
Social Networking Gone Bad

Worms and adware attacks are just a taste of what social networking sites could face as they evolve and attackers get more focused

Think social networking sites are already a hacker's paradise? Just wait.

Social networking sites so far have been hit mostly by annoying worm, adware, and phishing attacks. But these sites, such as MySpace, LinkedIn, Facebook, and Friendster, are also susceptible to more severe attacks, such as SQL injection, denial of service, or worse. And they could be a springboard to more focused attacks on enterprises and individuals' personal data.

The advent of more interactive, Web 2.0-based apps eventually being added to these sites could expose them to much more sophisticated exploits than the recent Flash-based worm attack in a MySpace profile that redirects you to a blog on 9/11 conspiracy theories. And existing Ajax-based interactive apps can already be exploited on these sites today.

"There's a lot of code sitting back there on the server, and as they drop it to your desktop, it makes it faster and more interactive, but it also exposes a lot of business logic and allows the creation of nasty Ajax apps on the client side," says Dave Cole, director of Symantec Security Response.

Web 2.0 basically puts the power into the user's hands for content and how it's shared. It lets users access the applications to do things like searches, which typically happen behind the scenes, says Shane Coursen, senior technical consultant for Kaspersky Lab. "If those commands are used in a bad way, that could spell problems," he says.

SQL injection-type attacks, meanwhile, can do a lot more damage than a worm or adware: They could provide an attacker with access to a social networking site's entire database, for instance, says David Aitel, CTO of Immunity. "Every site is based on PHP in the front and MySQL in the back," he says. "As you sign up and fill in a form or login, if the site isn't doing the proper check of characters, an attacker could insert a SQL command and get access to all usernames" or other data about MySpace, he says.

But even more chilling is how attackers could use these sites as a foot in the door to a corporation, or to an individual's sensitive data, researchers say. Social networking sites don't collect the type of personal data big-time hackers crave -- social security numbers, credit-card numbers, and bank account data. But they could be used to stage an attack on that data. "MySpace could be used to get a dropper Trojan on a machine and set up a stakeout post," Cole says. "When the user goes to his or her corporate site, it would go ahead and steal his login credentials."

Or if a user gets infected on LinkedIn, for example, his banking information could be stolen when he does online banking.

Immunity's Aitel says an attacker could do reconnaissance on a company's assets or an individual's credit or financial data through a social networking site. "This would significantly help the first stage of an attack, footprinting," Aitel says. And a financial predator could troll these sites for information, he says. Professional "networking" sites like LinkedIn, for instance, could be used for advance-fee scams, he says, which promise millions of dollars if you put up thousands of dollars first.

Social networking sites may not directly host valuable personal or financial data, but because of their sheer size and potential to hit multiple targets all in one place, they are becoming more attractive, and easy, marks. MySpace, for instance, now has the most traffic of any Website in the world. "It's one interface, one app, and a lot of people. That makes it a big target," says Kaspersky Lab's Coursen.

And it's easy to spam or phish these sites today, Dan Hubbard, vice president of security research for Websense, says. For attackers, it's much simpler and more lucrative than throwing out a big email net and seeing what they catch. "This shifts Web attacks to people."

MySpace has borne the brunt of most attacks so far, including the so-called Samy worm that basically added over a million "friends" to "Samy's" list in a couple of hours, the infected banner ad that exploited an old Windows MetaFile flaw, and the Macromedia Flash-based worm.

Users certainly know the risks of participating on these sites, but researchers say the onus is still on the social networking providers to tighten up their security. But can sites that are all about free access, freedom of expression, and meeting new people actually be secure without ruining the spirit of social networking?

It's a delicate balancing act, but experts say there are some security measures the sites could add without compromising the free flow of human networking. "It's as simple as checking input on a form field," for instance, says Richard Stiennon, founder of IT-Harvest.
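The form-field check described above, and the unchecked login or sign-up field Aitel describes earlier, as an added example that is not from the article or from any site it names: a username lookup built by string concatenation beside one that validates the field and binds it as a parameter. Python's sqlite3 stands in for the PHP/MySQL stack Aitel mentions; the table, function names, username policy and sample rows are constructed assumptions.

```python
import re
import sqlite3

PAYLOAD = "x' OR '1'='1"  # constructed form input containing a quote character
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")  # assumed username policy

def make_db():
    """In-memory table with constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
        ("carol", "carol@example.test"),
    ])
    return db

def lookup_unsafe(db, username):
    """Vulnerable: the field is pasted into the SQL text, so a quote in the
    input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in db.execute(sql))

def validate_username(username):
    """Allowlist check on the form field: reject anything outside the policy."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allowed set")
    return username

def lookup_safe(db, username):
    """Hardened: validate the field, then bind it as a parameter so the
    driver always treats it as data, never as SQL text."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in db.execute(sql, (validate_username(username),)))

def lookup_bound_only(db, username):
    """Binding alone, without the allowlist: the payload matches no row."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in db.execute(sql, (username,)))

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", lookup_unsafe(db, PAYLOAD))
    print("bound only:", lookup_bound_only(db, PAYLOAD))
    try:
        lookup_safe(db, PAYLOAD)
    except ValueError as exc:
        print("safe: rejected,", exc)
```

The concatenated query returns every account for the constructed input, while the bound query returns none; the allowlist is a second layer that rejects the field before it reaches the database.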

Symantec's Cole says MySpace is already beefing up authentication on its site. "They are probably going to limit how much control they give the user," says Cole. (MySpace and LinkedIn did not respond to requests for interviews.)

Social networking sites may have a little breathing room for now, though. "Attackers aren't really focusing [intensely] on them yet," Immunity's Aitel says. "They've mostly done some cross-site scripting and worms just to show they can, and in small groups, although what they could do did surprise a lot of people," he says.

Researchers at F-Secure recently decided to test just how prone social networking sites are to worm-based XSS attacks. They chose two sites (which they wouldn't disclose) that had a combined user community of 80 million and found over six potentially "wormable" XSS vulnerabilities in each site, according to a blog posted on F-Secure's Website.

"We stopped looking after finding half a dozen, but we are sure there are a lot more holes in there," wrote an F-Secure researcher in the blog. "With about a day's work a malicious attacker with a half-decent knowledge of JavaScript could create a worm using just one of these vulnerabilities."

The holes for XSS and other exploits are there. It's just a matter of time before social networking sites get hit harder, experts say. "And until cross-site scripting becomes bad for business like buffer overflows did for operating systems, they don't really care," Aitel says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
