The Black Hat security conference session this morning, “Satan is on Your Friend’s List,” about attacking social networks was hilarious, even though the implications of it are very serious for social network users and the companies that are building giant companies based upon them.
MySpace was the target today. But as the speakers pointed out, they picked it because it uses the OpenSocial platform and has the most complete list of features that will become standard in other networks. The basic problem with social networking security is that companies are having an awful time protecting personal data on a network that is meant to be open, said Nathan Hamiel, security consultant at Idea Information Security and associate professor at the University of Advancing Technology. His talk partner was Shawn Moyer, a security researcher at FishNet Security.
As the two researchers staged mock attacks against MySpace from faux accounts, they found vulnerabilities that they wondered if they should disclose. It turned out in many cases that the information was already published as part of the applications programming interfaces, or APIs, that are available to partners who develop applications for the social network.
“Just because they’re open doesn’t mean that it can’t be secure,” Hamiel said in an interview. “Open source networks are often more secure.”
One attack that they chronicled should be scary to all MySpace users. They showed how they could redirect a user to a malicious site that could give a hacker access to personal data in the inboxes or private photos on a user’s MySpace account. The attack works like this. The attacker posts a comment on a user’s MySpace page. Embedded within it is an invisible image which links to an external site outside of MySpace. The link can compromise the user’s account in a variety of ways. It can add a friend to a user’s account that the user never intended to accept. The researchers also showed how the same trick could be used to create a comment on a user’s page that could never be deleted.
MySpace’s security staff deleted some of the fake accounts Hamiel and Moyer used (only because one of the tests generated a lot of traffic). But the researchers, who noted that they had “benign payloads,” showed videos which showed how the attack worked in practice. MySpace hasn’t yet responded to a request for comment; their security experts attended the talk. The researchers also showed how easy it was to create a fake Linkedin account for one of their mutual friends (it took about three hours to build and then a day to recruit 50 friends), as well as a fake Twitter account. Those accounts can be used to befriend others and deceive them into granting access to personal information.
The researchers expressed more concern about the quality of code being created by third-party application developers who are creating software that runs on top of Facebook or MySpace. They showed how they could find out how people answered questions about their favorite sexual positions on a “Kamasutra Poll” on MySpace.
One of the problems is that people still tend to trust their social networks and the applications on them, even though they are no more secure than emails that come from out of the blue, Moyer said. That is evidenced by people, even in the security and government circles, who are “link whores,” or users who will befriend just about anybody. Hacking social networks yields much better results if they combine “social engineering” (deception based on the assumptions people make, such as trusting messages from their friends) and technical atttacks, Moyer said.
Given that hacking social networks has been in the news for years, I was shocked at how easy it was to pull off these attacks. I expect more from the social networks. And that mistaken level of trust is where bad hackers have an advantage.
Social networks such as MySpace and Facebook are built on their ability to link to photos, videos and other content stored on other sites, such as Flickr. So the answer to the problem isn’t to cut off that ability, Hamiel said in an interview. Rather, users should be aware that their personal data can easily escape from the network into the public, particularly at the hands of hackers. Paris Hilton’s photos on her private Facebook page were exposed earlier this year.
“The lesson is don’t put anything on a social network that can be used to discriminate against you,” Hamiel said. “Somebody, like an employer, will use it to make a decision about you, based on information such as sexual preference. If you share it, you should assume it’s going to become public.”
Both researchers said that Facebook’s upcoming launch of an electronic commerce platform should prove even scarier, since users will likely entrust Facebook with credit card information. Linkedin and Facebook have not yet responded for comment, while MySpace said it was looking into the matter.
MySpace, for its part, does have a warning system in place to tell users when they are navigating off site. They also have a filtering system in place to blacklist off-site links that lead to malware. And it has privacy and security settings that users can set that will offer them more protection. The question is whether MySpace can quickly close off some of the problems that the researchers mentioned.
Should people stop using social networks? No, said Hamiel. He noted there were better ways to architect the systems for security. For instance, he said that if users want to link to off-site assets such as photos, the social networks could limit the linking to established photo-sharing sites. That could limit user freedom, but it might reduce the amount of grief that comes from hacker attacks.