
Social Networking Gone Bad

Worms and adware attacks are just a taste of what social networking sites could face as they evolve and attackers get more focused

Think social networking sites are already a hacker's paradise? Just wait.

Social networking sites so far have been hit mostly by annoying worm, adware, and phishing attacks. But these sites, such as MySpace, LinkedIn, Facebook, and Friendster, are also susceptible to more severe attacks, such as SQL injection, denial of service, or worse. And they could be a springboard to more focused attacks on enterprises and individuals' personal data.

The advent of more interactive, Web 2.0-based apps eventually being added to these sites could expose them to much more sophisticated exploits than the recent Flash-based worm attack in a MySpace profile that redirects you to a blog on 9/11 conspiracy theories. And existing Ajax-based interactive apps can already be exploited on these sites today.

"There's a lot of code sitting back there on the server, and as they drop it to your desktop, it makes it faster and more interactive, but it also exposes a lot of business logic and allows the creation of nasty Ajax apps on the client side," says Dave Cole, director of Symantec Security Response.

Web 2.0 basically puts the power into the user's hands for content and how it's shared. It lets users access the applications to do things like searches, which typically happen behind the scenes, says Shane Coursen, senior technical consultant for Kaspersky Lab. "If those commands are used in a bad way, that could spell problems," he says.

SQL injection-type attacks, meanwhile, can do a lot more damage than a worm or adware: They could provide an attacker with access to a social networking site's entire database, for instance, says David Aitel, CTO of Immunity. "Every site is based on PHP in the front and MySQL in the back," he says. "As you sign up and fill in a form or login, if the site isn't doing the proper check of characters, an attacker could insert a SQL command and get access to all usernames" or other data about MySpace, he says.

But even more chilling is how attackers could use these sites as a foot in the door to a corporation, or to an individual's sensitive data, researchers say. Social networking sites don't collect the type of personal data big-time hackers crave -- social security numbers, credit-card numbers, and bank account data. But they could be used to stage an attack on that data. "MySpace could be used to get a dropper Trojan on a machine and set up a stakeout post," Cole says. "When the user goes to his or her corporate site, it would go ahead and steal his login credentials."

Or if a user gets infected on LinkedIn, for example, his banking information could be stolen when he does online banking.

Immunity's Aitel says an attacker could do reconnaissance on a company's assets or an individual's credit or financial data through a social networking site. "This would significantly help the first stage of an attack, footprinting," Aitel says. And a financial predator could troll these sites for information, he says. Professional "networking" sites like LinkedIn, for instance, could be used for advance-fee scams, he says, which promise millions of dollars if you put up thousands of dollars first.

Social networking sites may not directly host valuable personal or financial data, but because of their sheer size and potential to hit multiple targets all in one place, they are becoming more attractive, and easy, marks. MySpace, for instance, now has the most traffic of any Website in the world. "It's one interface, one app, and a lot of people. That makes it a big target," says Kaspersky Lab's Coursen.

And it's easy to spam or phish these sites today, says Dan Hubbard, vice president of security research for Websense. For attackers, it's much simpler and more lucrative than throwing out a big email net and seeing what they catch. "This shifts Web attacks to people."

MySpace has borne the brunt of most attacks so far, including the so-called Samy worm that basically added over a million "friends" to "Samy's" list in a couple of hours, the infected banner ad that exploited an old Windows MetaFile flaw, and the Macromedia Flash-based worm.

Users certainly know the risks of participating on these sites, but researchers say the onus is still on the social networking providers to tighten up their security. But can sites that are all about free access, freedom of expression, and meeting new people actually be secure without ruining the spirit of social networking?

It's a delicate balancing act, but experts say there are some security measures the sites could add without compromising the free flow of human networking. "It's as simple as checking input on a form field," for instance, says Richard Stiennon, founder of IT-Harvest.
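The form-field weakness Aitel describes and the input check Stiennon recommends can be seen side by side in the following added example, which is not code from the article or from any site it names. It assumes a hypothetical `members` table and username policy, and uses Python's built-in `sqlite3` in place of the PHP and MySQL stack mentioned above so that it runs offline.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data: a tiny stand-in for a site's member table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?)",
                   [("alice", "alice@example.test"),
                    ("bob", "bob@example.test"),
                    ("carol", "carol@example.test")])
    return db

def lookup_concatenated(db, username):
    """'Before': the form value is pasted into the SQL text, so quote
    characters in it are parsed as SQL rather than as data."""
    sql = "SELECT username FROM members WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, username):
    """'After': the value is bound as a parameter and is only ever compared
    as a string, whatever characters it contains."""
    sql = "SELECT username FROM members WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]

# Hypothetical site policy: 3 to 20 letters, digits or underscores.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")

def lookup_checked(db, username):
    """Form-field character check layered on top of the bound query."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters the form does not allow")
    return lookup_parameterized(db, username)

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed form input containing SQL syntax
    print(lookup_concatenated(db, crafted))   # every username comes back
    print(lookup_parameterized(db, crafted))  # no member has that name
    print(lookup_checked(db, "alice"))        # ordinary input still works
```

The character check alone is a second layer, not the fix: the bound parameter is what keeps form input from being parsed as SQL.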

Symantec's Cole says MySpace is already beefing up authentication on its site. "They are probably going to limit how much control they give the user," says Cole. (MySpace and LinkedIn did not respond to requests for interviews.)

Social networking sites may have a little breathing room for now, though. "Attackers aren't really focusing [intensely] on them yet," Immunity's Aitel says. "They've mostly done some cross-site scripting and worms just to show they can, and in small groups, although what they could do did surprise a lot of people," he says.

Researchers at F-Secure recently decided to test just how prone social networking sites are to worm-based XSS attacks. They chose two sites (which they wouldn't disclose) that had a combined user community of 80 million and found over six potentially "wormable" XSS vulnerabilities in each site, according to a blog posted on F-Secure's Website.

"We stopped looking after finding half a dozen, but we are sure there are a lot more holes in there," wrote an F-Secure researcher in the blog. "With about a day's work a malicious attacker with a half-decent knowledge of javascript could create a worm using just one of these vulnerabilities."

The holes for XSS and other exploits are there. It's just a matter of time before social networking sites get hit harder, experts say. "And until cross-site scripting becomes bad for business like buffer overflows did for operating systems, they don't really care," Aitel says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
