
Social Networking Gone Bad

Worms and adware attacks are just a taste of what social networking sites could face as they evolve and attackers get more focused

Think social networking sites are already a hacker's paradise? Just wait.

Social networking sites so far have been hit mostly by annoying worm, adware, and phishing attacks. But these sites, such as MySpace, LinkedIn, Facebook, and Friendster, are also susceptible to more severe attacks, such as SQL injection, denial of service, or worse. And they could be a springboard to more focused attacks on enterprises and individuals' personal data.

The advent of more interactive, Web 2.0-based apps eventually being added to these sites could expose them to much more sophisticated exploits than the recent Flash-based worm attack in a MySpace profile that redirects you to a blog on 9/11 conspiracy theories. And existing Ajax-based interactive apps can already be exploited on these sites today.

"There's a lot of code sitting back there on the server, and as they drop it to your desktop, it makes it faster and more interactive, but it also exposes a lot of business logic and allows the creation of nasty Ajax apps on the client side," says Dave Cole, director of Symantec Security Response.

Web 2.0 basically puts the power into the user's hands for content and how it's shared. It lets users access the applications to do things like searches, which typically happen behind the scenes, says Shane Coursen, senior technical consultant for Kaspersky Lab. "If those commands are used in a bad way, that could spell problems," he says.

SQL injection-type attacks, meanwhile, can do a lot more damage than a worm or adware: They could provide an attacker with access to a social networking site's entire database, for instance, says David Aitel, CTO of Immunity. "Every site is based on PHP in the front and MySQL in the back," he says. "As you sign up and fill in a form or login, if the site isn't doing the proper check of characters, an attacker could insert a SQL command and get access to all usernames" or other data about MySpace, he says.

But even more chilling is how attackers could use these sites as a foot in the door to a corporation, or to an individual's sensitive data, researchers say. Social networking sites don't collect the type of personal data big-time hackers crave -- social security numbers, credit-card numbers, and bank account data. But they could be used to stage an attack on that data. "MySpace could be used to get a dropper Trojan on a machine and set up a stakeout post," Cole says. "When the user goes to his or her corporate site, it would go ahead and steal his login credentials."

Or if a user gets infected on LinkedIn, for example, his banking information could be stolen when he does online banking.

Immunity's Aitel says an attacker could do reconnaissance on a company's assets or an individual's credit or financial data through a social networking site. "This would significantly help the first stage of an attack, footprinting," Aitel says. And a financial predator could troll these sites for information, he says. Professional "networking" sites like LinkedIn, for instance, could be used for advance-fee scams, he says, which promise millions of dollars if you put up thousands of dollars first.

Social networking sites may not directly host valuable personal or financial data, but because of their sheer size and potential to hit multiple targets all in one place, they are becoming more attractive, and easy, marks. MySpace, for instance, now has the most traffic of any Website in the world. "It's one interface, one app, and a lot of people. That makes it a big target," says Kaspersky Lab's Coursen.

And it's easy to spam or phish these sites today, Dan Hubbard, vice president of security research for Websense, says. For attackers, it's much simpler and more lucrative than throwing out a big email net and seeing what they catch. "This shifts Web attacks to people."

MySpace has borne the brunt of most attacks so far, including the so-called Samy worm that basically added over a million "friends" to "Samy's" list in a couple of hours, the infected banner ad that exploited an old Windows MetaFile flaw, and the Macromedia Flash-based worm.

Users certainly know the risks of participating on these sites, but researchers say the onus is still on the social networking providers to tighten up their security. But can sites that are all about free access, freedom of expression, and meeting new people actually be secure without ruining the spirit of social networking?

It's a delicate balancing act, but experts say there are some security measures the sites could add without compromising the free flow of human networking. "It's as simple as checking input on a form field," for instance, says Richard Stiennon, founder of IT-Harvest.
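An added example, not part of the original article or any site's code: the login lookup Aitel describes, built first by string concatenation and then with a bound parameter, next to the kind of form-field check Stiennon mentions. Python's sqlite3 stands in for the PHP/MySQL stack, and the table, function names, sample rows and username policy are assumptions made for illustration.

```python
import re
import sqlite3

# Constructed sample data; sqlite3 stands in for the MySQL back end the article mentions.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, display_name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "Alice"), ("bob", "Bob"), ("carol", "Carol")])
    return db

def lookup_unsafe(db, username):
    # The form value is pasted into the SQL text, so quote characters in it
    # change the structure of the statement.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, username):
    # Bound parameter: the value travels separately from the SQL text
    # and is only ever compared as data.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]

# Allow-list check for the username form field (hypothetical policy:
# 3 to 20 letters, digits or underscores).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")

def valid_username(value):
    return USERNAME_RE.fullmatch(value) is not None

def set_display_name(db, username, display_name):
    # Free-text fields cannot be limited to a narrow character set
    # (names such as O'Brien are legitimate), so binding does the work here.
    db.execute("UPDATE users SET display_name = ? WHERE username = ?",
               (display_name, username))
    row = db.execute("SELECT display_name FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row[0]

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input of the kind the article describes
    print("concatenated query:", lookup_unsafe(db, crafted))
    print("bound parameter:   ", lookup_safe(db, crafted))
    print("passes field check:", valid_username(crafted), valid_username("alice"))
    print("stored name:       ", set_display_name(db, "bob", "Bob O'Brien"))
```

The field check rejects the crafted value early, but the bound parameter is what keeps the query safe for fields that must accept quotes and other punctuation.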

Symantec's Cole says MySpace is already beefing up authentication on its site. "They are probably going to limit how much control they give the user," says Cole. (MySpace and LinkedIn did not respond to requests for interviews.)

Social networking sites may have a little breathing room for now, though. "Attackers aren't really focusing [intensely] on them yet," Immunity's Aitel says. "They've mostly done some cross-site scripting and worms just to show they can, and in small groups, although what they could do did surprise a lot of people," he says.

Researchers at F-Secure recently decided to test just how prone social networking sites are to worm-based XSS attacks. They chose two sites (which they wouldn't disclose) that had a combined user community of 80 million and found over six potentially "wormable" XSS vulnerabilities in each site, according to a blog posted on F-Secure's Website.

"We stopped looking after finding half a dozen, but we are sure there are a lot more holes in there," wrote an F-Secure researcher in the blog. "With about a day's work a malicious attacker with a half-decent knowledge of javascript could create a worm using just one of these vulnerabilities."

The holes for XSS and other exploits are there. It's just a matter of time before social networking sites get hit harder, experts say. "And until cross-site scripting becomes bad for business like buffer overflows did for operating systems, they don't really care," Aitel says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
