elias Athanasopoulos, a research assistant at FORTH who is involved in the project, says that the researchers made no effort to promote their application but found that around 1,000 Facebook users installed it within a few days. The resulting attack was not particularly severe, but Athanasopoulos says that it could disrupt a small website, and he suggests that the onslaught could be made more intense with minor adjustments to the application. The attack relies on open access to Facebook. "It's very difficult to provide a platform that will not [allow developers to] interfere in malicious ways with the rest of the Web," he says.

A more detailed analysis covering several different social-networking sites suggests that the potential for mischief may actually run much deeper. Two computer-security consultants--Nathan Hamiel of Hexagon Security Group and Shawn Moyer of Agura Digital Security--recently built examples of malicious applications on top of OpenSocial, an open application platform used by MySpace, hi5, Orkut, and several other social networks. One of their demo applications, called DoSer, logs out users who view a compromised profile page for seven seconds. Another, called CSRFer, sends unauthorized friend requests from a target user. But Hamiel says that there are plenty more ways to attack social networks and that little can be done to defend them. "[An application] hooks into the social net about as deep as it can go," he says.

Comments

  • Credit and trustworthiness are the base of SNS
    Definitely I agree with the points. Nearly every SNS has its own plugins or GUI software installed on users' desktops. Credit and trustworthiness are the base of SNS.

    zhaol
    09/18/2008
    Posts:1

MIT Massachusetts Institute of Technology © 2010 Technology Review. All Rights Reserved.